Add AzureRM Privileged Identity Management to Provider #2455
Comments
Hi @phantlantis - thank you for bringing this to our attention! This is due to Azure's API specs neither defining an endpoint to
From there, a simple We'll get this queued up when we can, but if there are any enterprising souls out there, that would be the desired starting point. Thank you again!
I just spent a couple of hours looking into this under-documented API and I’m afraid it’s a size L task. I don’t think our existing "reset to default state" mechanism actually applies here.
The way to support both would be through custom resources. RoleEligibilityScheduleRequests would be pretty simple, we'd only need to override DELETE and replace it with a PUT request. RoleManagementPolicies would probably require custom-implementing all CRUD methods since it has weird semantics. I don't even know what its DELETE method really does since there's no creation of this resource and no PUT. Another complication is that we cannot simply try the API to see how it behaves until we get the required "AAD Premium 2" license.
I take that back, since its PUT endpoint is only for creation, not for updates, so those would be custom.
## About

This PR adds support for [Role Management Policies](https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-policy-rest-sample), part of [Privileged Identity Management (PIM)](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure) in the Microsoft.Authentication namespace. It's one part of #2455. Note that this is about the ARM part of PIM; there's also a Microsoft Graph API part which is not covered by this provider.

This resource wasn't automatically included because it supports only GET and PATCH. The policies are singletons that cannot be created or deleted, only modified via PATCH.

## Implementation

Role Management Policies essentially consist of a name, which is actually a GUID, and a list of ~20 rules. Using our existing singleton support `defaults.GetDefaultResourceState` was tricky because

1. there are many policies with many rules, for a total of ~300k lines of JSON for a subscription scope, and there are more scopes, plus
2. I believe the defaults can vary per scope and possibly also per customer.

So instead, I've implemented a custom resource that captures the original state of a policy when it's first "created", i.e., added to Pulumi state. When a rule or the whole policy is removed from Pulumi, we look up the original state and re-apply it.

## Testing

The e2e/integration test for this resource is special because using PIM requires a paid [Entra ID P2 license](https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing). We have one that you can see [here](https://admin.microsoft.com/Adminportal/Home?referrer=entra#/licensedetailpage/84a661c4-e949-4bd2-a560-ed7766fcaf2b).
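The capture-and-restore lifecycle described under Implementation, as an added example that is not the provider's own code: `PolicyClient` is an assumed minimal interface with only the GET and PATCH the API offers, `Create` snapshots the live policy before patching it, `Delete` re-applies the snapshot instead of deleting (and refuses if no snapshot exists), and `FakeClient` is a constructed in-memory stand-in. The rule names in the sample JSON are illustrative.

```go
package main

import "encoding/json"
import "fmt"

// PolicyClient: the Role Management Policy API exposes only GET and PATCH (assumed minimal interface).
type PolicyClient interface {
	Get(id string) (json.RawMessage, error)
	Patch(id string, body json.RawMessage) error
}
// PolicyState is what Pulumi keeps: the desired rules plus a snapshot of the policy before Pulumi touched it.
type PolicyState struct {
	ID              string
	Rules, Original json.RawMessage
}
// Create snapshots the live policy first, then applies the desired rules.
func Create(c PolicyClient, id string, rules json.RawMessage) (*PolicyState, error) {
	orig, err := c.Get(id)
	if err != nil {
		return nil, fmt.Errorf("snapshot of %s failed: %w", id, err)
	}
	if err := c.Patch(id, rules); err != nil {
		return nil, err
	}
	return &PolicyState{ID: id, Rules: rules, Original: orig}, nil
}

// Delete cannot remove a singleton; it re-applies the snapshot so a control relaxed by Pulumi (e.g. MFA on activation) is restored.
func Delete(c PolicyClient, st *PolicyState) error {
	if len(st.Original) == 0 {
		return fmt.Errorf("policy %s: no original state captured, refusing to delete", st.ID)
	}
	return c.Patch(st.ID, st.Original)
}

// FakeClient is a constructed in-memory stand-in for the ARM endpoint.
type FakeClient map[string]json.RawMessage
func (f FakeClient) Get(id string) (json.RawMessage, error) {
	if p, ok := f[id]; ok {
		return p, nil
	}
	return nil, fmt.Errorf("policy %s not found", id)
}
func (f FakeClient) Patch(id string, body json.RawMessage) error { f[id] = body; return nil }
func main() { // constructed sample: activation requires MFA, Pulumi drops it, then the resource is "deleted"
	c := FakeClient{"p1": json.RawMessage(`{"rules":[{"id":"Enablement_EndUser_Assignment","enabledRules":["MultiFactorAuthentication"]}]}`)}
	st, _ := Create(c, "p1", json.RawMessage(`{"rules":[{"id":"Enablement_EndUser_Assignment","enabledRules":[]}]}`))
	_ = Delete(c, st)
	fmt.Println(string(c["p1"])) // the MFA requirement is back
}
```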
We just released v2.87 of the provider which adds support for Role Management Policies via the authorization.RoleManagementPolicy resource. Role Eligibility Schedules are in progress.
Resolves #2455 - add support for PIM (Privileged Identity Management) Role Eligibility Schedules.

- [Azure docs](https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-eligibility-rest-sample)
- [Spec](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/authorization/resource-manager/Microsoft.Authorization/stable/2020-10-01)

This API has some peculiarities that required writing a custom resource:

1. It's divided into schedules and schedule requests (an endpoint `/roleEligibilityScheduleRequests`, not HTTP requests). Requests are created to create and also delete schedules; there's no DELETE endpoint. Requests are short-lived but can require approval.
2. Because of this duality where two types are used, schedule and schedule request, I extended custom resources with the ability to derive their schema from type A in the spec but define a different resource name B. We want the resource to be named `...Schedule` but need the `...ScheduleRequest` types.
3. While a schedule request is pending, a `/cancel` endpoint is used to delete the request.
4. Both schedules and schedule requests cannot be modified; new ones must be created instead. This isn't properly annotated in the spec, though. The SDKs are correct in that they don't offer update operations.

I tried to comment the code pretty well, please refer to the Godoc comments for more in-depth information.
Issue details
Hello! Looking through the available resources, one set that is missing that could be majorly helpful is the Privileged Identity Management endpoint (the ones specifically for ARM, not the ones for Graph).
These currently sit under the Microsoft.Authorization namespace - the ones I'm specifically hoping for are:
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{roleEligibilityScheduleRequestName}
as documented here. Furthermore, the role management policies that govern PIM activation on each resource scope:
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleManagementPolicies/{roleManagementPolicyId}?api-version=2020-10-01
as documented here.

Affected area/feature
Likely the authorization section of the SDKs as a new resource.
Thanks!