captainsafia
Member

Description

This pull request introduces the ability to associate an AzureUserAssignedIdentityResource with a compute resource via the WithAzureUserAssignedIdentity extension method.

Fixes #8441

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?
    • Yes
    • No

@Copilot Copilot AI review requested due to automatic review settings May 19, 2025 22:22
@github-actions github-actions bot added the area-integrations Issues pertaining to Aspire Integrations packages label May 19, 2025
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds support for associating an existing AzureUserAssignedIdentityResource with compute resources via a new WithAzureUserAssignedIdentity extension and updates the provisioning logic to handle identity annotations and role assignments. It also includes comprehensive unit tests and updated Bicep snapshots to verify the new scenarios.

  • Introduced WithAzureUserAssignedIdentity<T> extension method for compute resource builders.
  • Enhanced AzureResourcePreparer to attach identity annotations without duplication and create fall-back identities for role assignments.
  • Expanded unit tests and updated Bicep snapshots for various identity and role-assignment scenarios.

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/Aspire.Hosting.Azure/AzureUserAssignedIdentityExtensions.cs | Added WithAzureUserAssignedIdentity extension and XML docs |
| src/Aspire.Hosting.Azure/AzureResourcePreparer.cs | Adjusted role-assignment logic to attach/copy identity resources |
| tests/Aspire.Hosting.Azure.Tests/AzureUserAssignedIdentityTests.cs | New tests for WithAzureUserAssignedIdentity methods |
| tests/.../Snapshots/*.verified.bicep | Updated Bicep snapshots to include identity settings |

Comments suppressed due to low confidence (3)

src/Aspire.Hosting.Azure/AzureResourcePreparer.cs:181

  • [nitpick] The local variable resource shadows the method parameter; consider renaming it (e.g., targetResource) to improve clarity and reduce confusion.
if (resource != identityResource)

src/Aspire.Hosting.Azure/AzureResourcePreparer.cs:187

  • [nitpick] Indentation here is inconsistent with the surrounding block; aligning this line will improve readability.
resource.Annotations.Add(new AppIdentityAnnotation(identityResource));

tests/Aspire.Hosting.Azure.Tests/AzureUserAssignedIdentityTests.cs:2

  • [nitpick] Consider scoping this #pragma warning disable to the specific code region or pairing it with a restore directive, so the suppression doesn’t apply to the entire file unintentionally.
#pragma warning disable ASPIRECOMPUTE001 // Type is for evaluation purposes ...

@davidfowl
Member

Should it be possible to add as well as replace? Maybe that can be a separate issue?

@captainsafia
Member Author

> Should it be possible to add as well as replace? Maybe that can be a separate issue?

Hmmm....how does this function in practice? Do role assignments apply on both identities or do we need a way to specify the identity that a role assignment should target? I worry that the API might get too confusing with that many permutations.

@eerhardt
Member

> Should it be possible to add as well as replace?

To try to enable multiple identities would take more work in the client libraries as well, since I assume we would want to specify which identity to use to connect to an Azure resource. If someone wants to use multiple identities, I think they would need to do the heavy lifting themselves.

@captainsafia captainsafia force-pushed the safia/with-app-identity branch from b934c53 to 38a343e Compare May 20, 2025 16:44
Member

@eerhardt eerhardt left a comment

LGTM. Nice work!

@captainsafia captainsafia enabled auto-merge (squash) May 20, 2025 17:57
@captainsafia captainsafia merged commit f6cd6b4 into main May 20, 2025
253 of 254 checks passed
@captainsafia captainsafia deleted the safia/with-app-identity branch May 20, 2025 18:13
@github-actions github-actions bot locked and limited conversation to collaborators Jun 20, 2025
Development

Successfully merging this pull request may close these issues.

Support assigning UserAssigned Managed Identities to compute resources