
fix: revert UAMI assignment to only require AZURE_MSI_RESOURCE_STRING#8059

Merged
awesomenix merged 1 commit into main from sabina-3b on Mar 10, 2026

Conversation

@awesomenix (Contributor)

Problem

Windows VHD builds are failing with azcopy 403 AuthorizationPermissionMismatch errors when trying to download container images (e.g. servercore.tar) from wcctagentbakerstorage blob storage.

RESPONSE 403: 403 This request is not authorized to perform this operation using this permission.
ERROR CODE: AuthorizationPermissionMismatch

All 6 Windows VHD build jobs fail: build_win_2022_v1, build_win_2022_v2, build_win_23H2_v1, build_win_23H2_v2, build_win_2025_v1, build_win_2025_v2.

Failed build: https://msazure.visualstudio.com/CloudNativeCompute/_build/results?buildId=156157838

Root Cause

PR #7660 changed the UAMI assignment condition in produce-packer-settings.sh from:

if [ -n "${AZURE_MSI_RESOURCE_STRING}" ]; then

to:

if [ -n "${AZURE_MSI_RESOURCE_STRING}" ] && [ -n "${PRIVATE_PACKAGES_URL}" ]; then

This means the User-Assigned Managed Identity is only attached to the Packer VM when both AZURE_MSI_RESOURCE_STRING and PRIVATE_PACKAGES_URL are set. Windows VHD build pipelines set AZURE_MSI_RESOURCE_STRING but not PRIVATE_PACKAGES_URL, so the UAMI never gets assigned to the Packer VM.

Inside the Packer VM, configure-windows-vhd.ps1 calls azcopy.exe login --login-type=MSI, which then authenticates with the VM's system-assigned identity (which lacks Storage Blob Data Reader on the source storage account) instead of the intended UAMI.

Fix

Revert the condition to only require AZURE_MSI_RESOURCE_STRING, restoring the original behavior where the UAMI is assigned whenever it is configured, regardless of PRIVATE_PACKAGES_URL.

Testing

  • Retrigger Windows VHD test build on this branch to confirm azcopy downloads succeed.

Copilot AI (Contributor) left a comment


Pull request overview

This PR restores the original behavior for attaching a user-assigned managed identity (UAMI) to Packer build VMs by keying the assignment solely off AZURE_MSI_RESOURCE_STRING, resolving Windows VHD build failures where azcopy login --login-type=MSI falls back to the VM’s system-assigned identity and hits 403s.

Changes:

  • Revert UAMI assignment gating in produce-packer-settings.sh to only require AZURE_MSI_RESOURCE_STRING.
  • Ensure msi_resource_strings is populated whenever the UAMI resource ID is provided, independent of PRIVATE_PACKAGES_URL.

@cameronmeissner cameronmeissner (Contributor) left a comment


We should gate this behind windows builds specifically - this was done to ensure that linux packer VMs aren't over-permissioned, particularly with respect to builds within the TME tenant.
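The three gating policies discussed on this page (the PR #7660 condition from the Root Cause section, the reverted condition from the Fix section, and the Windows-specific gate the review comment asks for) side by side, as an added example that is not the repository's produce-packer-settings.sh. The `OS_SKU` variable, the `decide` helper and the sample UAMI resource ID are assumptions made for this example; only `AZURE_MSI_RESOURCE_STRING` and `PRIVATE_PACKAGES_URL` come from the page.

```shell
#!/usr/bin/env sh
# Models which identity azcopy login --login-type=MSI ends up using on the Packer VM:
# "uami" when the user-assigned identity is attached, "system-assigned" otherwise.

# Policy from PR #7660: both the UAMI resource ID and a private packages URL are required.
gate_7660() {
    [ -n "${AZURE_MSI_RESOURCE_STRING}" ] && [ -n "${PRIVATE_PACKAGES_URL}" ]
}

# Policy restored by this PR: any configured UAMI is attached, whatever the build.
gate_reverted() {
    [ -n "${AZURE_MSI_RESOURCE_STRING}" ]
}

# Least-privilege variant suggested in review (hypothetical OS_SKU variable): attach only
# when the build needs the UAMI, i.e. a Windows image pull or a Linux private packages fetch.
gate_windows_or_private() {
    [ -n "${AZURE_MSI_RESOURCE_STRING}" ] &&
        { [ "${OS_SKU}" = "Windows" ] || [ -n "${PRIVATE_PACKAGES_URL}" ]; }
}

# decide POLICY OS_SKU MSI_RESOURCE_STRING PRIVATE_PACKAGES_URL -> prints the identity used.
decide() {
    policy="$1"
    OS_SKU="$2"
    AZURE_MSI_RESOURCE_STRING="$3"
    PRIVATE_PACKAGES_URL="$4"
    if "gate_${policy}"; then echo uami; else echo system-assigned; fi
}

# Constructed sample resource ID; the real value lives in the pipeline variables.
SAMPLE_MSI="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example-uami"

# Reproduces the regression for the six Windows builds named in the PR, then shows
# what each policy does to a Linux build that has no private packages configured.
demo() {
    for build in build_win_2022_v1 build_win_2022_v2 build_win_23H2_v1 \
                 build_win_23H2_v2 build_win_2025_v1 build_win_2025_v2; do
        printf '%s: 7660=%s reverted=%s windows_or_private=%s\n' "$build" \
            "$(decide 7660 Windows "$SAMPLE_MSI" "")" \
            "$(decide reverted Windows "$SAMPLE_MSI" "")" \
            "$(decide windows_or_private Windows "$SAMPLE_MSI" "")"
    done
    printf 'linux build, no PRIVATE_PACKAGES_URL: 7660=%s reverted=%s windows_or_private=%s\n' \
        "$(decide 7660 Linux "$SAMPLE_MSI" "")" \
        "$(decide reverted Linux "$SAMPLE_MSI" "")" \
        "$(decide windows_or_private Linux "$SAMPLE_MSI" "")"
}

demo
```

Under the #7660 policy every Windows build falls back to the system-assigned identity, which is the 403 described above; the reverted policy fixes that but also re-attaches the UAMI to Linux builds that never needed it, which is the over-permissioning the review comment raises.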

PR #7660 added PRIVATE_PACKAGES_URL as a required condition for
attaching the UAMI to the Packer VM. This broke Windows VHD builds
where PRIVATE_PACKAGES_URL is not set, causing azcopy 403 errors
when downloading from blob storage (AuthorizationPermissionMismatch).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@awesomenix awesomenix disabled auto-merge March 10, 2026 21:31
@awesomenix awesomenix merged commit 1af8766 into main Mar 10, 2026
18 of 30 checks passed
@awesomenix awesomenix deleted the sabina-3b branch March 10, 2026 21:31
janenotjung-hue pushed a commit that referenced this pull request Mar 11, 2026
…#8059)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
saewoni pushed a commit that referenced this pull request Mar 20, 2026
…#8059)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

4 participants