Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PSRule 'Microsoft.Authorization/roleAssignments' is missing type 'properties.principalType' #1819

Closed
lassehastrup opened this issue May 16, 2024 · 3 comments
Labels
bug Something isn't working downstream An issue for downstream tracking of PSRule repositories

Comments

@lassehastrup
Copy link

Description of the issue

Using a custom rule of type 'Microsoft.Authorization/roleAssignments' with a condition that specifies that the field: 'properties.principalType' should be equal to 'xyz' we receive an error that the property does not exist.

However, when specifying the 'properties.PrincipalType' in a bicep file, and running the custom rule, everything works as expected. So it seems to only be an issue when the bicep property is not set.

To Reproduce

Steps to reproduce the issue:

PSRule rule:

---
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
recommend: "roleAssignments principalType should be set to ServicePrincipal or Group."
metadata:
  name: "Local.YAML.roleAssignments.principalType"
spec:
  type:
    - Microsoft.Authorization/roleAssignments
  condition:
    anyOf:
      - field: 'properties.principalType'
        equals: 'c3666e92-27d3-4fa3-bfa3-38ddd4d57559'

Bicep file:

param PrincipalObjectId string

resource roleAssignmentPatchManagement 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('7a2fd238-abbc-4cd9-b22b-09391bef7bbb')
  properties: {
    principalId: PrincipalObjectId
    roleDefinitionId: guid('b24988ac-6180-42a0-ab88-20f7382dd24c')
  }
}

Error output

Reason:
  - Path properties.principalType: The field 'properties.principalType' does not exist.

When adding the properties.PrincipalType to the bicep file:

param PrincipalObjectId string
resource roleAssignmentPatchManagement 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('7a2fd238-abbc-4cd9-b22b-09391bef7bbb')
  properties: {
    principalId: PrincipalObjectId
    roleDefinitionId: guid('b24988ac-6180-42a0-ab88-20f7382dd24c')
    principalType: 'ServicePrincipal'
  }
}

Everything works as expected.

Expected behaviour

As the property clearly exist in bicep, as is working as expected in ARM, we had hoped that PSRule would process the property correctly even when the property is not set in the bicep file.

Module in use and version:

  • Module: PSRule
  • Version: [2.9.0]

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Darwin 23.4.0 Darwin Kernel Version 23.4.0: Fri Mar 15 00:10:42 PDT 2024; root:xnu-10063.101.17~1/RELEASE_ARM64_T6000
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context

@BernieWhite
Copy link
Member

@lassehastrup Thanks for reporting the issue. Let me see if I understand the issue correctly.

  • When testing a Microsoft.Authorization/roleAssignments resource you get a failure with reason Path properties.principalType: The field 'properties.principalType' does not exist. if the property is not set in Bicep.
  • However properties.principalType defaults to ServicePrincipal when not set so the reason The field 'properties.principalType' does not exist. is unexpected.

Have I understood the issue correctly?

@BernieWhite BernieWhite added bug Something isn't working downstream An issue for downstream tracking of PSRule repositories labels May 16, 2024
@lassehastrup
Copy link
Author

lassehastrup commented May 16, 2024

Hi @BernieWhite ,

The default value of properties.principalType is default 'user' according to this documentation:

https://learn.microsoft.com/en-us/rest/api/authorization/role-assignments/create-by-id?view=rest-authorization-2022-04-01&tabs=HTTP#roleassignment

You understood the issue correctly

@BernieWhite
Copy link
Member

@lassehastrup This should be fixed in PSRule for Azure v1.40.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working downstream An issue for downstream tracking of PSRule repositories
Projects
None yet
Development

No branches or pull requests

2 participants