feat: override assignpermissions for policy definitions (#157)

.github/workflows/test.yml

@@ -20,26 +20,27 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: "go.mod"
           cache: true
       - run: go mod download
       - run: go build -v .
       - name: Run linters
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
         with:
           version: latest
 
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: "go.mod"
           cache: true
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       - run: go generate
         name: go generate (website)
       - run: go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
@@ -65,19 +66,19 @@ jobs:
         # list whatever Terraform versions here you would like to support
         terraform:
           - "1.6.*"
-          - "1.9.*"
+          - "1.10.*"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: "go.mod"
           cache: true
-      - uses: Azure/login@v2
+      - uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           allow-no-subscriptions: true
-      - uses: hashicorp/setup-terraform@v3
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: ${{ matrix.terraform }}
           terraform_wrapper: false

docs/data-sources/architecture.md

@@ -81,6 +81,8 @@ See the release notes [here](https://github.com/hashicorp/terraform/releases/tag
 
 ### Optional
 
+- `override_policy_definition_parameter_assign_permissions_set` (Attributes Set) This list of objects allows you to set the [`assignPermissions` metadata property](https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure-parameters#parameter-properties) of the supplied definition and parameter names. This allows you to correct policies that haven't been authored correctly and means that the provider can generate the correct policy role assignments. (see [below for nested schema](#nestedatt--override_policy_definition_parameter_assign_permissions_set))
+- `override_policy_definition_parameter_assign_permissions_unset` (Attributes Set) This list of objects allows you to unset set the [`assignPermissions` metadata property](https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure-parameters#parameter-properties) of the supplied definition and parameter names. This allows you to correct policies that haven't been authored correctly, or prevent permissions being assigned for policies that are disabled in a policy set. The provider can then generate the correct policy role assignments. (see [below for nested schema](#nestedatt--override_policy_definition_parameter_assign_permissions_unset))
 - `policy_assignments_to_modify` (Attributes Map) A mested map of policy assignments to modify. The key is the management group id, and the value is an object with a single attribute, `policy_assignments`. This is another map. (see [below for nested schema](#nestedatt--policy_assignments_to_modify))
 - `policy_default_values` (Map of String) A map of default values to apply to policy assignments. The key is the default name as defined in the library, and the value is an JSON object containing a single `value` attribute with the values to apply. This to mitigate issues with the Terraform type system. E.g. `{ defaultName = jsonencode({ value = "value"}) }`
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
@@ -91,6 +93,24 @@ See the release notes [here](https://github.com/hashicorp/terraform/releases/tag
 - `management_groups` (Attributes List) This is a list of objects pertaining to the tier of management groups to be deployed (relative to the supplied root management group id). Use the `level` attribute to specify the tier of management groups to deploy. (see [below for nested schema](#nestedatt--management_groups))
 - `policy_role_assignments` (Attributes Set) A set of role assignments that need to be created for the policies that have been assigned in the hierarchy. Since we will likely be using system assigned identities, we don't know the principal ID until after the deployment. Therefore this data can be used to create the role assignments after the deployment. (see [below for nested schema](#nestedatt--policy_role_assignments))
 
+<a id="nestedatt--override_policy_definition_parameter_assign_permissions_set"></a>
+### Nested Schema for `override_policy_definition_parameter_assign_permissions_set`
+
+Required:
+
+- `definition_name` (String) The name of the policy definition to override.
+- `parameter_name` (String) The name of the parameter to override.
+
+
+<a id="nestedatt--override_policy_definition_parameter_assign_permissions_unset"></a>
+### Nested Schema for `override_policy_definition_parameter_assign_permissions_unset`
+
+Required:
+
+- `definition_name` (String) The name of the policy definition to override.
+- `parameter_name` (String) The name of the parameter to override.
+
+
 <a id="nestedatt--policy_assignments_to_modify"></a>
 ### Nested Schema for `policy_assignments_to_modify`
 

go.mod

@@ -3,7 +3,7 @@ module github.com/Azure/terraform-provider-alz
 go 1.23.3
 
 require (
-	github.com/Azure/alzlib v0.24.1
+	github.com/Azure/alzlib v0.25.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization v1.0.0

go.sum

@@ -2,6 +2,8 @@ dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/Azure/alzlib v0.24.1 h1:Y5OIoETShx7o1OS/0iQzSWSQJMl743H7h0hWYhjVnKU=
 github.com/Azure/alzlib v0.24.1/go.mod h1:54zJ/xI5+bZNhHTJnrRexxLUodQGRHijSNoNS/6VweQ=
+github.com/Azure/alzlib v0.25.0 h1:2/6+pUEgQS4L1OfFyQnNnVUa3euj+D6BsGhsJtnaxEQ=
+github.com/Azure/alzlib v0.25.0/go.mod h1:54zJ/xI5+bZNhHTJnrRexxLUodQGRHijSNoNS/6VweQ=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g=

internal/provider/architecture_data_source.go

@@ -90,6 +90,50 @@ func (d *architectureDataSource) Read(ctx context.Context, req datasource.ReadRe
 		return
 	}
 
