functions/roleManagement/roleManagementPolicies/Test-AzurePIMroleManagementPolicy.ps1
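function Test-AzurePIMroleManagementPolicy {
    <#
    .SYNOPSIS
    Test desired configuration against a Tenant.

    .DESCRIPTION
    Compare current configuration of a resource type with the desired configuration.
    Return a result object with the required changes and actions.

    For every "roleManagementPolicies" definition in $script:desiredConfiguration the function
    resolves the subscription and role, looks up the PIM role management policy assigned to that
    role at the requested scope (subscription, resourceGroup or resource) and compares the
    policy rules against the rules of the referenced rule template.

    .PARAMETER Cmdlet
    The calling cmdlet. Used to raise a terminating error when the policy lookup is ambiguous.

    .OUTPUTS
    One result object per definition, created by New-TestResult.
    #>
    [CmdletBinding()]
    Param (
        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )

    begin {
        $resourceName = "roleManagementPolicies"
        Test-AzureConnection

        # The ARM token is materialised as plain text because it is sent as a literal
        # Authorization header. It lives only in this function scope and is never logged.
        # NOTE(review): on PowerShell 7 the secure string could be passed directly with
        # 'Invoke-RestMethod -Authentication Bearer -Token $secureStringToken' instead —
        # confirm the module's minimum PowerShell version before switching.
        $secureStringToken = (Get-AzAccessToken -AsSecureString -ResourceUrl $script:apiBaseUrl).Token
        $token = [System.Net.NetworkCredential]::new('', $secureStringToken).Password
        $headers = @{"Authorization" = "Bearer $($token)"}

        $tenant = Get-AzTenant -TenantId (Get-AzContext).Tenant.Id
    }

    process {
        $definitions = $script:desiredConfiguration[$resourceName]

        foreach ($definition in $definitions) {
            # Expand placeholders in every string-valued property of the definition.
            # '-is [string]' (instead of GetType()) tolerates properties whose value is null.
            foreach ($property in $definition.Properties()) {
                if ($definition.$property -is [string]) {
                    $definition.$property = Resolve-String -Text $definition.$property
                }
            }

            $result = @{
                Tenant               = $tenant.Name
                TenantId             = $tenant.Id
                ResourceType         = 'roleManagementPolicy'
                ResourceName         = "Policy for $($definition.roleReference) on $($definition.scopeReference)"
                DesiredConfiguration = $definition
            }

            # The desired rules come from the named rule template and are attached to the
            # definition so that DesiredConfiguration.rules carries them through the result.
            $rules = @()
            $rules += ($script:desiredConfiguration["roleManagementPolicyRuleTemplates"] | Where-Object { $_.displayName -eq $definition.ruleTemplate }).rules
            Add-Member -InputObject $result.DesiredConfiguration -MemberType NoteProperty -Name rules -Value $rules -Force

            $subscriptionId = Resolve-Subscription -InputReference $definition.subscriptionReference
            $roleId = Resolve-AzureRoleDefinition -InputReference $definition.roleReference -SubscriptionId $subscriptionId -SearchInDesiredConfiguration

            # Always start from an empty result set: an unknown scopeType or an unresolved role
            # must not inherit $resource from the previous loop iteration.
            $resource = @()

            # Resolve-AzureRoleDefinition returns the reference unchanged when the role could not
            # be resolved; only a resolved role id can carry a policy assignment.
            if ($roleId -ne $definition.roleReference) {
                $policyId = $null

                # Locate the policy assignment for the role at the requested scope. The
                # subscription scope filters server-side, the others client-side.
                switch ($definition.scopeType) {
                    "subscription" {
                        $policyId = (Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($subscriptionId)/providers/Microsoft.Authorization/roleManagementPolicyAssignments?`$filter=roleDefinitionId eq '$($roleId)'&api-version=2020-10-01-preview" -Headers $headers).value.properties.policyId
                    }
                    "resourceGroup" {
                        $policyId = ((Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($subscriptionId)/ResourceGroups/$($definition.scopeReference)/providers/Microsoft.Authorization/roleManagementPolicyAssignments?api-version=2020-10-01-preview" -Headers $headers).value | Where-Object { $_.properties.roleDefinitionId -eq $roleId }).properties.policyId
                    }
                    "resource" {
                        $policyId = ((Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($subscriptionId)$($definition.scopeReference)/providers/Microsoft.Authorization/roleManagementPolicyAssignments?api-version=2020-10-01-preview" -Headers $headers).value | Where-Object { $_.properties.roleDefinitionId -eq $roleId }).properties.policyId
                    }
                }

                # No assignment at this scope means there is no policy to fetch; without this
                # guard an empty policy id produced a GET against the bare API base URL.
                if ($policyId) {
                    $resource += Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($policyId)?api-version=2020-10-01-preview" -Headers $headers
                }
            }

            switch ($resource.count) {
                0 {
                    # Neither the role nor its policy exists yet: report it as pending creation.
                    $changes = @()
                    $change = [PSCustomObject] @{
                        Property = "roleDefinition"
                        Actions  = @{"Set" = "roleDefinition not yet created"}
                    }
                    $changes += $change
                    $result = New-TestResult @result -Changes $changes -ActionType "Update"
                }
                1 {
                    $result["AzureResource"] = $resource
                    $changes = @()

                    # Only the rule set is compared; role and scope are fixed by the lookup above.
                    if (-not (Compare-PolicyProperties -ReferenceObject $result.DesiredConfiguration.rules -DifferenceObject $resource.properties.rules)) {
                        $change = [PSCustomObject] @{
                            Property = "rules"
                            Actions  = @{"Set" = $result.DesiredConfiguration.rules}
                        }
                        $changes += $change
                    }

                    if ($changes.count -gt 0) {
                        $result = New-TestResult @result -Changes $changes -ActionType "Update"
                    }
                    else {
                        $result = New-TestResult @result -ActionType "NoActionRequired"
                    }
                }
                default {
                    # More than one policy matched: fail the run rather than pick one arbitrarily.
                    Write-PSFMessage -Level Warning -String 'AzurePIM.Test.MultipleResourcesError' -StringValues $resourceName, $result.ResourceName -Tag 'failed'
                    $exception = New-Object System.Data.DataException("Query returned multiple results. Cannot decide which resource to test.")
                    $errorID = 'MultipleResourcesError'
                    $category = [System.Management.Automation.ErrorCategory]::NotSpecified
                    $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Cmdlet)
                    $Cmdlet.ThrowTerminatingError($recordObject)
                }
            }

            $result
        }
    }
}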