Skip to content

Commit

Permalink
feat: set implicit condition_version on azurerm_role_assignment (h…
Browse files Browse the repository at this point in the history
…ashicorp#27189)

* feat: allow implicit condition version when setting condition in role_assignment

* feat: test implicit condition in role_assignment

* chore: unnecessary trailing newline
  • Loading branch information
logan-bobo authored Nov 21, 2024
1 parent 956bb5a commit ab63347
Show file tree
Hide file tree
Showing 2 changed files with 54 additions and 10 deletions.
19 changes: 11 additions & 8 deletions internal/services/authorization/role_assignment_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -138,15 +138,14 @@ func resourceArmRoleAssignment() *pluginsdk.Resource {
Type: pluginsdk.TypeString,
Optional: true,
ForceNew: true,
RequiredWith: []string{"condition_version"},
ValidateFunc: validation.StringIsNotEmpty,
},

"condition_version": {
Type: pluginsdk.TypeString,
Optional: true,
ForceNew: true,
RequiredWith: []string{"condition"},
Type: pluginsdk.TypeString,
Optional: true,
ForceNew: true,
Computed: true,
ValidateFunc: validation.StringInSlice([]string{
"1.0",
"2.0",
Expand Down Expand Up @@ -238,11 +237,15 @@ func resourceArmRoleAssignmentCreate(d *pluginsdk.ResourceData, meta interface{}
condition := d.Get("condition").(string)
conditionVersion := d.Get("condition_version").(string)

if condition != "" && conditionVersion != "" {
switch {
case condition != "" && conditionVersion != "":
properties.RoleAssignmentProperties.Condition = utils.String(condition)
properties.RoleAssignmentProperties.ConditionVersion = utils.String(conditionVersion)
} else if condition != "" || conditionVersion != "" {
return fmt.Errorf("`condition` and `conditionVersion` should be both set or unset")
case condition != "" && conditionVersion == "":
properties.RoleAssignmentProperties.Condition = utils.String(condition)
properties.RoleAssignmentProperties.ConditionVersion = utils.String("2.0")
case condition == "" && conditionVersion != "":
return fmt.Errorf("`conditionVersion` should not be set without `condition`")
}

skipPrincipalCheck := d.Get("skip_service_principal_aad_check").(bool)
Expand Down
45 changes: 43 additions & 2 deletions internal/services/authorization/role_assignment_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,23 @@ func TestAccRoleAssignment_condition(t *testing.T) {
})
}

func TestAccRoleAssignment_implicitCondition(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
id := uuid.New().String()

r := RoleAssignmentResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.implicitConditionVersion(id),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep("skip_service_principal_aad_check"),
})
}

func TestAccRoleAssignment_resourceScoped(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
id := uuid.New().String()
Expand Down Expand Up @@ -576,8 +593,32 @@ resource "azurerm_role_assignment" "test" {
role_definition_name = "Monitoring Reader"
principal_id = data.azurerm_client_config.test.object_id
description = "Monitoring Reader except "
condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'"
condition_version = "1.0"
condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEqualsIgnoreCase 'foo_storage_container'"
condition_version = "2.0"
}
`, groupId)
}

func (RoleAssignmentResource) implicitConditionVersion(groupId string) string {
return fmt.Sprintf(`
provider "azurerm" {
features {}
}
data "azurerm_subscription" "primary" {
}
data "azurerm_client_config" "test" {
}
resource "azurerm_role_assignment" "test" {
name = "%s"
scope = data.azurerm_subscription.primary.id
role_definition_name = "Monitoring Reader"
principal_id = data.azurerm_client_config.test.object_id
description = "Monitoring Reader except "
condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEqualsIgnoreCase 'foo_storage_container'"
}
`, groupId)
}
Expand Down

0 comments on commit ab63347

Please sign in to comment.