From 635308780393fe44a20920a1ac4651d8446bccf9 Mon Sep 17 00:00:00 2001
From: Deyaaeldeen Almahallawi <dealmaha@microsoft.com>
Date: Wed, 5 Feb 2025 16:29:01 -0800
Subject: [PATCH] [Event Hubs] Disable local auth when not in the isolated sub
 (#32769)

Otherwise, resource creation fails.
---
 sdk/eventhub/test-resources.bicep | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/sdk/eventhub/test-resources.bicep b/sdk/eventhub/test-resources.bicep
index 4aa0b5cd9f69..562cf76513e8 100644
--- a/sdk/eventhub/test-resources.bicep
+++ b/sdk/eventhub/test-resources.bicep
@@ -1,9 +1,9 @@
 param baseName string = resourceGroup().name
 param location string = resourceGroup().location
 param testApplicationOid string
+param supportsSafeSecretStandard bool = false
 
 var eventHubApiVersion = '2024-01-01'
-var storageApiVersion = '2023-05-01'
 var iotHubApiVersion = '2023-06-30'
 var storageAccountName = 'storage${baseName}'
 var containerName = 'container'
@@ -32,6 +32,7 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2024-01-01' = {
     zoneRedundant: false
     isAutoInflateEnabled: false
     maximumThroughputUnits: 0
+    disableLocalAuth: supportsSafeSecretStandard
   }
 }
 
@@ -69,6 +70,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
   }
   kind: 'StorageV2'
   properties: {
+    allowSharedKeyAccess: false
     networkAcls: {
       bypass: 'AzureServices'
       virtualNetworkRules: []
@@ -105,7 +107,11 @@ resource iotHub 'Microsoft.Devices/IotHubs@2023-06-30' = {
     name: 'S1'
     capacity: 1
   }
+  identity: {
+    type: 'SystemAssigned'
+  }
   properties: {
+    disableLocalAuth: supportsSafeSecretStandard
     ipFilterRules: []
     eventHubEndpoints: {
       events: {
@@ -134,7 +140,7 @@ resource iotHub 'Microsoft.Devices/IotHubs@2023-06-30' = {
     storageEndpoints: {
       '$default': {
         sasTtlAsIso8601: 'PT1H'
-        connectionString: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${listKeys(storageAccount.id, storageApiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
+        authenticationType: 'identityBased'
         containerName: containerName
       }
     }
@@ -225,6 +231,15 @@ resource iotHubDataContributorRoleAssignment 'Microsoft.Authorization/roleAssign
   }
 }
 
+resource iotHubStorageRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+  name: guid(iotHub.id, 'Storage Blob Data Contributor')
+  scope: storageAccount
+  properties: {
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', blobDataContributorRoleId)
+    principalId: iotHub.identity.principalId
+  }
+}
+
 output EVENTHUB_FQDN string = replace(replace(eventHubNamespace.properties.serviceBusEndpoint, ':443/', ''), 'https://', '')
 output EVENTHUB_NAME string = eventHub.name
 output EVENTHUB_CONSUMER_GROUP_NAME string = eventHubConsumerGroup.name