Custom resource for Azure PIM role management policies

[thomas11]

About

This PR adds support for Role Management Policies, part of Privileged Identity Management (PIM) in the Microsoft.Authentication namespace. It's one part of #2455.

Note that this is about the ARM part of PIM; there's also a Microsoft Graph API part which is not covered by this provider.

This resource wasn't automatically included because it supports only GET and PATCH. The policies are singletons that cannot be created or deleted, only modified via PATCH.

Implementation

Role Management Policies essentially consist of a name which is actually a GUID, and a list of ~20 rules.

Using our existing singleton support defaults.GetDefaultResourceState was tricky because

1. there are many policies with many rules, for a total of ~300k lines of JSON for a subscription scope, and there are more scopes, plus
2. I believe the defaults can vary per scope and possibly also per customer.

So instead, I've implemented a custom resource that captures the original state of a policy when it's first "created", i.e., added to Pulumi state. When a rule or the whole policy is removed from Pulumi, we look up the original state and re-apply it.

Testing

The e2e/integration test for this resource is special because using PIM requires a paid Entra ID P2 license. We have one that you can see here.

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.

New resources:

• authorization.RoleManagementPolicy

New functions:

• authorization.getRoleManagementPolicy

[codecov]

Codecov Report

Attention: Patch coverage is 67.80488% with 66 lines in your changes missing coverage. Please review.

Project coverage is 57.24%. Comparing base (4c5e043) to head (2843ac9).
Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
...ovider/pkg/resources/customresources/custom_pim.go	67.88%	36 Missing and 8 partials ⚠️
provider/pkg/provider/crud/crud.go	22.22%	7 Missing ⚠️
provider/pkg/openapi/discover.go	0.00%	5 Missing and 1 partial ⚠️
provider/pkg/provider/provider.go	85.00%	4 Missing and 2 partials ⚠️
...r/pkg/resources/customresources/customresources.go	62.50%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3663      +/-   ##
==========================================
+ Coverage   57.03%   57.24%   +0.21%     
==========================================
  Files          79       80       +1     
  Lines       12548    12732     +184     
==========================================
+ Hits         7157     7289     +132     
- Misses       4840     4883      +43     
- Partials      551      560       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[danielrbradley]

Let's open a follow up issue to expand this to capture initial states for all resources to be able to remove the need to manually curate a list of default resource states where there's no delete operation in the spec.

[thomas11]

Let's open a follow up issue to expand this to capture initial states for all resources to be able to remove the need to manually curate a list of default resource states where there's no delete operation in the spec.

#3942

[pulumi-bot]

This PR has been shipped in release v2.87.0.