Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support Authentication PIM Role Management Policies #3130

Open
wants to merge 17 commits into
base: master
Choose a base branch
from

Conversation

thomas11
Copy link
Contributor

@thomas11 thomas11 commented Mar 6, 2024

About

This PR adds support for Role Management Policies, part of Privileged Identity Management (PIM) in the Microsoft.Authentication namespace. It's one part of #2455.

Note that this is about the ARM part of PIM; there's also a Microsoft Graph API part which is not covered by this provider.

This resource wasn't automatically included because it supports only GET and PATCH. The policies are singletons that cannot be created or deleted, only modified via PATCH.

Implementation

Role Management Policies essentially consist of a name which is actually a GUID, and a list of ~20 rules.

Using our existing singleton support defaults.GetDefaultResourceState was tricky because

  1. there are many policies with many rules, for a total of ~300k lines of JSON for a subscription scope, and there are more scopes, plus
  2. I believe the defaults can vary per scope and possibly also per customer.

So instead, I've implemented a custom resource that captures the original state of a policy when it's first "created", i.e., added to Pulumi state. When a rule or the whole policy is removed from Pulumi, we look up the original state and re-apply it.

Testing

The e2e/integration test for this resource is special because using PIM requires a paid Entra ID P2 license. We don't have one yet so the test fails (example). This PR looks green because the test is marked as long-running and doesn't run in PR workflows. Hence the draft status while I organize the license.

Copy link

github-actions bot commented Mar 6, 2024

Does the PR have any schema changes?

Looking good! No breaking changes found.

New resources:

  • authorization.RoleManagementPolicy

New functions:

  • authorization.getRoleManagementPolicy

Copy link

codecov bot commented Mar 6, 2024

Codecov Report

Attention: Patch coverage is 37.08609% with 95 lines in your changes are missing coverage. Please review.

Project coverage is 56.47%. Comparing base (048405b) to head (2206dbc).

Files Patch % Lines
...ovider/pkg/resources/customresources/custom_pim.go 40.42% 49 Missing and 7 partials ⚠️
provider/pkg/provider/provider.go 33.33% 15 Missing and 5 partials ⚠️
provider/pkg/provider/crud/crud.go 0.00% 8 Missing ⚠️
provider/pkg/openapi/discover.go 0.00% 4 Missing and 1 partial ⚠️
...r/pkg/resources/customresources/custom_keyvault.go 0.00% 0 Missing and 2 partials ⚠️
...r/pkg/resources/customresources/customresources.go 71.42% 1 Missing and 1 partial ⚠️
...es/customresources/custom_keyvault_accesspolicy.go 0.00% 1 Missing ⚠️
...er/pkg/resources/customresources/custom_storage.go 50.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3130      +/-   ##
==========================================
- Coverage   56.77%   56.47%   -0.30%     
==========================================
  Files          66       67       +1     
  Lines        8055     8177     +122     
==========================================
+ Hits         4573     4618      +45     
- Misses       3049     3113      +64     
- Partials      433      446      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@thomas11 thomas11 force-pushed the tkappler/pim branch 4 times, most recently from 540d754 to 46f3a52 Compare March 18, 2024 16:24
@thomas11 thomas11 requested review from danielrbradley, mjeffryes and a team March 22, 2024 15:35
@thomas11 thomas11 marked this pull request as ready for review March 25, 2024 14:25
@thomas11 thomas11 force-pushed the tkappler/pim branch 2 times, most recently from e608d43 to e34db2f Compare March 25, 2024 15:20
var exists bool
if customRes.CanCreate != nil {
err = customRes.CanCreate(ctx, id)
exists = err != nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is not existing the only kind of err?

@t0yv0
Copy link
Member

t0yv0 commented Mar 25, 2024

Glanced over it but the review effort here is formidable, LMK if you need me as a reviewer, I'm happy to try again. Since there's a lot going on it can be helpful to rebase into step-by-step commits.

Copy link
Member

@danielrbradley danielrbradley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the status on this PR? Sorry I didn't get to a review when you put this up.

Guessing the behaviour change is still needed but we might need to rework the changes that touch the custom resources since more recent updates?

@thomas11
Copy link
Contributor Author

thomas11 commented Dec 6, 2024

What's the status on this PR? Sorry I didn't get to a review when you put this up.

Guessing the behaviour change is still needed but we might need to rework the changes that touch the custom resources since more recent updates?

Yep, exactly that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants