
PSRule 'Microsoft.Authorization/roleAssignments' is missing type 'properties.principalType'

Open lassehastrup opened this issue 1 year ago • 2 comments

Description of the issue

Using a custom rule of type 'Microsoft.Authorization/roleAssignments' with a condition that specifies that the field 'properties.principalType' should be equal to 'xyz', we receive an error that the property does not exist.

However, when specifying 'properties.principalType' in a Bicep file and running the custom rule, everything works as expected. So it seems to only be an issue when the Bicep property is not set.

To Reproduce

Steps to reproduce the issue:

PSRule rule:

---
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: "Local.YAML.roleAssignments.principalType"
spec:
  # recommend belongs under spec in the PSRule YAML rule schema
  recommend: "roleAssignments principalType should be set to ServicePrincipal or Group."
  type:
    - Microsoft.Authorization/roleAssignments
  condition:
    # values match the recommendation above
    field: 'properties.principalType'
    in:
      - 'ServicePrincipal'
      - 'Group'

Bicep file:

param principalObjectId string

// principalType is deliberately omitted here to reproduce the issue
resource roleAssignmentPatchManagement 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('7a2fd238-abbc-4cd9-b22b-09391bef7bbb')
  properties: {
    principalId: principalObjectId
    // roleDefinitionId must be the full resource ID of the role definition (Contributor),
    // not guid(), which would hash the string into an unrelated GUID
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
  }
}

Error output

Reason:
  - Path properties.principalType: The field 'properties.principalType' does not exist.

When adding properties.principalType to the Bicep file:

param principalObjectId string

resource roleAssignmentPatchManagement 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('7a2fd238-abbc-4cd9-b22b-09391bef7bbb')
  properties: {
    principalId: principalObjectId
    // full resource ID of the Contributor role definition
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
    principalType: 'ServicePrincipal'
  }
}

Everything works as expected.

Expected behaviour

As the property clearly exists in Bicep and works as expected in ARM, we had hoped that PSRule would process the property correctly even when it is not set in the Bicep file.

Module in use and version:

  • Module: PSRule
  • Version: 2.9.0

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Darwin 23.4.0 Darwin Kernel Version 23.4.0: Fri Mar 15 00:10:42 PDT 2024; root:xnu-10063.101.17~1/RELEASE_ARM64_T6000
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context

lassehastrup, May 16 '24 12:05
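The same check written as a PSRule PowerShell rule, added here as an example (it is not code from the issue, from PSRule, or from PSRule for Azure). It treats an unset principalType as a failure in its own right, because the Role Assignments REST API defaults the property to 'User' when it is omitted, and reports that instead of the generic "field does not exist" reason. The rule name, the allow-list and the reason text are assumptions for this example; $Assert.Fail, $Assert.In and the Rule -Type parameter are standard PSRule.

```powershell
# Synopsis: Role assignments must set principalType explicitly to ServicePrincipal or Group.
Rule 'Local.PS.roleAssignments.principalType' -Type 'Microsoft.Authorization/roleAssignments' {
    # Hypothetical rule name and allow-list chosen for this example.
    $allowed = @('ServicePrincipal', 'Group')

    # Accessing a missing property on the bound object yields $null rather than an error.
    $value = $TargetObject.properties.principalType

    if ([string]::IsNullOrEmpty($value)) {
        # The Role Assignments REST API (2022-04-01) defaults principalType to 'User'
        # when it is omitted, so an unset property is a policy failure, not an unknown.
        # Fail with a reason that says why, instead of "field does not exist".
        $Assert.Fail("properties.principalType is not set and will default to 'User' at deployment time. Set it to one of: $($allowed -join ', ').")
    }
    else {
        # An explicit value is present: it must be one of the allowed principal types.
        # $Assert.In compares case-insensitively by default.
        $Assert.In($TargetObject, 'properties.principalType', $allowed)
    }
}
```

Save the rule in a file whose name ends in .Rule.ps1 under the directory passed to -Path. To evaluate Bicep input the way PSRule for Azure does, enable its expansion option (AZURE_BICEP_FILE_EXPANSION: true in ps-rule.yaml) and run Invoke-PSRule -Module PSRule.Rules.Azure -Path . -InputPath ./main.bicep; the file names here are assumed. The first Bicep file in the report above then fails with the principalType reason, and the second passes.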

@lassehastrup Thanks for reporting the issue. Let me see if I understand the issue correctly.

  • When testing a Microsoft.Authorization/roleAssignments resource you get a failure with the reason "Path properties.principalType: The field 'properties.principalType' does not exist." if the property is not set in Bicep.
  • However, properties.principalType defaults to ServicePrincipal when not set, so the reason "The field 'properties.principalType' does not exist." is unexpected.

Have I understood the issue correctly?

BernieWhite, May 16 '24 13:05

Hi @BernieWhite ,

The default value of properties.principalType is 'user' according to this documentation:

https://learn.microsoft.com/en-us/rest/api/authorization/role-assignments/create-by-id?view=rest-authorization-2022-04-01&tabs=HTTP#roleassignment

You understood the issue correctly.

lassehastrup, May 16 '24 13:05

@lassehastrup This should be fixed in PSRule for Azure v1.40.0.

BernieWhite, Nov 02 '24 06:11