Fix regression of #538 (#773)

* UpdateWithUAM * Update * Update
Azure · Mar 14, 2023 · 984cdd1 · 984cdd1
1 parent c15137e
commit 984cdd1
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/src/data/template/Microsoft.Authorization/policyAssignments.jq b/src/data/template/Microsoft.Authorization/policyAssignments.jq
@@ -1 +1,2 @@
+if .identity.userAssignedIdentities != null then del(.identity.userAssignedIdentities[].principalId, .identity.userAssignedIdentities[].clientId, .identity.tenantId, .identity.principalId) else . end |
 del(.ResourceId, .resourceGroup, .subscriptionId, .properties.metadata.createdOn, .properties.metadata.updatedOn, .properties.metadata.createdBy, .properties.metadata.createdBy, .properties.metadata.updatedBy, .properties.metadata.assignedBy)
diff --git a/src/tests/integration/Repository.Tests.ps1 b/src/tests/integration/Repository.Tests.ps1
@@ -67,6 +67,7 @@ Describe "Repository" {
         try {
             New-AzSubscriptionDeployment -Name 'AzOps-Tests-rbacdep' -Location northeurope -TemplateFile "$($global:testRoot)/templates/rbactest.bicep" -TemplateParameterFile "$($global:testRoot)/templates/rbactest.parameters.json"
             New-AzManagementGroupDeployment @params
+            New-AzResourceGroupDeployment -Name 'AzOps-Tests-policyuam' -ResourceGroupName App1-azopsrg -TemplateFile "$($global:testRoot)/templates/policywithuam.bicep"
             # Pause for resource consistency
             Start-Sleep -Seconds 120
         }
@@ -123,6 +124,7 @@ Describe "Repository" {
             $script:policyAssignments = Get-AzPolicyAssignment -Name "TestPolicyAssignment" -Scope "/providers/Microsoft.Management/managementGroups/$($script:managementManagementGroup.Name)"
             $script:policyAssignmentsDep = Get-AzPolicyAssignment -Name "AzOpsDep2 - audit-vm-manageddisks"
             $script:policyAssignmentsDep2 = Get-AzPolicyAssignment -Name "TestPolicyAssignment2" -Scope "/subscriptions/$script:subscriptionId/resourceGroups/Lock2-azopsrg"
+            $script:policyAssignmentsUam = Get-AzPolicyAssignment -Name "TestPolicyAssignmentWithUAM" -Scope "/subscriptions/$script:subscriptionId/resourceGroups/App1-azopsrg"
             $script:policyDefinitions = Get-AzPolicyDefinition -Name 'TestPolicyDefinition' -ManagementGroupName $($script:testManagementGroup.Name)
             $script:policyDefinitionsDep = Get-AzPolicyDefinition -Name 'TestPolicyDefinitionDep' -ManagementGroupName $($script:testManagementGroup.Name)
             $script:policyDefinitionsDep2 = Get-AzPolicyDefinition -Name 'TestPolicyDefinitionDe2' -ManagementGroupName $($script:testManagementGroup.Name)
@@ -234,6 +236,12 @@ Describe "Repository" {
         $script:policyAssignmentsDep2DeploymentName = "AzOps-{0}-{1}" -f $($script:policyAssignmentsDep2Path.Name.Replace(".json", '')).Substring(0, 53), $deploymentLocationId
         Write-PSFMessage -Level Debug -Message "PolicyAssignmentsFile: $($script:policyAssignmentsDep2File)" -FunctionName "BeforeAll"
 