+	// Process assignPermissions overrides setting the values in the alzlib
+	assignPermissionsSetValues := []gen.OverridePolicyDefinitionParameterAssignPermissionsSetValue{}
+	resp.Diagnostics.Append(data.OverridePolicyDefinitionParameterAssignPermissionsSet.ElementsAs(
+		ctx,
+		&assignPermissionsSetValues,
+		false,
+	)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	for _, assignPermissionsSetValue := range assignPermissionsSetValues {
+		if assignPermissionsSetValue.DefinitionName.IsUnknown() || assignPermissionsSetValue.ParameterName.IsUnknown() {
+			continue
+		}
+		d.data.AlzLib.SetAssignPermissionsOnDefinitionParameter(
+			assignPermissionsSetValue.DefinitionName.ValueString(),
+			assignPermissionsSetValue.ParameterName.ValueString(),
+		)
+	}
+
+	// Process assignPermissions overrides unsetting the values in the alzlib
+	assignPermissionsUnsetValues := []gen.OverridePolicyDefinitionParameterAssignPermissionsUnsetValue{}
+	resp.Diagnostics.Append(data.OverridePolicyDefinitionParameterAssignPermissionsUnset.ElementsAs(
+		ctx,
+		&assignPermissionsUnsetValues,
+		false,
+	)...)
+
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	for _, assignPermissionsUnsetValue := range assignPermissionsUnsetValues {
+		if assignPermissionsUnsetValue.DefinitionName.IsUnknown() || assignPermissionsUnsetValue.ParameterName.IsUnknown() {
+			continue
+		}
+		d.data.AlzLib.UnsetAssignPermissionsOnDefinitionParameter(
+			assignPermissionsUnsetValue.DefinitionName.ValueString(),
+			assignPermissionsUnsetValue.ParameterName.ValueString(),
+		)
+	}
+
 	// Set policy assignment defaults
 	defaultsMap := convertPolicyAssignmentParametersMapToSdkType(data.PolicyDefaultValues, resp)
 	if resp.Diagnostics.HasError() {

internal/provider/architecture_data_source_test.go

@@ -123,6 +123,27 @@ func TestAccAlzArchitectureDataSourceModifyPolicyAssignmentNonExistent(t *testin
 	})
 }
 
+func TestAccAlzArchitectureDataSourceAssignPermissionsOverride(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactoriesUnique(),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"azapi": {
+				Source:            "azure/azapi",
+				VersionConstraint: "~> 2.0",
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccArchitectureDataSourceConfigOverrideAssignPermissions(),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownOutputValue("pra", knownvalue.Bool(true)),
+				},
+			},
+		},
+	})
+}
+
 // testAccArchitectureDataSourceConfigRemoteLib returns a test configuration for TestAccAlzArchetypeDataSource.
 func testAccArchitectureDataSourceConfigRemoteLib() string {
 	return `
@@ -329,6 +350,42 @@ data "alz_architecture" "test" {
 `
 }
 
+func testAccArchitectureDataSourceConfigOverrideAssignPermissions() string {
+	return `
+provider "alz" {
+	library_references = [
+		{
+			custom_url = "${path.root}/testdata/overrideAssignPermissions"
+    }
+	]
+}
+
+data "azapi_client_config" "current" {}
+
+data "alz_architecture" "test" {
+	name                     = "test"
+	root_management_group_id = data.azapi_client_config.current.tenant_id
+	location                 = "northeurope"
+	override_policy_definition_parameter_assign_permissions_set = [
+		{
+			definition_name = "test-policy-definition"
+			parameter_name  = "logAnalytics"
+		}
+	]
+}
+
+locals {
+	test = anytrue([
+	  for val in data.alz_architecture.test.policy_role_assignments : strcontains(val.scope, "Microsoft.OperationalInsights/workspaces/PLACEHOLDER")
+	])
+}
+
+output "pra" {
+	value = local.test
+}
+`
+}
+
 // TestConvertPolicyAssignmentResourceSelectorsToSdkType tests the conversion of policy assignment resource selectors from framework to Azure Go SDK types.
 func TestConvertPolicyAssignmentResourceSelectorsToSdkType(t *testing.T) {
 	ctx := context.Background()