pulumi-azure-native
Add AzureRM Privileged Identity Management to Provider
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
Hello! Looking through the available resources, one set that is missing that could be majorly helpful is the Privileged Identity Management endpoint (the ones specifically for ARM, not the ones for Graph).
These currently sit under the Microsoft.Authorization namespace - the ones I'm specifically hoping for are:
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{roleEligibilityScheduleRequestName} as documented here.
Furthermore, the role management policies that govern PIM activation on each resource scope:
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleManagementPolicies/{roleManagementPolicyId}?api-version=2020-10-01 - as documented here
Affected area/feature
Likely the authorization section of the SDKs as a new resource.
Thanks!
Hi @phantlantis - thank you for bringing this to our attention! This is due to Azure's API specs neither defining an endpoint to DELETE this resource nor a reasonable default to set this resource to when Pulumi runs its delete procedures. What we'll want to do to add support here is to add these endpoints and a corresponding default state here:
https://github.com/pulumi/pulumi-azure-native/blob/0b1942064cfcc9086225c91be8d22e0f1411adf2/provider/pkg/openapi/defaultResourcesState.go#L9
From there, a simple make generate command should get us the rest of the way!
We'll get this queued up when we can, but if there are any enterprising souls out there, that would be the desired starting point.
Thank you again!
I just spent a couple of hours looking into this under-documented API and I’m afraid it’s a size L task.
I don’t think our existing "reset to default state" mechanism actually applies here.
- /roleManagementPolicies does have a DELETE method but is missing PUT ("You do not need to Create role management policies as each role within each resource has a default policy").
- /roleEligibilityScheduleRequests is missing DELETE but doesn't have a default state to be reset to, instead requiring explicit revocation.
The way to support both would be through custom resources.
RoleEligibilityScheduleRequests would be pretty simple, we’d only need to override DELETE and replace it with a PUT request.
RoleManagementPolicies would probably require custom-implementing all CRUD methods since it has weird semantics. I don't even know what its DELETE method really does, since there's no creation of this resource and no PUT.
Another complication is that we cannot simply try the API to see how it behaves until we get the required "AAD Premium 2" license.
> RoleEligibilityScheduleRequests would be pretty simple, we'd only need to override DELETE and replace it with a PUT request.
I take that back, since its PUT endpoint is only for creation, not for updates, so those would be custom.
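To make the custom-resource shape discussed in the last two comments concrete, here is an added example (my own sketch, not code from pulumi-azure-native or from anyone in this thread) of the lifecycle a RoleEligibilityScheduleRequests resource would need: create is a PUT, delete cannot be a DELETE and is instead a second PUT that revokes the eligibility, and update is a replace because PUT only creates. The `FakeArm` class is a constructed in-memory stand-in for management.azure.com that offers only the verbs the thread reports for this endpoint, so the example runs offline. The `requestType` values `AdminAssign`/`AdminRemove`, the GUID-named request resources and the request body layout follow the Azure REST reference for api-version 2020-10-01 as I understand it and should be treated as assumptions, not as something this issue confirms.

```python
import uuid

API_VERSION = "2020-10-01"  # the api-version quoted in the issue
ARM_PREFIX = "/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/"


class FakeArm:
    """Constructed in-memory stand-in for management.azure.com.

    Only the verbs the thread reports for this endpoint are offered (PUT, GET);
    a provider that issues a plain DELETE gets 405 instead of a silent success.
    """

    def __init__(self):
        self.requests = {}  # request name -> stored body
        self.log = []       # (method, request name, requestType) as ARM saw them

    def send(self, method, url, body=None):
        path = url.split("?", 1)[0]
        if ARM_PREFIX not in path:
            return 404, None
        name = path.split(ARM_PREFIX, 1)[1]
        if method == "PUT":
            req_type = body["properties"]["requestType"]
            if req_type not in ("AdminAssign", "AdminRemove"):  # assumption: allowed values
                return 400, None
            self.requests[name] = body
            self.log.append((method, name, req_type))
            return 201, body
        self.log.append((method, name, None))
        if method == "GET":
            return (200, self.requests[name]) if name in self.requests else (404, None)
        return 405, None  # DELETE is not offered on this endpoint


class RoleEligibilityScheduleRequest:
    """Custom-resource lifecycle sketch (example code, not the provider's own).

    create -> PUT with requestType AdminAssign
    delete -> PUT a *new* request with requestType AdminRemove (no DELETE exists)
    update -> replace: revoke, then assign again, because PUT is create-only
    """

    def __init__(self, send):
        self.send = send  # callable(method, url, body) -> (status, json)

    @staticmethod
    def url(scope, name):
        return f"https://management.azure.com{scope}{ARM_PREFIX}{name}?api-version={API_VERSION}"

    def _put(self, scope, request_type, principal_id, role_definition_id, duration=None):
        name = str(uuid.uuid4())  # assumption: every request is its own GUID-named resource
        props = {"principalId": principal_id, "roleDefinitionId": role_definition_id,
                 "requestType": request_type}
        if duration:
            props["scheduleInfo"] = {"expiration": {"type": "AfterDuration", "duration": duration}}
        status, _ = self.send("PUT", self.url(scope, name), {"properties": props})
        if status not in (200, 201):
            raise RuntimeError(f"PUT {request_type} for {name} failed with HTTP {status}")
        return {"scope": scope, "name": name, **props}

    def create(self, scope, principal_id, role_definition_id, duration="P30D"):
        return self._put(scope, "AdminAssign", principal_id, role_definition_id, duration)

    def delete(self, state):
        # The revocation is itself a new request resource; the original one stays in history.
        return self._put(state["scope"], "AdminRemove", state["principalId"], state["roleDefinitionId"])

    def update(self, state, **changes):
        if not changes:
            return state
        self.delete(state)
        return self.create(state["scope"],
                           changes.get("principal_id", state["principalId"]),
                           changes.get("role_definition_id", state["roleDefinitionId"]),
                           changes.get("duration", state["scheduleInfo"]["expiration"]["duration"]))


def lifecycle_demo():
    """Run create -> update -> delete against the fake and report what ARM saw."""
    arm = FakeArm()
    res = RoleEligibilityScheduleRequest(arm.send)
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ids
    role = scope + "/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
    state = res.create(scope, "22222222-2222-2222-2222-222222222222", role, duration="P30D")
    state = res.update(state, duration="P7D")   # becomes revoke + fresh assign
    res.delete(state)
    naive_status, _ = arm.send("DELETE", res.url(scope, state["name"]))  # what a generic DELETE gets
    return {
        "request_types": [t for m, _, t in arm.log if m == "PUT"],
        "naive_delete_status": naive_status,
        "final_duration": state["scheduleInfo"]["expiration"]["duration"],
        "requests_stored": len(arm.requests),
    }


if __name__ == "__main__":
    print(lifecycle_demo())
```

The point the fake makes visible is the one from the thread: four request resources end up in ARM for one logical eligibility (assign, revoke, assign, revoke), and a provider that keeps the generic DELETE path would fail with 405 rather than revoke anything.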