+        $script:policyAssignmentsUamPath = ($filePaths | Where-Object Name -eq "microsoft.authorization_policyassignments-$(($script:policyAssignmentsUam.Name).toLower()).json")
+        $script:policyAssignmentsUamDirectory = ($script:policyAssignmentsUamPath).Directory
+        $script:policyAssignmentsUamFile = ($script:policyAssignmentsUamPath).FullName
+        $script:policyAssignmentsUamDeploymentName = "AzOps-{0}-{1}" -f $($script:policyAssignmentsUamPath.Name.Replace(".json", '')).Substring(0, 53), $deploymentLocationId
+        Write-PSFMessage -Level Debug -Message "PolicyAssignmentsFile: $($script:policyAssignmentsUamFile)" -FunctionName "BeforeAll"
+
         $script:policyDefinitionsPath = ($filePaths | Where-Object Name -eq "microsoft.authorization_policydefinitions-$(($script:policyDefinitions.Name).toLower()).parameters.json")
         $script:policyDefinitionsDirectory = ($script:policyDefinitionsPath).Directory
         $script:policyDefinitionsFile = ($script:policyDefinitionsPath).FullName
@@ -321,6 +329,7 @@ Describe "Repository" {
         $changeSet = @(
             "A`t$script:testManagementGroupFile",
             "A`t$script:policyAssignmentsFile",
+            "A`t$script:policyAssignmentsUamFile",
             "A`t$script:policyDefinitionsFile",
             "A`t$script:policySetDefinitionsFile",
             "A`t$script:policyExemptionsFile",
@@ -619,6 +628,43 @@ Describe "Repository" {
         }
         #endregion
 
+        #region Scope = Policy Assignments with UAM - Resource Group (./root/tenant root group/test/platform/management/subscription-0/App1-azopsrg)
+        It "Policy Assignments with UAM directory should exist" {
+            Test-Path -Path $script:policyAssignmentsUamDirectory | Should -BeTrue
+        }
+        It "Policy Assignments with UAM file should exist" {
+            Test-Path -Path $script:policyAssignmentsUamFile | Should -BeTrue
+        }
+        It "Policy Assignments with UAM resource type should exist" {
+            $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+            $fileContents.resources[0].type | Should -BeTrue
+        }
+        It "Policy Assignments with UAM resource name should exist" {
+            $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+            $fileContents.resources[0].name | Should -BeTrue
+        }
+        It "Policy Assignments with UAM resource apiVersion should exist" {
+            $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+            $fileContents.resources[0].apiVersion | Should -BeTrue
+        }
+        It "Policy Assignments with UAM resource properties should exist" {
+            $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+            $fileContents.resources[0].properties | Should -BeTrue
+        }
+        It "Policy Assignments with UAM resource type should match" {
+            $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+            $fileContents.resources[0].type | Should -Be "Microsoft.Authorization/policyAssignments"
+        }
+        It "Policy Assignments with UAM scope property should match" {
+            $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+            $fileContents.resources[0].identity.userAssignedIdentities | Should -BeTrue
+        }
+        It "Policy Assignments with UAM deployment should be successful" {
+            $script:policyAssignmentUamDeployment = Get-AzResourceGroupDeployment -Name $script:policyAssignmentsUamDeploymentName -ResourceGroupName $script:policyAssignmentsUam.ResourceGroupName
+            $policyAssignmentUamDeployment.ProvisioningState | Should -Be "Succeeded"
+        }
+        #endregion
+
         #region Scope = PolicyDefinition (./root/tenant root group/test/PolicyDefinition)
         It "Policy Definitions directory should exist" {
             Test-Path -Path $script:policyDefinitionsDirectory | Should -BeTrue

diff --git a/src/tests/templates/policywithuam.bicep b/src/tests/templates/policywithuam.bicep
@@ -0,0 +1,25 @@
+param policyAssignmentName string = 'TestPolicyAssignmentWithUAM'
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df'
+param location string = resourceGroup().location
+param uamName string = 'TestAzOpsUAM'
+
+targetScope = 'resourceGroup'
+
+resource uam 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+    name: uamName
+    location: location
+}
+
+resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
+    name: policyAssignmentName
+    location: location
+    identity: {
+        type: 'UserAssigned'
+        userAssignedIdentities: {
+            '${uam.id}': {}
+        }
+    }
+    properties: {
+        policyDefinitionId: policyDefinitionID
+    }
+}
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		if .identity.userAssignedIdentities != null then del(.identity.userAssignedIdentities[].principalId, .identity.userAssignedIdentities[].clientId, .identity.tenantId, .identity.principalId) else . end \|
		del(.ResourceId, .resourceGroup, .subscriptionId, .properties.metadata.createdOn, .properties.metadata.updatedOn, .properties.metadata.createdBy, .properties.metadata.createdBy, .properties.metadata.updatedBy, .properties.metadata.assignedBy)