azurerm_role_management_policy New resource & data source

[oWretch]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

Add support for managing the policies for PIM assignments to Azure resources. Based on the work in hashicorp/terraform-provider-azuread#1327.

Closes #23295 as this has not been updated for 7 months and has merge conflicts with main. I also thought code consistency would be nice between providers. Also closes #20496.

Fixes #19912, fixes #22766, fixes #23458, fixes hashicorp/terraform-provider-azuread#1186

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

terraform-provider-azurerm % make acctests SERVICE='authorization' TESTARGS='-run="TestRoleManagementPolicy(DataSource)?_"' TESTTIMEOUT='60m'
==> Checking that code complies with gofmt requirements...
==> Checking that Custom Timeouts are used...
==> Checking that acceptance test packages are used...
TF_ACC=1 go test -v ./internal/services/authorization -run="TestRoleManagementPolicy(DataSource)?_" -timeout 60m -ldflags="-X=github.com/hashicorp/terraform-provider-azurerm/version.ProviderVersion=acc"
=== RUN   TestRoleManagementPolicyDataSource_resourceGroup
=== PAUSE TestRoleManagementPolicyDataSource_resourceGroup
=== RUN   TestRoleManagementPolicyDataSource_managementGroup
=== PAUSE TestRoleManagementPolicyDataSource_managementGroup
=== RUN   TestRoleManagementPolicy_resourceGroup
=== PAUSE TestRoleManagementPolicy_resourceGroup
=== RUN   TestRoleManagementPolicy_managementGroup
=== PAUSE TestRoleManagementPolicy_managementGroup
=== CONT  TestRoleManagementPolicyDataSource_resourceGroup
=== CONT  TestRoleManagementPolicy_resourceGroup
=== CONT  TestRoleManagementPolicy_managementGroup
=== CONT  TestRoleManagementPolicyDataSource_managementGroup
--- PASS: TestRoleManagementPolicyDataSource_managementGroup (87.60s)
--- PASS: TestRoleManagementPolicy_managementGroup (126.46s)
--- PASS: TestRoleManagementPolicyDataSource_resourceGroup (134.63s)
--- PASS: TestRoleManagementPolicy_resourceGroup (241.30s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/authorization 244.468s

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_role_management_policy - new resource [azurerm_role_management_policy New resource & data source #25900]
• azurerm_role_management_policy - new data source [azurerm_role_management_policy New resource & data source #25900]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

[manicminer]

Thanks for working on this @oWretch. Whilst this duplicates #23295, this does appear to be more developed so I'll close that one out in favor of this PR.

I've made some comments inline, if you can take a look at these I'll happily circle back for another review.

Thanks!

[oWretch]

@manicminer I realised today I hadn't answered all your feedback. I think I have it all updated now.

[manicminer]

Hi @oWretch, thanks for circling back and making those changes. The updated buildRoleManagementPolicyForUpdate() function looks great 👍

I've spent some time reviewing and testing, and whilst I originally had some more changes to request, once I starting digging a bit more into the APIs I realised that it would be dificult to communicate - so I've gone ahead and made some updates to get this ready, which I've summarized here:

• I noticed that the response payloads to the List operations to retrieve the policy assignments were coming in at 4-8MB each (!!). It also seems that the SDK doesn't support filtering on the roleManagementPolicyAssignments endpoint (presumably the API specs don't advertise it), so I reworked the resource to use only the roleManagementPolicies endpoint (incidentally, the unfiltered List response payloads here are also in the multi-MB range, though a bit less than roleManagementPolicyAssignments), where we can use a $filter query parameter to filter on the role definition ID.
• Doing this brings down the List responses are to a few KB, drastically improving performance of the resource, but also means that we also need to save the role definition ID to state as part of the resource ID. I've added a custom ID type RoleManagementPolicyId which captures the scope and the role_definition_id, this enables us to perform a quick search with the new FindRoleManagementPolicyId() function whenever we need to get the latest policy. Given that the policy ID changes every time it is modified, this also provides us with a stable resource ID.
• The data source however, can continue to use the rolemanagementpolicies.ScopedRoleManagementPolicyId type since it does not matter if this changes at refresh time.
• Validating role_definition_id is tricky since it seems certain role definitions (looking at management groups in particular) are not scoped at all, so the ID types validation in the SDK fails to parse these, as does parse.RoleDefinitionId which is used in the azurerm_role_definition resource. Some definite inconsistency from the APIs here. I've opted to forego validation here (save for ensuring it's not empty), and I will follow up with another PR to consolidate the scattered logic around role definition IDs in the authorization package - else we will end up with yet another ID type to add to the confusion.
• I've updated the validation for scope to only support management groups, subscriptions and resource groups at this time. If it becomes clear that other resource types expose role management policies, we can add support for those individually (ensuring we have test coverage as we go).
• I removed the display_name attribute from the resource and the data source, since in my testing this doesn't actually exist and seems to be a ghost field from the API specs.
• I've added test cases for subscription policies since it's important to ensure coverage for these too.

With all that said, since I've made considerable changes, and as I have been staring at this for awhile, I'm going to request a secondary review from another contributor. Pending their review, I'm happy to merge this. Thanks again for your work on this!

[mbfrahry]

Hey @manicminer, gave it a review and it looks good! Just had a couple comments to confirm but other than that, I think we're good!

[mbfrahry]

We could simplify this by starting with isEnabled is false

[manicminer]

Good shout, will tidy this up 👍

[mbfrahry]

Are we losing recipient information with this? We're doing quite a bit of work here and then overwriting it if recipientChange is true. Did we want to append instead of overwrite or is this correct?

[manicminer]

I think this is OK, on lines 560-566 we're populating with any existing additional recipients as retrieved from the policy prior to updating, and here we're selectively replacing them if the property changed in the config (it seems they'll be removed if you just don't specify them in the Update request).

[manicminer]

Test results

[oWretch]

Thanks for that thorough review @manicminer. And I agree with your sentiments - the Azure API for role management could be far better than it is. One might think three versions would be enough to sort some of that out 🙂

[celsocoutinho-tangany]

This is awesome! But is it fair to assume that it is currently not possible to provision azurerm_role_management_policy on a resource-level, rather than on a RG, subscription or MG level?

[manicminer]

@celsocoutinho-tangany Currently yes, the resource only supports management group, subscription or resource group level. We had some challenging API interactions when trying to scope more specifically than that. I'll try to get those resolved in time, once the current implementation of this resource has had a break-in period to weed out any bugs.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.