
Role Assignments / Role Definitions #414

Merged
merged 11 commits into from
Oct 11, 2017
19 changes: 17 additions & 2 deletions azurerm/config.go
Expand Up @@ -8,6 +8,7 @@ import (
"net/http/httputil"

"github.com/Azure/azure-sdk-for-go/arm/appinsights"
"github.com/Azure/azure-sdk-for-go/arm/authorization"
"github.com/Azure/azure-sdk-for-go/arm/automation"
"github.com/Azure/azure-sdk-for-go/arm/cdn"
"github.com/Azure/azure-sdk-for-go/arm/compute"
Expand Down Expand Up @@ -138,6 +139,8 @@ type ArmClient struct {
appInsightsClient appinsights.ComponentsClient

// Authentication
roleAssignmentsClient authorization.RoleAssignmentsClient
roleDefinitionsClient authorization.RoleDefinitionsClient
servicePrincipalsClient graphrbac.ServicePrincipalsClient

// Databases
Expand Down Expand Up @@ -651,19 +654,31 @@ func (c *Config) getArmClient() (*ArmClient, error) {
aschc.Sender = sender
client.automationScheduleClient = aschc

client.registerAuthentication(graphEndpoint, c.TenantID, graphAuth, sender)
client.registerAuthentication(endpoint, graphEndpoint, c.SubscriptionID, c.TenantID, auth, graphAuth, sender)
client.registerDatabases(endpoint, c.SubscriptionID, auth, sender)
client.registerKeyVaultClients(endpoint, c.SubscriptionID, auth, keyVaultAuth, sender)

return &client, nil
}

func (c *ArmClient) registerAuthentication(graphEndpoint, tenantId string, graphAuth autorest.Authorizer, sender autorest.Sender) {
func (c *ArmClient) registerAuthentication(endpoint, graphEndpoint, subscriptionId, tenantId string, auth, graphAuth autorest.Authorizer, sender autorest.Sender) {
spc := graphrbac.NewServicePrincipalsClientWithBaseURI(graphEndpoint, tenantId)
setUserAgent(&spc.Client)
spc.Authorizer = graphAuth
spc.Sender = sender
c.servicePrincipalsClient = spc

rac := authorization.NewRoleAssignmentsClientWithBaseURI(endpoint, subscriptionId)
setUserAgent(&rac.Client)
rac.Authorizer = auth
rac.Sender = sender
c.roleAssignmentsClient = rac

rdc := authorization.NewRoleDefinitionsClientWithBaseURI(endpoint, subscriptionId)
setUserAgent(&rdc.Client)
rdc.Authorizer = auth
rdc.Sender = sender
c.roleDefinitionsClient = rdc
}

func (c *ArmClient) registerDatabases(endpoint, subscriptionId string, auth autorest.Authorizer, sender autorest.Sender) {
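Review bot: registerAuthentication now takes two endpoints and two authorizers but carries no doc comment saying which credential feeds which client, so a reader has to work it out from the three constructor calls in the body. Suggest a comment above the new signature: `// registerAuthentication wires the Graph RBAC service-principals client (graphEndpoint, graphAuth) and the ARM role-assignment and role-definition clients (endpoint, auth); the two groups authenticate against different endpoints, so the authorizers must not be swapped.` The setUserAgent/Authorizer/Sender triple is repeated for every client in this function and in registerDatabases below; a small helper taking the embedded `Client`, an authorizer and the sender would remove the duplication, though the exact field type is not visible in this hunk. getArmClient, the only caller shown, starts outside the hunk.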
42 changes: 0 additions & 42 deletions azurerm/data_source_arm_builtin_role_definition.go

This file was deleted.

80 changes: 0 additions & 80 deletions azurerm/data_source_arm_builtin_role_definition_test.go

This file was deleted.

102 changes: 102 additions & 0 deletions azurerm/data_source_builtin_role_definition.go
@@ -0,0 +1,102 @@
package azurerm

import (
"fmt"

"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/terraform/helper/validation"
)

func dataSourceArmBuiltInRoleDefinition() *schema.Resource {
return &schema.Resource{
Read: dataSourceArmBuiltInRoleDefinitionRead,
Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
"Contributor",
"Reader",
"Owner",
"VirtualMachineContributor",
}, false),
},

// Computed
"description": {
Type: schema.TypeString,
Computed: true,
},
"type": {
Type: schema.TypeString,
Computed: true,
},
"permissions": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"actions": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"not_actions": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
},
},
},
"assignable_scopes": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
},
}
}

func dataSourceArmBuiltInRoleDefinitionRead(d *schema.ResourceData, meta interface{}) error {
client := meta.(*ArmClient).roleDefinitionsClient
name := d.Get("name").(string)
roleDefinitionIds := map[string]string{
"Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
Member

@mbfrahry mbfrahry Oct 11, 2017


Are these values (Contributor, Owner, Reader, VirtualMachineContributor) specific to our account or to Azure in general?

Contributor Author


They're Azure in general - this Data Source is mostly there so users don't have to refer to GUIDs, tbh.

Member


Perfect!

"Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"VirtualMachineContributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
}
roleDefinitionId := roleDefinitionIds[name]

d.SetId(roleDefinitionId)

role, err := client.GetByID(roleDefinitionId)
if err != nil {
return fmt.Errorf("Error loadng Role Definition: %+v", err)
}

if props := role.Properties; props != nil {
d.Set("name", props.RoleName)
d.Set("description", props.Description)
d.Set("type", props.Type)

permissions := flattenRoleDefinitionPermissions(props.Permissions)
if err := d.Set("permissions", permissions); err != nil {
return err
}

assignableScopes := flattenRoleDefinitionAssignableScopes(props.AssignableScopes)
if err := d.Set("assignable_scopes", assignableScopes); err != nil {
return err
}
}

return nil
}
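Review bot: The error string at `return fmt.Errorf("Error loadng Role Definition: %+v", err)` has a typo ("loadng"), and the lookup `roleDefinitionId := roleDefinitionIds[name]` silently yields an empty string if the ValidateFunc list in dataSourceArmBuiltInRoleDefinition and this map ever drift apart, which then becomes the resource ID via `d.SetId` before the API call is made. Suggest `roleDefinitionId, ok := roleDefinitionIds[name]` followed by `if !ok { return fmt.Errorf("unknown built-in role definition %q", name) }` ahead of `d.SetId(roleDefinitionId)`. The map is also rebuilt on every Read; hoisting it to a package-level `var` and deriving the ValidateFunc slice from its keys would keep the two lists from diverging. flattenRoleDefinitionPermissions and flattenRoleDefinitionAssignableScopes are called here but defined outside this hunk, so their nil handling for `props.Permissions`/`props.AssignableScopes` could not be checked.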
108 changes: 108 additions & 0 deletions azurerm/data_source_builtin_role_definition_test.go
@@ -0,0 +1,108 @@
package azurerm

import (
"fmt"
"testing"

"github.com/hashicorp/terraform/helper/resource"
)

func TestAccDataSourceAzureRMBuiltInRoleDefinition_contributor(t *testing.T) {
dataSourceName := "data.azurerm_builtin_role_definition.test"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceBuiltInRoleDefinition("Contributor"),
Check: resource.ComposeTestCheckFunc(
testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"),
resource.TestCheckResourceAttrSet(dataSourceName, "description"),
resource.TestCheckResourceAttrSet(dataSourceName, "type"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "*"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "3"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.0", "Microsoft.Authorization/*/Delete"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.1", "Microsoft.Authorization/*/Write"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.2", "Microsoft.Authorization/elevateAccess/Action"),
),
},
},
})
}

func TestAccDataSourceAzureRMBuiltInRoleDefinition_owner(t *testing.T) {
dataSourceName := "data.azurerm_builtin_role_definition.test"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceBuiltInRoleDefinition("Owner"),
Check: resource.ComposeTestCheckFunc(
testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),
resource.TestCheckResourceAttrSet(dataSourceName, "description"),
resource.TestCheckResourceAttrSet(dataSourceName, "type"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "*"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "0"),
),
},
},
})
}

func TestAccDataSourceAzureRMBuiltInRoleDefinition_reader(t *testing.T) {
dataSourceName := "data.azurerm_builtin_role_definition.test"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceBuiltInRoleDefinition("Reader"),
Check: resource.ComposeTestCheckFunc(
testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"),
resource.TestCheckResourceAttrSet(dataSourceName, "description"),
resource.TestCheckResourceAttrSet(dataSourceName, "type"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "*/read"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "0"),
),
},
},
})
}

func TestAccDataSourceAzureRMBuiltInRoleDefinition_virtualMachineContributor(t *testing.T) {
dataSourceName := "data.azurerm_builtin_role_definition.test"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccDataSourceBuiltInRoleDefinition("VirtualMachineContributor"),
Check: resource.ComposeTestCheckFunc(
testAzureRMClientConfigAttr(dataSourceName, "id", "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb"),
resource.TestCheckResourceAttrSet(dataSourceName, "description"),
resource.TestCheckResourceAttrSet(dataSourceName, "type"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.#", "17"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.0", "Microsoft.Authorization/*/read"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.actions.15", "Microsoft.Resources/subscriptions/resourceGroups/read"),
resource.TestCheckResourceAttr(dataSourceName, "permissions.0.not_actions.#", "0"),
),
},
},
})
}

func testAccDataSourceBuiltInRoleDefinition(name string) string {
return fmt.Sprintf(`
data "azurerm_builtin_role_definition" "test" {
name = "%s"
}
`, name)
}
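Review bot: Each test pins exact permission contents of a built-in Azure role (`permissions.0.not_actions.#` = "3" for Contributor, `permissions.0.actions.#` = "17" and `permissions.0.actions.15` for VirtualMachineContributor), which belong to Azure rather than to this provider and appear to change over time; these acceptance tests will break on the next role definition update without any provider change. Asserting the stable parts — the ID, that `permissions.#` is "1", and `resource.TestCheckResourceAttrSet` on the action lists — would make the tests less brittle, at the cost of weaker coverage of the flatten helpers. The ID check uses `testAzureRMClientConfigAttr`, which is defined outside this file; if it only wraps `resource.TestCheckResourceAttr`, using that directly would match the other checks in the same ComposeTestCheckFunc.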
File renamed without changes.