Fix setting the federatedIdentity Subject-Issuer

infrastructure/Cluster.bicep

@@ -236,15 +236,51 @@ module fluxId 'modules/userAssignedIdentity.bicep' = {
     baseName: 'flux'
     location: location
     tags: tags
-    federatedIdentitySubjectIssuerDictionary: {
-      'system:serviceaccount:flux-system:source-controller': aks.outputs.oidcIssuerUrl
-      'system:serviceaccount:flux-system:helm-controller': aks.outputs.oidcIssuerUrl
-      'system:serviceaccount:flux-system:image-reflector-controller': aks.outputs.oidcIssuerUrl
-      'system:serviceaccount:flux-system:kustomize-controller': aks.outputs.oidcIssuerUrl
-    }
   }
 }
 
+// UAI doesn't support multiple concurrent deployments, so create a dependency chain:
+module fluxSourceController 'modules/uaiFederatedIdentity.bicep' = {
+  name: '${deploymentName}_uai_fi_source'
+  params: {
+    subject: 'system:serviceaccount:flux-system:source-controller'
+    issuerUrl: aks.outputs.oidcIssuerUrl
+    name: 'flux-system-source-controller'
+    userAssignedIdentityName: fluxId.outputs.name
+  }
+  dependsOn: [fluxId]
+}
+module fluxHelmController 'modules/uaiFederatedIdentity.bicep' = {
+  name: '${deploymentName}_uai_fi_helm'
+  params: {
+    subject: 'system:serviceaccount:flux-system:helm-controller'
+    issuerUrl: aks.outputs.oidcIssuerUrl
+    name: 'flux-system-helm-controller'
+    userAssignedIdentityName: fluxId.outputs.name
+  }
+  dependsOn: [fluxSourceController]
+}
+module fluxImageController 'modules/uaiFederatedIdentity.bicep' = {
+  name: '${deploymentName}_uai_fi_image'
+  params: {
+    subject: 'system:serviceaccount:flux-system:image-reflector-controller'
+    issuerUrl: aks.outputs.oidcIssuerUrl
+    name: 'flux-system-image-reflector-controller'
+    userAssignedIdentityName: fluxId.outputs.name
+  }
+  dependsOn: [fluxHelmController]
+}
+module fluxKustomizeController 'modules/uaiFederatedIdentity.bicep' = {
+  name: '${deploymentName}_uai_fi_kust'
+  params: {
+    subject: 'system:serviceaccount:flux-system:kustomize-controller'
+    issuerUrl: aks.outputs.oidcIssuerUrl
+    name: 'flux-system-kustomize-controller'
+    userAssignedIdentityName: fluxId.outputs.name
+  }
+  dependsOn: [fluxImageController]
+}
+
 // // Managed Flux
 // module flux 'modules/flux.bicep' = {
 //   name: '${deploymentName}_flux'

infrastructure/modules/uaiFederatedIdentity.bicep

@@ -0,0 +1,28 @@
+@description('Required. The name of the user assigned identity to modify')
+param userAssignedIdentityName string
+
+@description('Required. The name of the federated identity to create')
+param name string
+
+param issuerUrl string
+
+param subject string
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
+  name: userAssignedIdentityName
+}
+
+resource federatedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
+  name: name
+  parent: userAssignedIdentity
+  properties: {
+    audiences: [
+      'api://AzureADTokenExchange'
+    ]
+    issuer: issuerUrl
+    subject: subject
+  }
+}
+
+@description('The resource id of the federated identity')
+output id string = federatedIdentity.id

infrastructure/modules/userAssignedIdentity.bicep

@@ -7,41 +7,14 @@ param location string = resourceGroup().location
 @description('Optional. Tags for this resource. Defaults to resourceGroup().tags')
 param tags object = resourceGroup().tags
 
-@description ('''Optional. A dictionary of subject identifiers to issuer URLs for configuring federated identity. Defaults to empty.
-Supports creating Azure Workload Identity federation credentials. For example:
-{
-  // Format: subject identifier: issuerUrl
-
-  // supports creating github actions wofklow connections:
-  'repo:PoshCode/cluster:ref:refs/heads/main': 'https://token.actions.githubusercontent.com'
-
-  // suppports creating AKS Workload Identities:
-  'system:serviceaccount:${AKSNamespaceName}:${AKSServiceAccountName}': cluster.oidcIssuerURL
-
-  // If necessary, add a trailing moreunique value that will be stripped out and ignored (I needed this for specific issues with clusters sharing identities)
-  'system:serviceaccount:${AKSNamespaceName}:${AKSServiceAccountName}:moreunique:${cluster.oidcIssuerURL}': cluster.oidcIssuerURL
-}''')
-param federatedIdentitySubjectIssuerDictionary object = {}
-
 resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
   name: 'id-${baseName}'
   location: location
   tags: tags
 }
 
-resource credential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2022-01-31-preview' = [for issuer in items(federatedIdentitySubjectIssuerDictionary): {
-  name: replace(replace(replace(issuer.key,'system:serviceaccount:',''),':','-'),'/','-')
-  parent: userAssignedIdentity
-  properties: {
-    audiences: [
-      'api://AzureADTokenExchange'
-    ]
-    issuer: issuer.value
-    // if the issuer URL is in the name, it's there as a differentiator, take it out
-    subject: split(issuer.key,':moreunique:')[0]
-  }
-}]
-
+@description('The name of the user assigned idenity resource (because it is calculated)')
+output name string = userAssignedIdentity.name
 
 @description('Resource ID, for deployment scripts')
 output id string = userAssignedIdentity.id