MuhammadAliFleet
Contributor


This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

This PR:

  • removes the is_preview=True flag from enable_vnet_integration and apiserver_subnet_id
  • creates role assignment for msi on api and agent subnet when enable_vnet_integration is true

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

For new extensions:

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.

@Copilot Copilot AI review requested due to automatic review settings September 11, 2025 02:59

azure-client-tools-bot-prd bot commented Sep 11, 2025

✔️ Azure CLI Extensions Breaking Change Test
✔️ Non Breaking Changes


Hi @MuhammadAliFleet,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@yonzhan
Collaborator

yonzhan commented Sep 11, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.


The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>


@Copilot Copilot AI left a comment


Pull Request Overview

This PR removes the preview flag from VNet integration functionality and adds proper role assignment management for managed service identities when VNet integration is enabled. The changes enable production use of VNet integration features and ensure proper network permissions are granted.

  • Remove is_preview=True from VNet integration parameters to promote them to general availability
  • Add role assignments for managed service identity on API server and agent subnets when VNet integration is enabled
  • Refactor subnet role assignment logic to support different identity types

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
src/fleet/azext_fleet/custom.py Updates fleet creation logic to assign network contributor roles for MSI when VNet integration is enabled
src/fleet/azext_fleet/_params.py Removes preview flags from enable_vnet_integration and apiserver_subnet_id parameters
src/fleet/azext_fleet/_helpers.py Refactors role assignment function and adds MSI object ID retrieval functionality
src/fleet/azext_fleet/_client_factory.py Adds MSI client factory function for managed identity operations

assign_network_contributor_role_to_subnet(cmd, resource_group_name, agent_subnet_id)
assign_network_contributor_role_to_subnet(cmd, FLEET_1P_APP_ID, agent_subnet_id)

if enable_vnet_integration:
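Review bot: the second argument changes from resource_group_name to FLEET_1P_APP_ID, while the refactored signature names that parameter object_id (`def assign_network_contributor_role_to_subnet(cmd, object_id, subnet_id)`); an application (client) id and a service principal object id are different identifiers, so confirm that add_role_assignment resolves the 1P app id to its principal in the target tenant, otherwise this assignment fails and, with the warning-only handling in the helper, fleet creation continues without the permission.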
Copilot AI Sep 11, 2025


The code calls get_msi_object_id(cmd, assign_identity) without checking if assign_identity is None. This will cause an error when enable_vnet_integration is True but no user-assigned identity is provided.

Suggested change
if enable_vnet_integration:
if enable_vnet_integration:
if assign_identity is None:
raise CLIError("User-assigned identity must be provided for VNet integration.")


Member


This is good feedback.
1- we should validate that MSI is not nil if enable_vnet_integration is set
2- we should call assign_network_contributor_role_to_subnet here only if we know it's a user MSI

Contributor Author


  • now validating that MSI is not nil if enable_vnet_integration is set
  • call assign_network_contributor_role_to_subnet here only if we know it's a user MSI. I tested creating private fleet v2 with system assigned msi and it fails due to missing perm action. We would need the role on the system MSI as well.


github-actions bot commented Sep 11, 2025

Hi @MuhammadAliFleet

Release Suggestions

Module: fleet

  • Please log updates into src/fleet/HISTORY.rst
  • Update VERSION to 1.7.0 in src/fleet/setup.py

Notes


assign_network_contributor_role_to_subnet(cmd, FLEET_1P_APP_ID, agent_subnet_id)

if enable_vnet_integration:
assign_network_contributor_role_to_subnet(cmd, get_msi_object_id(cmd, assign_identity), apiserver_subnet_id)
Member


calling get_msi_object_id twice is 2 API calls. Call once and save the result for the second add_role call


def get_msi_object_id(cmd, msi_resource_id):
try:
if not is_valid_resource_id(msi_resource_id):
Member


this should be in a validator

@MuhammadAliFleet MuhammadAliFleet force-pushed the alimuhammad/fleet/privfleet-err-msg branch from 6b3cb6f to 5d9f635 Compare September 12, 2025 17:23
@github-actions github-actions bot added the release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually. label Sep 12, 2025
raise CLIError("Cannot assign identity without enabling managed identity.")

if enable_vnet_integration:
if not enable_managed_identity and assign_identity is None:
Member


  1. shouldn't this just be if not enable_managed_identity:?
  2. can this test be moved to _validators.py (i.e. add a new validate_enable_vnet_integration function and update _params.py with c.argument('enable_vnet_integration', validator=validate_enable_vnet_integration, ...)?

Contributor Author


moved to _validators.py

def assign_network_contributor_role_to_subnet(cmd, subnet_id):
def assign_network_contributor_role_to_subnet(cmd, object_id, subnet_id):
if not add_role_assignment(cmd, 'Network Contributor', object_id, scope=subnet_id):
logger.warning("Failed to create Network Contributor role assignment on the subnet.\n"
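Review bot: at `if not add_role_assignment(cmd, 'Network Contributor', object_id, scope=subnet_id):` a failed assignment is only reported through logger.warning and execution continues, so a fleet created with --enable-vnet-integration can be returned without the permission its API server subnet needs and the caller only finds out later; consider raising CLIError here (the helper already has the object id and subnet id to name in the message), or, if continuing is intended, state the consequence explicitly in the warning rather than just "Failed to create ... role assignment".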
Member


Could you provide a more detailed error? Maybe even ideally to the point at which someone could copy/paste an az role assignment create command and ask their admin to run that for them?

Contributor Author


Added detailed error with command

@github-actions github-actions bot removed the release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually. label Sep 17, 2025

def validate_enable_vnet_integration(namespace):
if namespace.enable_vnet_integration and not namespace.enable_managed_identity:
raise CLIError("--enable-vnet-integration requires managed identity to be enabled. "
Member


although it's theoretically possible to do vnet integration with system MSI, it's a real pain. I'm worried this message will send people down that painful path. I'm tempted to require they use user MSI in the CLI, i.e. validate both enable_managed_identity and assign_identity, and update the error message to include adding --assign-identity as well?

Contributor Author


now validating both enable_managed_identity and assign_identity
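
The two review threads above, the validator in _validators.py and the copy-pasteable role assignment command in the warning, as one stand-alone added example. This is not the fleet extension's code: CLIError is a stand-in for knack.util.CLIError, is_valid_resource_id is a regex stand-in for the real helper, add_role_assignment is injected as a callable instead of the ARM call, and all subscription, identity, subnet and object ids are constructed sample values. The flags used in the generated command (--assignee-object-id, --assignee-principal-type, --role, --scope) exist on az role assignment create.

```python
import re
from types import SimpleNamespace


class CLIError(Exception):
    """Stand-in for knack.util.CLIError (assumption: only the exception type matters here)."""


# Rough ARM resource-id shape; stands in for the real is_valid_resource_id helper (assumption).
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+(/[^/]+/[^/]+)*$",
    re.IGNORECASE,
)


def is_valid_resource_id(resource_id):
    return bool(resource_id) and _RESOURCE_ID_RE.match(resource_id) is not None


def make_namespace(**kwargs):
    """Build the kind of argparse namespace a knack validator receives."""
    return SimpleNamespace(**kwargs)


def validate_enable_vnet_integration(namespace):
    """Validator for --enable-vnet-integration: refuse the flag unless a user-assigned
    managed identity is supplied, so creation never reaches the role-assignment step
    with no principal to grant Network Contributor to."""
    if not getattr(namespace, "enable_vnet_integration", False):
        return
    if not getattr(namespace, "enable_managed_identity", False) or \
            not getattr(namespace, "assign_identity", None):
        raise CLIError(
            "--enable-vnet-integration requires a user-assigned managed identity. "
            "Pass --enable-managed-identity and --assign-identity <identity resource id>.")
    if not is_valid_resource_id(namespace.assign_identity):
        raise CLIError(
            "--assign-identity must be the full resource id of a user-assigned managed identity.")


def validation_error(namespace):
    """Run the validator and return its message, or None when the namespace is accepted."""
    try:
        validate_enable_vnet_integration(namespace)
    except CLIError as err:
        return str(err)
    return None


def role_assignment_command(object_id, subnet_id, role="Network Contributor"):
    """The command an administrator can run when the CLI caller lacks permission to
    create the assignment; these flags exist on az role assignment create."""
    return ('az role assignment create --assignee-object-id {} '
            '--assignee-principal-type ServicePrincipal --role "{}" --scope {}'
            .format(object_id, role, subnet_id))


def assign_network_contributor_role_to_subnets(add_role_assignment, object_id, subnet_ids):
    """Grant Network Contributor on every subnet for one principal. add_role_assignment
    is injected (in the extension it is the ARM call) and returns True on success;
    object_id is resolved once by the caller, so the MSI is looked up a single time.
    Returns one actionable warning per subnet whose assignment failed."""
    warnings = []
    for subnet_id in subnet_ids:
        if not add_role_assignment("Network Contributor", object_id, subnet_id):
            warnings.append(
                "Failed to create Network Contributor role assignment on subnet {}. "
                "VNet integration will not work until it exists; ask an administrator to run:\n"
                "  {}".format(subnet_id, role_assignment_command(object_id, subnet_id)))
    return warnings


# Constructed sample ids: a zero subscription, a fake identity and two fake subnets.
SUB = "00000000-0000-0000-0000-000000000000"
IDENTITY_ID = ("/subscriptions/{}/resourceGroups/rg-fleet/providers/"
               "Microsoft.ManagedIdentity/userAssignedIdentities/fleet-msi".format(SUB))
API_SUBNET = ("/subscriptions/{}/resourceGroups/rg-net/providers/Microsoft.Network/"
              "virtualNetworks/fleet-vnet/subnets/apiserver".format(SUB))
AGENT_SUBNET = ("/subscriptions/{}/resourceGroups/rg-net/providers/Microsoft.Network/"
                "virtualNetworks/fleet-vnet/subnets/agents".format(SUB))
MSI_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # constructed principal object id


def demo():
    """Validate a good namespace, then simulate one assignment succeeding and one
    being refused (the caller lacks rights on the agent subnet)."""
    ns = make_namespace(enable_vnet_integration=True, enable_managed_identity=True,
                        assign_identity=IDENTITY_ID)
    validate_enable_vnet_integration(ns)

    def fake_add_role_assignment(role, object_id, scope):
        return scope == API_SUBNET

    return assign_network_contributor_role_to_subnets(
        fake_add_role_assignment, MSI_OBJECT_ID, [API_SUBNET, AGENT_SUBNET])


if __name__ == "__main__":
    for warning in demo():
        print(warning)
```

Running the block prints a single warning for the agent subnet that ends with a complete az role assignment create line; the validator rejects a missing --assign-identity, a missing --enable-managed-identity, and a bare identity name that is not a resource id, before any role assignment is attempted.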

@jim-minter jim-minter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jim-minter

@kairu-ms please merge?

@kairu-ms kairu-ms merged commit 5618fed into Azure:main Sep 22, 2025
25 checks passed