[Fixes] Ensure that VirtualMachineImages are removed before MSIs are …

…removed as there's otherwise a high chance for a lock (#4418)

* Updated removal

* Update to latest

* Update to latest

* Update to latest

modules/virtual-machine-images/image-template/main.json

@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.23.1.45101",
-      "templateHash": "10277577540639461484"
+      "version": "0.24.24.22086",
+      "templateHash": "3206365221053341077"
     },
     "name": "Virtual Machine Image Templates",
     "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).",

modules/virtual-machine-images/image-template/tests/e2e/max/dependencies.bicep

@@ -18,6 +18,16 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
   location: location
 }
 
+// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM.
+resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, 'ManagedIdentityContributor', managedIdentity.id)
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator
+    principalId: managedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 var addressPrefix = '10.0.0.0/16'
 
 resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {

modules/virtual-machine-images/image-template/tests/e2e/max/main.test.bicep

@@ -51,16 +51,6 @@ module nestedDependencies 'dependencies.bicep' = {
   }
 }
 
-// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM.
-resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(subscription().id, 'ManagedIdentityContributor', '${namePrefix}')
-  properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator
-    principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-    principalType: 'ServicePrincipal'
-  }
-}
-
 // ============== //
 // Test Execution //
 // ============== //

modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep

@@ -18,6 +18,16 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
   location: location
 }
 
+// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM.
+resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, 'ManagedIdentityContributor', managedIdentity.id)
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator
+    principalId: managedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 var addressPrefix = '10.0.0.0/16'
 
 resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
@@ -86,9 +96,6 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
 @description('The principal ID of the created Managed Identity.')
 output managedIdentityResourceId string = managedIdentity.id
 
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
 @description('The name of the created Managed Identity.')
 output managedIdentityName string = managedIdentity.name
 

modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep

@@ -51,16 +51,6 @@ module nestedDependencies 'dependencies.bicep' = {
   }
 }
 
-// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM.
-resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(subscription().id, 'ManagedIdentityContributor', '${namePrefix}')
-  properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator
-    principalId: nestedDependencies.outputs.managedIdentityPrincipalId
-    principalType: 'ServicePrincipal'
-  }
-}
-
 // ============== //
 // Test Execution //
 // ============== //

utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1

@@ -76,8 +76,10 @@ function Initialize-DeploymentRemoval {
             'Microsoft.Authorization/policyDefinitions'
             'Microsoft.Sql/managedInstances',
             'Microsoft.MachineLearningServices/workspaces',
-            'Microsoft.Resources/resourceGroups',
-            'Microsoft.Compute/virtualMachines'
+            'Microsoft.Compute/virtualMachines',
+            'Microsoft.VirtualMachineImages/imageTemplates', # Must be removed before their MSI
+            'Microsoft.ManagedIdentity/userAssignedIdentities',
+            'Microsoft.Resources/resourceGroups'
         )
 
         Write-Verbose ('Handling resource removal with deployment names [{0}]' -f ($deploymentNames -join ', ')) -Verbose