
Support Authentication PIM Role Management Policies

Open thomas11 opened this issue 1 year ago • 3 comments

About

This PR adds support for Role Management Policies, part of Privileged Identity Management (PIM) in the Microsoft.Authentication namespace. It's one part of #2455.

Note that this is about the ARM part of PIM; there's also a Microsoft Graph API part which is not covered by this provider.

This resource wasn't automatically included because it supports only GET and PATCH. The policies are singletons that cannot be created or deleted, only modified via PATCH.

Implementation

Role Management Policies essentially consist of a name which is actually a GUID, and a list of ~20 rules.

Using our existing singleton support defaults.GetDefaultResourceState was tricky because

  1. there are many policies with many rules, for a total of ~300k lines of JSON for a subscription scope, and there are more scopes, plus
  2. I believe the defaults can vary per scope and possibly also per customer.

So instead, I've implemented a custom resource that captures the original state of a policy when it's first "created", i.e., added to Pulumi state. When a rule or the whole policy is removed from Pulumi, we look up the original state and re-apply it.

Testing

The e2e/integration test for this resource is special because using PIM requires a paid Entra ID P2 license. We don't have one yet so the test fails (example). This PR looks green because the test is marked as long-running and doesn't run in PR workflows. Hence the draft status while I organize the license.

thomas11 avatar Mar 06 '24 16:03 thomas11
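As an added illustration of the snapshot-and-restore lifecycle described in the Implementation section above (example code, not the provider's own custom resource), here is a minimal Go model. The in-memory Live map stands in for the ARM store, rule bodies are reduced to a bool, and every rule ID is assumed to already exist in the singleton policy, so PATCH only ever modifies rules and never adds or deletes them.

```go
package main

// Rules is a policy's rule set keyed by rule ID; the bool stands in for the
// rule body (an assumption; real rules carry many settings each).
type Rules map[string]bool

// PolicyResource mirrors the snapshot-and-restore idea: the rules as they were
// when the policy was first added to Pulumi state are kept so that removing a
// rule or the whole policy can restore them. Live stands in for the ARM store.
type PolicyResource struct {
	Live     map[string]Rules // policy GUID -> current rules in Azure
	Original map[string]Rules // policy GUID -> rules snapshotted at Create
}

// patch merges rules by ID, like ARM PATCH: unmentioned rules stay as they are.
func (p *PolicyResource) patch(guid string, rules Rules) {
	for id, v := range rules {
		p.Live[guid][id] = v
	}
}

// Create snapshots the live policy before applying the desired rules.
func (p *PolicyResource) Create(guid string, desired Rules) {
	snap := Rules{}
	for id, v := range p.Live[guid] {
		snap[id] = v // copy, so later patches cannot alter the snapshot
	}
	p.Original[guid] = snap
	p.patch(guid, desired)
}

// Update applies desired and re-applies the original version of every rule
// that was in the old inputs but is missing from the new ones.
func (p *PolicyResource) Update(guid string, old, desired Rules) {
	merged := Rules{}
	for id, v := range desired {
		merged[id] = v
	}
	for id := range old {
		if _, kept := desired[id]; !kept {
			merged[id] = p.Original[guid][id]
		}
	}
	p.patch(guid, merged)
}

// Delete cannot remove a singleton; it puts the Create-time snapshot back.
func (p *PolicyResource) Delete(guid string) {
	p.patch(guid, p.Original[guid])
}
```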

Does the PR have any schema changes?

Looking good! No breaking changes found.

New resources:

  • authorization.RoleManagementPolicy

New functions:

  • authorization.getRoleManagementPolicy

github-actions[bot] avatar Mar 06 '24 16:03 github-actions[bot]

Codecov Report

Attention: Patch coverage is 37.08609% with 95 lines in your changes missing coverage. Please review.

Project coverage is 56.47%. Comparing base (048405b) to head (2206dbc).

Files                                                   Patch %   Lines
...ovider/pkg/resources/customresources/custom_pim.go    40.42%   49 Missing and 7 partials
provider/pkg/provider/provider.go                        33.33%   15 Missing and 5 partials
provider/pkg/provider/crud/crud.go                        0.00%    8 Missing
provider/pkg/openapi/discover.go                          0.00%    4 Missing and 1 partial
...r/pkg/resources/customresources/custom_keyvault.go     0.00%    0 Missing and 2 partials
...r/pkg/resources/customresources/customresources.go    71.42%    1 Missing and 1 partial
...es/customresources/custom_keyvault_accesspolicy.go     0.00%    1 Missing
...er/pkg/resources/customresources/custom_storage.go    50.00%    1 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3130      +/-   ##
==========================================
- Coverage   56.77%   56.47%   -0.30%     
==========================================
  Files          66       67       +1     
  Lines        8055     8177     +122     
==========================================
+ Hits         4573     4618      +45     
- Misses       3049     3113      +64     
- Partials      433      446      +13     


codecov[bot] avatar Mar 06 '24 16:03 codecov[bot]

Glanced over it but the review effort here is formidable, LMK if you need me as a reviewer, I'm happy to try again. Since there's a lot going on it can be helpful to rebase into step-by-step commits.

t0yv0 avatar Mar 25 '24 15:03 t0yv0