From 6b91af48110c99276cc3938119fbae7b470b9056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bindewald=2C=20Andr=C3=A9=20=28UIT=29?=
Date: Wed, 17 Jul 2024 13:31:33 +0200
Subject: [PATCH 1/5] fix(resourceArmRoleAssignment): Allow `/providers/Microsoft.Capacity` as `scope` value

---
 internal/services/authorization/role_assignment_resource.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/services/authorization/role_assignment_resource.go b/internal/services/authorization/role_assignment_resource.go
index ea132f2a779e..4d48e415ed9c 100644
--- a/internal/services/authorization/role_assignment_resource.go
+++ b/internal/services/authorization/role_assignment_resource.go
@@ -67,6 +67,9 @@ func resourceArmRoleAssignment() *pluginsdk.Resource {
 				// It seems only user account is allowed to be elevated access.
 				validation.StringMatch(regexp.MustCompile("/providers/Microsoft.Subscription.*"), "Subscription scope is invalid"),
 
+				// This scope is used for the Reservations roles (Reservation Purchaser, Reservation Reader, etc.)
+				validation.StringMatch(regexp.MustCompile("/providers/Micrososoft.Capacity"), "Capacity scope is invalid"),
+
 				billingValidate.EnrollmentID,
 				commonids.ValidateManagementGroupID,
 				commonids.ValidateSubscriptionID,

From 23f7814b34608f8a4362ea27ff6dc0ccde70785f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bindewald=2C=20Andr=C3=A9=20=28UIT=29?=
Date: Wed, 17 Jul 2024 15:58:36 +0200
Subject: [PATCH 2/5] tests(): Added test `TestAccRoleAssignment_capacityProviderScoped`

---
 .../role_assignment_resource_test.go | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/internal/services/authorization/role_assignment_resource_test.go b/internal/services/authorization/role_assignment_resource_test.go
index fe48ab290a1e..5ff4f5000394 100644
--- a/internal/services/authorization/role_assignment_resource_test.go
+++ b/internal/services/authorization/role_assignment_resource_test.go
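Review bot: The added pattern `/providers/Micrososoft.Capacity` is a substring match rather than an exact one: `validation.StringMatch` uses `MatchString`, which is unanchored, and the unescaped `.` matches any character, so any scope string that merely contains that text passes this entry of `validation.Any`. Anchor the start and escape the dot, `validation.StringMatch(regexp.MustCompile("^/providers/Microsoft\\.Capacity$"), "Capacity scope is invalid"),`; whether a trailing `$` or an optional child-scope suffix is right depends on whether scopes beneath the provider are meant to be accepted, which the hunk does not say. The `BillingBenefits` entry added in patch 4 of this series has the same shape and should be anchored the same way. resourceArmRoleAssignment continues outside the hunk.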
@@ -263,6 +263,20 @@ func TestAccRoleAssignment_resourceGroupScoped(t *testing.T) {
 	})
 }
 
+func TestAccRoleAssignment_capacityProviderScoped(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
+	r := RoleAssignmentResource{}
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.capacityProviderScoped(),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("skip_service_principal_aad_check"),
+	})
+}
+
 func (r RoleAssignmentResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := parse.RoleAssignmentID(state.ID)
 	if err != nil {
@@ -627,3 +641,19 @@ resource "azurerm_role_assignment" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary)
 }
+
+func (RoleAssignmentResource) capacityProviderScoped() string {
+	return `
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_client_config" "test" {}
+
+resource "azurerm_role_assignment" "test" {
+  scope = "/providers/Micrososoft.Capacity"
+  role_definition_name = "Reservations Reader"
+  principal_id = data.azurerm_client_config.test.object_id
+}
+`
+}

From 9537a3989209a62d24c9c4c781141ac0436e2eff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bindewald=2C=20Andr=C3=A9=20=28UIT=29?=
Date: Wed, 31 Jul 2024 13:39:57 +0200
Subject: [PATCH 3/5] fix(): typo

---
 internal/services/authorization/role_assignment_resource.go | 2 +-
 .../services/authorization/role_assignment_resource_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/services/authorization/role_assignment_resource.go b/internal/services/authorization/role_assignment_resource.go
index 4d48e415ed9c..d1b3a79c092f 100644
--- a/internal/services/authorization/role_assignment_resource.go
+++ b/internal/services/authorization/role_assignment_resource.go
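Review bot: The config returned by `capacityProviderScoped` carries the same misspelled scope `/providers/Micrososoft.Capacity` as the validator added in patch 1, so this acceptance test cannot catch that typo: the validator accepts the string and the mistake only surfaces as an Azure API error. A unit test that calls the `scope` schema's `ValidateFunc` directly with the intended value and a few near-misses (wrong provider name, a scope that merely contains the text) would pin the validator without any Azure permissions, which matters because patch 5 of this series removes these acceptance tests for lack of permissions. Note also that the config assigns `Reservations Reader` to the identity running the tests (`data.azurerm_client_config.test.object_id`) at what appears to be a tenant-level provider scope, so a failed destroy step leaves that assignment behind rather than a throwaway resource group.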
@@ -68,7 +68,7 @@ func resourceArmRoleAssignment() *pluginsdk.Resource {
 				validation.StringMatch(regexp.MustCompile("/providers/Microsoft.Subscription.*"), "Subscription scope is invalid"),
 
 				// This scope is used for the Reservations roles (Reservation Purchaser, Reservation Reader, etc.)
-				validation.StringMatch(regexp.MustCompile("/providers/Micrososoft.Capacity"), "Capacity scope is invalid"),
+				validation.StringMatch(regexp.MustCompile("/providers/Microsoft.Capacity"), "Capacity scope is invalid"),
 
 				billingValidate.EnrollmentID,
 				commonids.ValidateManagementGroupID,
diff --git a/internal/services/authorization/role_assignment_resource_test.go b/internal/services/authorization/role_assignment_resource_test.go
index 5ff4f5000394..44c33c19d483 100644
--- a/internal/services/authorization/role_assignment_resource_test.go
+++ b/internal/services/authorization/role_assignment_resource_test.go
@@ -651,7 +651,7 @@ provider "azurerm" {
 data "azurerm_client_config" "test" {}
 
 resource "azurerm_role_assignment" "test" {
-  scope = "/providers/Micrososoft.Capacity"
+  scope = "/providers/Microsoft.Capacity"
   role_definition_name = "Reservations Reader"
   principal_id = data.azurerm_client_config.test.object_id
 }

From 02dc009329380b9ac223c8d7a75c13b633f08827 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bindewald=2C=20Andr=C3=A9=20=28UIT=29?=
Date: Wed, 14 Aug 2024 10:27:15 +0200
Subject: [PATCH 4/5] feat(role_assignment_resource): Allow and as scope

---
 .../services/authorization/role_assignment_resource.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/internal/services/authorization/role_assignment_resource.go b/internal/services/authorization/role_assignment_resource.go
index d1b3a79c092f..f80586267fe1 100644
--- a/internal/services/authorization/role_assignment_resource.go
+++ b/internal/services/authorization/role_assignment_resource.go
@@ -62,13 +62,12 @@ func resourceArmRoleAssignment() *pluginsdk.Resource {
 			Required: true,
 			ForceNew: true,
 			ValidateFunc: validation.Any(
-				// Elevated access for a global admin is needed to assign roles in this scope:
+				// Elevated access (aka User Access Administrator role) is needed to assign roles in the following scopes:
 				// https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-cli
-				// It seems only user account is allowed to be elevated access.
+				validation.StringMatch(regexp.MustCompile("/"), "Root scope (/) is invalid"),
 				validation.StringMatch(regexp.MustCompile("/providers/Microsoft.Subscription.*"), "Subscription scope is invalid"),
-
-				// This scope is used for the Reservations roles (Reservation Purchaser, Reservation Reader, etc.)
 				validation.StringMatch(regexp.MustCompile("/providers/Microsoft.Capacity"), "Capacity scope is invalid"),
+				validation.StringMatch(regexp.MustCompile("/providers/Microsoft.BillingBenefits"), "BillingBenefits scope is invalid"),
 
 				billingValidate.EnrollmentID,
 				commonids.ValidateManagementGroupID,

From 6310e4a2319ad3e7a7ab0d217eb9d8b81eab1554 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bindewald=2C=20Andr=C3=A9=20=28UIT=29?=
Date: Wed, 14 Aug 2024 10:33:10 +0200
Subject: [PATCH 5/5] removed tests, as the permissions required for these tests may not be available for all developers

---
 .../role_assignment_resource_test.go | 30 -------------------
 1 file changed, 30 deletions(-)

diff --git a/internal/services/authorization/role_assignment_resource_test.go b/internal/services/authorization/role_assignment_resource_test.go
index 44c33c19d483..fe48ab290a1e 100644
--- a/internal/services/authorization/role_assignment_resource_test.go
+++ b/internal/services/authorization/role_assignment_resource_test.go
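Review bot: `regexp.MustCompile("/")` does not test for the root scope: `validation.StringMatch` matches anywhere in the value, so this entry accepts every string containing a slash, which includes every other scope form, and the remaining validators in `validation.Any` can no longer reject anything. The scope validation becomes a no-op in practice, and misconfigured scopes are only reported by the Azure API at apply time instead of at plan time. The intent is an exact match, `validation.StringMatch(regexp.MustCompile("^/$"), "Root scope (/) is invalid"),`. The new `BillingBenefits` entry is unanchored in the same way and should get `^` and an escaped dot, as should the `Capacity` line it sits next to. resourceArmRoleAssignment continues outside the hunk.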
@@ -263,20 +263,6 @@ func TestAccRoleAssignment_resourceGroupScoped(t *testing.T) {
 	})
 }
 
-func TestAccRoleAssignment_capacityProviderScoped(t *testing.T) {
-	data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
-	r := RoleAssignmentResource{}
-	data.ResourceTest(t, r, []acceptance.TestStep{
-		{
-			Config: r.capacityProviderScoped(),
-			Check: acceptance.ComposeTestCheckFunc(
-				check.That(data.ResourceName).ExistsInAzure(r),
-			),
-		},
-		data.ImportStep("skip_service_principal_aad_check"),
-	})
-}
-
 func (r RoleAssignmentResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := parse.RoleAssignmentID(state.ID)
 	if err != nil {
@@ -641,19 +627,3 @@ resource "azurerm_role_assignment" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary)
 }
-
-func (RoleAssignmentResource) capacityProviderScoped() string {
-	return `
-provider "azurerm" {
-  features {}
-}
-
-data "azurerm_client_config" "test" {}
-
-resource "azurerm_role_assignment" "test" {
-  scope = "/providers/Microsoft.Capacity"
-  role_definition_name = "Reservations Reader"
-  principal_id = data.azurerm_client_config.test.object_id
-}
-`
-}