Handle Error from Get-AzOpsCurrentPrincipal #857

Merged
merged 6 commits into from
Feb 7, 2024
6 changes: 3 additions & 3 deletions src/AzOps.psd1
Expand Up @@ -3,7 +3,7 @@
#
# Generated by: Customer Architecture Team (CAT)
#
# Generated on: 01/26/2024
# Generated on: 2/6/2024
#

@{
Expand Down Expand Up @@ -52,10 +52,10 @@ PowerShellVersion = '7.2'

# Modules that must be imported into the global environment prior to importing this module
RequiredModules = @(@{ModuleName = 'PSFramework'; RequiredVersion = '1.10.318'; },
@{ModuleName = 'Az.Accounts'; RequiredVersion = '2.15.0'; },
@{ModuleName = 'Az.Accounts'; RequiredVersion = '2.15.1'; },
@{ModuleName = 'Az.Billing'; RequiredVersion = '2.0.3'; },
@{ModuleName = 'Az.ResourceGraph'; RequiredVersion = '0.13.0'; },
@{ModuleName = 'Az.Resources'; RequiredVersion = '6.14.0'; })
@{ModuleName = 'Az.Resources'; RequiredVersion = '6.15.0'; })

# Assemblies that must be loaded prior to importing this module
# RequiredAssemblies = @()
16 changes: 14 additions & 2 deletions src/functions/Initialize-AzOpsEnvironment.ps1
Expand Up @@ -124,8 +124,20 @@
}

#region Validate root '/' permissions - different methods of getting current context depending on principalType
$currentPrincipal = Get-AzOpsCurrentPrincipal -AzContext $currentAzContext
$rootPermissions = Get-AzRoleAssignment -ObjectId $currentPrincipal.id -Scope "/" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
try {
$currentPrincipal = Get-AzOpsCurrentPrincipal -AzContext $currentAzContext -ErrorAction Stop
}
catch {
Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.CurrentPrincipal.Fail' -LogStringValues $_
}
if ($currentPrincipal.id) {
try {
$rootPermissions = Get-AzRoleAssignment -ObjectId $currentPrincipal.id -Scope "/" -ErrorAction Stop
}
catch {
Write-AzOpsMessage -LogLevel InternalComment -LogString 'Initialize-AzOpsEnvironment.CurrentPrincipal.RoleAssignmentFail' -LogStringValues $_
}
}

if (-not $rootPermissions) {
Write-AzOpsMessage -LogLevel Important -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoRootPermissions' -LogStringValues $currentAzContext.Account.Id
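Review bot: When Get-AzOpsCurrentPrincipal throws, the new catch only logs a warning, `$currentPrincipal` stays empty, `$rootPermissions` is never assigned, and the unchanged `if (-not $rootPermissions)` below then reports NoRootPermissions and enables partial discovery — a transient Graph/IMDS failure becomes indistinguishable from a genuine lack of root rights, and the message blames Account.Id rather than the real cause. Consider initialising both variables before the try (`$currentPrincipal = $null` and `$rootPermissions = $null`) so a same-named variable in a parent scope cannot be read through by accident, and gating the NoRootPermissions message on `$currentPrincipal.id` having actually been resolved (or emitting the CurrentPrincipal.Fail string at Important level in that path) so operators can tell the two cases apart. The original call also passed `-WarningAction SilentlyContinue` to Get-AzRoleAssignment, which the new call drops, so that cmdlet's warnings will now surface on every run. The enclosing function begins and ends outside the hunk.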
13 changes: 9 additions & 4 deletions src/internal/functions/Get-AzOpsCurrentPrincipal.ps1
Expand Up @@ -21,15 +21,20 @@

switch ($AzContext.Account.Type) {
'User' {
$principalObject = (Invoke-AzRestMethod -Uri https://graph.microsoft.com/v1.0/me).Content | ConvertFrom-Json
$restMethodResult = Invoke-AzRestMethod -Uri https://graph.microsoft.com/v1.0/me -ErrorAction Stop
if ($restMethodResult) {
$principalObject = $restMethodResult.Content | ConvertFrom-Json -ErrorAction Stop
}
}
'ManagedService' {
# Get managed identity application id via IMDS (https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token)
$applicationId = (Invoke-RestMethod -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2021-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" -Headers @{ Metadata = $true }).client_id
$principalObject = Get-AzADServicePrincipal -ApplicationId $applicationId
$restMethodResult = Invoke-RestMethod -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2021-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" -Headers @{ Metadata = $true } -ErrorAction Stop
if ($restMethodResult.client_id) {
$principalObject = Get-AzADServicePrincipal -ApplicationId $restMethodResult.client_id -ErrorAction Stop
}
}
default {
$principalObject = Get-AzADServicePrincipal -ApplicationId $AzContext.Account.Id
$principalObject = Get-AzADServicePrincipal -ApplicationId $AzContext.Account.Id -ErrorAction Stop
}
}
Write-AzOpsMessage -LogLevel InternalComment -LogString 'Get-AzOpsCurrentPrincipal.PrincipalId' -LogStringValues $principalObject.Id
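Review bot: In the 'User' branch the `if ($restMethodResult)` guard does not catch HTTP failures, because Invoke-AzRestMethod (to my recollection) returns the response object for non-2xx replies rather than throwing, so a 401/403 from Graph still passes the check, its error body is parsed by ConvertFrom-Json, and `$principalObject.Id` ends up empty without any error reaching the caller's catch. Check the status explicitly, `if ($restMethodResult.StatusCode -eq 200) {`, and otherwise throw or log the StatusCode and Content so the caller's failure path actually fires. In the 'ManagedService' branch the full IMDS token response, including access_token, is now held in `$restMethodResult` for the rest of the function where the old code kept only client_id; extracting it immediately, e.g. `$applicationId = (Invoke-RestMethod ... -ErrorAction Stop).client_id`, keeps the token out of a long-lived local. The function's declaration and its return are outside the hunk.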
2 changes: 2 additions & 0 deletions src/localized/en-us/Strings.psd1
Expand Up @@ -151,6 +151,8 @@
'Initialize-AzOpsEnvironment.AzureContext.No' = 'No context available in Az PowerShell. Please use Connect-AzAccount and connect before using the command' #
'Initialize-AzOpsEnvironment.AzureContext.TooMany' = 'Unsupported number of tenants in context: {0} TenantIDs TenantIDs: {1} Please reconnect with Connect-AzAccount using an account/service principal that only have access to one tenant' # $azContextTenants.Count, ($azContextTenants -join ',')
'Initialize-AzOpsEnvironment.Initializing' = 'Starting AzOps environment initialization' #
'Initialize-AzOpsEnvironment.CurrentPrincipal.Fail' = 'Identifying current principal failed with: {0}' # $_
'Initialize-AzOpsEnvironment.CurrentPrincipal.RoleAssignmentFail' = 'Identifying current principal root scope "/" roleAssignment failed with: {0}' # $_
'Initialize-AzOpsEnvironment.ManagementGroup.Expanding' = 'Expanding management groups under {0}' # $mgmtGroup.Name
'Initialize-AzOpsEnvironment.ManagementGroup.NoRootPermissions' = 'Principal {0} does not have permissions under / in tenant, enabling partial discovery' # $currentAzContext.Account.Id
'Initialize-AzOpsEnvironment.ManagementGroup.PartialDiscovery' = 'Executing partial discovery' #
Expand Up @@ -63,7 +63,7 @@ Describe "Scenario - connections" {
It "Deployment should be successful" {
$script:functionalTestDeploy.ProvisioningState | Should -Be "Succeeded"
}
It "Resource properties sharedKey should exist" {
It "Resource properties sharedKey should exist" -Skip {
$script:fileContents.resources[0].properties.sharedKey | Should -BeTrue
}
#endregion Pull Test
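Review bot: The `-Skip` added to the "Resource properties sharedKey should exist" test disables the assertion without recording why, so the skip is likely to outlive whatever condition motivated it; the file section's header is not visible in this view, so I cannot tell which test file this is. Leave a comment on the line above it, such as `# TODO(<owner>): skipped on <date> because <reason>; re-enable when <condition>`, or use Set-ItResult -Skipped -Because inside the test body so the reason shows up in the Pester output. The surrounding Describe block begins and ends outside the hunk.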