functions/entitlementManagement/accessPackageAssignmentPolicies/Test-TmfAccessPackageAssignmentPolicy.ps1
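function Test-TmfAccessPackageAssignmentPolicy {
    <#
        .SYNOPSIS
            Test desired configuration against a Tenant.

        .DESCRIPTION
            Compare current configuration of a resource type with the desired configuration.
            Return a result object with the required changes and actions.

            For every desired access package assignment policy the function looks the policy up
            in Microsoft Graph (by display name and access package id, falling back to any
            configured oldNames) and emits one test result whose ActionType is
            Create, Update, Delete or NoActionRequired.

        .PARAMETER Cmdlet
            The calling cmdlet. Used for the Graph connection check and as the target object
            when a terminating error is thrown.
    #>
    [CmdletBinding()]
    Param (
        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )

    begin {
        Test-GraphConnection -Cmdlet $Cmdlet
        $resourceName = "accessPackageAssignmentPolicies"
        $tenant = (Invoke-MgGraphRequest -Method GET -Uri ("$script:graphBaseUrl/organization?`$select=displayname,id")).value
    }

    process {
        foreach ($definition in $script:desiredConfiguration[$resourceName]) {
            # Resolve placeholders in every string property of the definition.
            # -is [string] is null-safe, unlike calling GetType() on a property that is $null.
            foreach ($property in $definition.Properties()) {
                if ($definition.$property -is [string]) {
                    $definition.$property = Resolve-String -Text $definition.$property
                }
            }

            $result = @{
                Tenant               = $tenant.displayName
                TenantId             = $tenant.Id
                ResourceType         = 'AccessPackageAssignmentPolicy'
                ResourceName         = (Resolve-String -Text $definition.displayName) + " (AP: $($definition.accessPackage))"
                DesiredConfiguration = $definition
            }

            $accessPackageId = $definition.accessPackageId()
            if (-Not $accessPackageId) {
                # The original message referenced an undefined $accessPackage variable, so the
                # name of the missing access package was never logged.
                # NOTE(review): "Create" is reported here even when $definition.present is false - confirm this is intended.
                Write-PSFMessage -Level Host -String 'TMF.RelatedResourceDoesNotExist' -StringValues "Access Package", $definition.accessPackage, $result.ResourceType, $result.ResourceName
                New-TestResult @result -ActionType "Create"
                continue
            }

            # The display name comes from configuration and is embedded in an OData string
            # literal. A single quote must be doubled, otherwise it terminates the literal and
            # the remainder of the name is parsed as filter syntax (failed or wrong match).
            $filterTemplate = "(displayname eq '{0}') and (accessPackage/id eq '{1}')"
            $uriPrefix = "$script:graphBaseUrl1/identityGovernance/entitlementManagement/assignmentPolicies?`$expand=accessPackage&`$filter="

            try {
                $odataName = ([string] $definition.displayName).Replace("'", "''")
                # Kept in $filter so the catch block can report which query failed.
                $filter = $filterTemplate -f $odataName, $accessPackageId
                $resource = (Invoke-MgGraphRequest -Method GET -Uri ($uriPrefix + ($filterTemplate -f [System.Web.HttpUtility]::UrlEncode($odataName), $accessPackageId))).Value

                # Nothing found under the current name: try the previous names, first hit wins.
                if (("oldNames" -in $definition.Properties()) -and (-not($resource))) {
                    foreach ($oldName in $definition.oldNames) {
                        $odataName = ([string] $oldName).Replace("'", "''")
                        $filter = $filterTemplate -f $odataName, $accessPackageId
                        $resource = (Invoke-MgGraphRequest -Method GET -Uri ($uriPrefix + ($filterTemplate -f [System.Web.HttpUtility]::UrlEncode($odataName), $accessPackageId))).Value
                        if ($resource) { break }
                    }
                }
            }
            catch {
                Write-PSFMessage -Level Warning -String 'TMF.Error.QueryWithFilterFailed' -StringValues $filter -Tag 'failed'
                $exception = New-Object System.Data.DataException("Query with filter $filter against Microsoft Graph failed. Error: $_")
                $errorID = 'QueryWithFilterFailed'
                $category = [System.Management.Automation.ErrorCategory]::NotSpecified
                $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Cmdlet)
                $cmdlet.ThrowTerminatingError($recordObject)
            }

            switch ($resource.Count) {
                0 {
                    # No policy in the tenant: create it if desired, otherwise nothing to do.
                    if ($definition.present) {
                        $result = New-TestResult @result -ActionType "Create"
                    }
                    else {
                        $result = New-TestResult @result -ActionType "NoActionRequired"
                    }
                }
                1 {
                    $result["GraphResource"] = $resource
                    if ($definition.present) {
                        $changes = @()
                        # Bookkeeping properties are not part of the Graph resource and are skipped.
                        foreach ($property in ($definition.Properties() | Where-Object { $_ -notin "present", "sourceConfig", "accessPackage", "oldNames" })) {
                            $change = [PSCustomObject] @{
                                Property = $property
                                Actions  = $null
                            }

                            switch ($property) {
                                { $_ -in "reviewSettings", "requestApprovalSettings", "requestorSettings", "expiration", "automaticRequestSettings" } {
                                    # Nested settings objects are compared key by key; only keys
                                    # present in the desired configuration are checked.
                                    $needUpdate = $false
                                    foreach ($key in $definition.$property.Keys) {
                                        switch ($key) {
                                            "stages" {
                                                if ($definition.$property.$key.count -ne $resource.$property.$key.count) {
                                                    $needUpdate = $true
                                                }
                                                else {
                                                    for ($i = 0; $i -lt $definition.$property.$key.count; $i++) {
                                                        # Approver lists are subject sets and need the dedicated comparer.
                                                        "primaryApprovers", "escalationApprovers", "fallbackPrimaryApprovers", "fallbackEscalationApprovers" |
                                                            Where-Object { $_ -in $definition.$property.$key[$i].Keys } |
                                                            Foreach-Object {
                                                                if (Check-SubjectSetRequiresUpdate -Reference $resource.$property.$key[$i].$_ -Difference $definition.$property.$key[$i].$_ -Cmdlet $Cmdlet) {
                                                                    $needUpdate = $true
                                                                }
                                                            }
                                                        # Scalar stage settings are compared directly.
                                                        "durationBeforeAutomaticDenial", "isApproverJustificationRequired", "isEscalationEnabled", "durationBeforeEscalation" |
                                                            Where-Object { $_ -in $definition.$property.$key[$i].Keys } |
                                                            Foreach-Object {
                                                                if ($definition.$property.$key[$i].$_ -ne $resource.$property.$key[$i].$_) {
                                                                    $needUpdate = $true
                                                                }
                                                            }
                                                    }
                                                }
                                            }
                                            "schedule" {
                                                # This branch writes $change.Actions directly with the differing
                                                # sub-object; the value is replaced by the whole property further
                                                # down if another key of the same property sets $needUpdate.
                                                foreach ($item in $definition.$property.$key.recurrence.pattern.GetEnumerator().Name) {
                                                    if ($definition.$property.$key.recurrence.pattern.$item -ne $resource.$property.$key.recurrence.pattern.$item) {
                                                        $change.Actions = @{"Set" = $definition.$property.$key.recurrence.pattern}
                                                    }
                                                }
                                                foreach ($item in $definition.$property.$key.recurrence.range.GetEnumerator().Name) {
                                                    if ($definition.$property.$key.recurrence.range.$item -ne $resource.$property.$key.recurrence.range.$item) {
                                                        $change.Actions = @{"Set" = $definition.$property.$key.recurrence.range}
                                                    }
                                                }
                                                # NOTE(review): the loop enumerates the keys of .expiration, but the
                                                # comparisons below read $definition.$property.$key.$item (without
                                                # .expiration). If the intent is to compare the expiration members,
                                                # drift in the schedule expiration is not detected here - confirm
                                                # against the consumer of the "Set" payload before changing it.
                                                foreach ($item in $definition.$property.$key.expiration.GetEnumerator().Name) {
                                                    switch ($item) {
                                                        "endDateTime" {
                                                            if ($definition.$property.$key.$item) {
                                                                # Desired value is converted to UTC before the string comparison.
                                                                if (([datetime]$definition.$property.$key.$item).ToUniversalTime().ToString() -ne $resource.$property.$key.$item.toString()) {
                                                                    $change.Actions = @{"Set" = $definition.$property.$key.$item}
                                                                }
                                                            }
                                                        }
                                                        default {
                                                            if ($definition.$property.$key.$item -ne $resource.$property.$key.$item) {
                                                                $change.Actions = @{"Set" = $definition.$property.$key.$item}
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                            { $_ -in "primaryReviewers", "fallbackReviewers", "onBehalfRequestors" } {
                                                if (Check-SubjectSetRequiresUpdate -Reference $resource.$property.$key -Difference $definition.$property.$key -Cmdlet $Cmdlet) {
                                                    $needUpdate = $true
                                                }
                                            }
                                            default {
                                                if ($key -eq "endDateTime") {
                                                    # An empty desired endDateTime is not compared at all.
                                                    if ($definition.$property.$key) {
                                                        if (([datetime]$definition.$property.$key).touniversaltime().tostring() -ne $resource.$property.$key.tostring()) {
                                                            $needUpdate = $true
                                                        }
                                                    }
                                                }
                                                else {
                                                    if ($definition.$property.$key -ne $resource.$property.$key) {
                                                        $needUpdate = $true
                                                    }
                                                }
                                            }
                                        }
                                    }

                                    if ($needUpdate) {
                                        $change.Actions = @{"Set" = $definition.$property}
                                    }
                                }
                                "specificAllowedTargets" {
                                    if (Check-SubjectSetRequiresUpdate -Reference $resource.$property -Difference $definition.$property -Cmdlet $Cmdlet) {
                                        $change.Actions = @{"Set" = $definition.$property}
                                    }
                                }
                                default {
                                    if ($definition.$property -ne $resource.$property) {
                                        $change.Actions = @{"Set" = $definition.$property}
                                    }
                                }
                            }

                            if ($change.Actions) { $changes += $change }
                        }

                        if ($changes.count -gt 0) {
                            $result = New-TestResult @result -Changes $changes -ActionType "Update"
                        }
                        else {
                            $result = New-TestResult @result -ActionType "NoActionRequired"
                        }
                    }
                    else {
                        # Policy exists in the tenant but is configured as not present.
                        $result = New-TestResult @result -ActionType "Delete"
                    }
                }
                default {
                    # More than one match: refuse to guess which policy the definition refers to.
                    Write-PSFMessage -Level Warning -String 'TMF.Test.MultipleResourcesError' -StringValues $resourceName, $definition.displayName -Tag 'failed'
                    $exception = New-Object System.Data.DataException("Query returned multiple results. Cannot decide which resource to test.")
                    $errorID = 'MultipleResourcesError'
                    $category = [System.Management.Automation.ErrorCategory]::NotSpecified
                    $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Cmdlet)
                    $cmdlet.ThrowTerminatingError($recordObject)
                }
            }

            $result
        }
    }
}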