From 984cdd1eeca80a66cdd20ec4394119e405d53a24 Mon Sep 17 00:00:00 2001
From: Jesper Fajers
Date: Tue, 14 Mar 2023 12:31:22 +0100
Subject: [PATCH] Fix regression of #538 (#773)
* UpdateWithUAM
* Update
* Update
---
 .../policyAssignments.jq | 1 +
 src/tests/integration/Repository.Tests.ps1 | 46 +++++++++++++++++++
 src/tests/templates/policywithuam.bicep | 25 ++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 src/tests/templates/policywithuam.bicep
diff --git a/src/data/template/Microsoft.Authorization/policyAssignments.jq b/src/data/template/Microsoft.Authorization/policyAssignments.jq
index 61349ed8..4129ef66 100644
--- a/src/data/template/Microsoft.Authorization/policyAssignments.jq
+++ b/src/data/template/Microsoft.Authorization/policyAssignments.jq
@@ -1 +1,2 @@
+if .identity.userAssignedIdentities != null then del(.identity.userAssignedIdentities[].principalId, .identity.userAssignedIdentities[].clientId, .identity.tenantId, .identity.principalId) else . end |
 del(.ResourceId, .resourceGroup, .subscriptionId, .properties.metadata.createdOn, .properties.metadata.updatedOn, .properties.metadata.createdBy, .properties.metadata.createdBy, .properties.metadata.updatedBy, .properties.metadata.assignedBy)
\ No newline at end of file
diff --git a/src/tests/integration/Repository.Tests.ps1 b/src/tests/integration/Repository.Tests.ps1
index 26ecce4a..8a5704ea 100644
--- a/src/tests/integration/Repository.Tests.ps1
+++ b/src/tests/integration/Repository.Tests.ps1
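Review bot: The new guard strips `.identity.principalId` and `.identity.tenantId` only when `userAssignedIdentities` is non-null, so a SystemAssigned-only assignment (principalId/tenantId set, no userAssignedIdentities) falls through `else .` with those read-only values still in the exported template; confirm that asymmetry is intended, since only the `[]` iteration needs the null check. A jq `#` comment above the new line would record why the branch exists: `# userAssignedIdentities[] fails on null, so the read-only principalId/clientId/tenantId are stripped only when a user-assigned identity is present`.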
@@ -67,6 +67,7 @@ Describe "Repository" {
 try {
 New-AzSubscriptionDeployment -Name 'AzOps-Tests-rbacdep' -Location northeurope -TemplateFile "$($global:testRoot)/templates/rbactest.bicep" -TemplateParameterFile "$($global:testRoot)/templates/rbactest.parameters.json"
 New-AzManagementGroupDeployment @params
+ New-AzResourceGroupDeployment -Name 'AzOps-Tests-policyuam' -ResourceGroupName App1-azopsrg -TemplateFile "$($global:testRoot)/templates/policywithuam.bicep"
 # Pause for resource consistency
 Start-Sleep -Seconds 120
 }
@@ -123,6 +124,7 @@ Describe "Repository" {
 $script:policyAssignments = Get-AzPolicyAssignment -Name "TestPolicyAssignment" -Scope "/providers/Microsoft.Management/managementGroups/$($script:managementManagementGroup.Name)"
 $script:policyAssignmentsDep = Get-AzPolicyAssignment -Name "AzOpsDep2 - audit-vm-manageddisks"
 $script:policyAssignmentsDep2 = Get-AzPolicyAssignment -Name "TestPolicyAssignment2" -Scope "/subscriptions/$script:subscriptionId/resourceGroups/Lock2-azopsrg"
+ $script:policyAssignmentsUam = Get-AzPolicyAssignment -Name "TestPolicyAssignmentWithUAM" -Scope "/subscriptions/$script:subscriptionId/resourceGroups/App1-azopsrg"
 $script:policyDefinitions = Get-AzPolicyDefinition -Name 'TestPolicyDefinition' -ManagementGroupName $($script:testManagementGroup.Name)
 $script:policyDefinitionsDep = Get-AzPolicyDefinition -Name 'TestPolicyDefinitionDep' -ManagementGroupName $($script:testManagementGroup.Name)
 $script:policyDefinitionsDep2 = Get-AzPolicyDefinition -Name 'TestPolicyDefinitionDe2' -ManagementGroupName $($script:testManagementGroup.Name)
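Review bot: The added `New-AzResourceGroupDeployment` call has no `-ErrorAction Stop`, so unless the file sets `$ErrorActionPreference` (not visible here) a failed fixture deployment is a non-terminating error and the `try` block continues into the 120-second sleep, leaving the later UAM lookups in the `-123` hunk and the BeforeAll path resolution to fail with less direct messages; the `try`/`catch` enclosing it starts and ends outside this hunk. The sibling deployment lines above it follow the same pattern, so if it is changed it should be for all three, e.g. `New-AzResourceGroupDeployment -Name 'AzOps-Tests-policyuam' -ResourceGroupName App1-azopsrg -TemplateFile "$($global:testRoot)/templates/policywithuam.bicep" -ErrorAction Stop`. The resource group name `App1-azopsrg` is now hard-coded both here and in the `Get-AzPolicyAssignment -Scope` line of the next hunk; a one-line comment at the deployment noting that the two must match would help the next edit keep them in step.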
@@ -234,6 +236,12 @@ Describe "Repository" {
 $script:policyAssignmentsDep2DeploymentName = "AzOps-{0}-{1}" -f $($script:policyAssignmentsDep2Path.Name.Replace(".json", '')).Substring(0, 53), $deploymentLocationId
 Write-PSFMessage -Level Debug -Message "PolicyAssignmentsFile: $($script:policyAssignmentsDep2File)" -FunctionName "BeforeAll"
+ $script:policyAssignmentsUamPath = ($filePaths | Where-Object Name -eq "microsoft.authorization_policyassignments-$(($script:policyAssignmentsUam.Name).toLower()).json")
+ $script:policyAssignmentsUamDirectory = ($script:policyAssignmentsUamPath).Directory
+ $script:policyAssignmentsUamFile = ($script:policyAssignmentsUamPath).FullName
+ $script:policyAssignmentsUamDeploymentName = "AzOps-{0}-{1}" -f $($script:policyAssignmentsUamPath.Name.Replace(".json", '')).Substring(0, 53), $deploymentLocationId
+ Write-PSFMessage -Level Debug -Message "PolicyAssignmentsFile: $($script:policyAssignmentsUamFile)" -FunctionName "BeforeAll"
+
 $script:policyDefinitionsPath = ($filePaths | Where-Object Name -eq "microsoft.authorization_policydefinitions-$(($script:policyDefinitions.Name).toLower()).parameters.json")
 $script:policyDefinitionsDirectory = ($script:policyDefinitionsPath).Directory
 $script:policyDefinitionsFile = ($script:policyDefinitionsPath).FullName
@@ -321,6 +329,7 @@ Describe "Repository" {
 $changeSet = @(
 "A`t$script:testManagementGroupFile",
 "A`t$script:policyAssignmentsFile",
+ "A`t$script:policyAssignmentsUamFile",
 "A`t$script:policyDefinitionsFile",
 "A`t$script:policySetDefinitionsFile",
 "A`t$script:policyExemptionsFile",
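Review bot: If the pull did not produce the UAM assignment file, `$script:policyAssignmentsUamPath` is `$null`, the `.Directory` and `.FullName` reads silently yield `$null`, and the first hard failure is the `.Name.Replace(...)` call on the `DeploymentName` line, which reports a null-method error that does not name the missing file and takes every test in the `Describe` down with the `BeforeAll`. The four new lines mirror the `Dep2` lines above them, so this is the file's existing shape; a guard right after the `Where-Object` line would at least make the failure self-describing: `if (-not $script:policyAssignmentsUamPath) { throw "Pulled file for $($script:policyAssignmentsUam.Name) not found in filePaths" }`. The debug message on the new `Write-PSFMessage` line reuses the `PolicyAssignmentsFile:` label of the `Dep2` line; a distinct label such as `PolicyAssignmentsUamFile:` would make the debug log unambiguous.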
@@ -619,6 +628,43 @@ Describe "Repository" {
 }
 #endregion
+ #region Scope = Policy Assignments with UAM - Resource Group (./root/tenant root group/test/platform/management/subscription-0/App1-azopsrg)
+ It "Policy Assignments with UAM directory should exist" {
+ Test-Path -Path $script:policyAssignmentsUamDirectory | Should -BeTrue
+ }
+ It "Policy Assignments with UAM file should exist" {
+ Test-Path -Path $script:policyAssignmentsUamFile | Should -BeTrue
+ }
+ It "Policy Assignments with UAM resource type should exist" {
+ $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+ $fileContents.resources[0].type | Should -BeTrue
+ }
+ It "Policy Assignments with UAM resource name should exist" {
+ $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+ $fileContents.resources[0].name | Should -BeTrue
+ }
+ It "Policy Assignments with UAM resource apiVersion should exist" {
+ $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+ $fileContents.resources[0].apiVersion | Should -BeTrue
+ }
+ It "Policy Assignments with UAM resource properties should exist" {
+ $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+ $fileContents.resources[0].properties | Should -BeTrue
+ }
+ It "Policy Assignments with UAM resource type should match" {
+ $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+ $fileContents.resources[0].type | Should -Be "Microsoft.Authorization/policyAssignments"
+ }
+ It "Policy Assignments with UAM scope property should match" {
+ $fileContents = Get-Content -Path $script:policyAssignmentsUamFile -Raw | ConvertFrom-Json -Depth 25
+ $fileContents.resources[0].identity.userAssignedIdentities | Should -BeTrue
+ }
+ It "Policy Assignments with UAM deployment should be successful" {
+ $script:policyAssignmentUamDeployment = Get-AzResourceGroupDeployment -Name $script:policyAssignmentsUamDeploymentName -ResourceGroupName $script:policyAssignmentsUam.ResourceGroupName
+ $policyAssignmentUamDeployment.ProvisioningState | Should -Be "Succeeded"
+ }
+ #endregion
+
 #region Scope = PolicyDefinition (./root/tenant root group/test/PolicyDefinition)
 It "Policy Definitions directory should exist" {
 Test-Path -Path $script:policyDefinitionsDirectory | Should -BeTrue
diff --git a/src/tests/templates/policywithuam.bicep b/src/tests/templates/policywithuam.bicep
new file mode 100644
index 00000000..abb477dd
--- /dev/null
+++ b/src/tests/templates/policywithuam.bicep
@@ -0,0 +1,25 @@
+param policyAssignmentName string = 'TestPolicyAssignmentWithUAM'
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df'
+param location string = resourceGroup().location
+param uamName string = 'TestAzOpsUAM'
+
+targetScope = 'resourceGroup'
+
+resource uam 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: uamName
+ location: location
+}
+
+resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
+ name: policyAssignmentName
+ location: location
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${uam.id}': {}
+ }
+ }
+ properties: {
+ policyDefinitionId: policyDefinitionID
+ }
+}
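Review bot: In the "deployment should be successful" test the result is assigned to `$script:policyAssignmentUamDeployment` but the assertion reads the unscoped `$policyAssignmentUamDeployment`; the read presumably resolves up the scope chain, but the two names should agree, e.g. `$script:policyAssignmentUamDeployment.ProvisioningState | Should -Be "Succeeded"`, or drop `$script:` from the assignment, whichever the file's other deployment tests (outside this hunk) use. The title "scope property should match" does not describe its assertion, which only checks that `identity.userAssignedIdentities` is truthy; `It "Policy Assignments with UAM identity userAssignedIdentities should exist"` would follow the naming of the tests above it. Since the jq change in this commit exists to drop the read-only identity values from the pulled file, none of these tests pins that; two negative assertions in the same test would: `$fileContents.resources[0].identity.principalId | Should -BeNullOrEmpty` and `$fileContents.resources[0].identity.userAssignedIdentities.PSObject.Properties.Value.principalId | Should -BeNullOrEmpty`.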
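Review bot: The four parameters carry no `@description()` decorators, so a reader has to infer that `policyDefinitionID` expects a full policy definition resource ID and that `uamName` names the identity the assignment is bound to; `@description('Resource ID of the policy definition to assign')` above `param policyDefinitionID` and one-line equivalents for the other three would document the fixture. The `ID` suffix on that parameter also differs from the `Id` casing of `policyDefinitionId` on the resource body, so `policyDefinitionId` for the parameter name would keep a single spelling. A short header comment stating that this template only exists to exercise the pull of a user-assigned identity assignment in Repository.Tests.ps1 would tell a later maintainer why the identity is created without any role assignment.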