Merge pull request #25900 from oWretch/f/pim-policies

`azurerm_role_management_policy` New resource & data source

internal/services/authorization/client/client.go

@@ -15,6 +15,8 @@ import (
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityscheduleinstances"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityschedulerequests"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityschedules"
+	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/rolemanagementpolicies"
+	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/rolemanagementpolicyassignments"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2022-04-01/roleassignments"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2022-05-01-preview/roledefinitions"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/common"
@@ -28,6 +30,8 @@ type Client struct {
 	RoleEligibilityScheduleRequestClient   *roleeligibilityschedulerequests.RoleEligibilityScheduleRequestsClient
 	RoleEligibilityScheduleInstancesClient *roleeligibilityscheduleinstances.RoleEligibilityScheduleInstancesClient
 	RoleEligibilitySchedulesClient         *roleeligibilityschedules.RoleEligibilitySchedulesClient
+	RoleManagementPoliciesClient           *rolemanagementpolicies.RoleManagementPoliciesClient
+	RoleManagementPolicyAssignmentsClient  *rolemanagementpolicyassignments.RoleManagementPolicyAssignmentsClient
 	ScopedRoleAssignmentsClient            *roleassignments.RoleAssignmentsClient
 	ScopedRoleDefinitionsClient            *roledefinitions.RoleDefinitionsClient
 }
@@ -73,6 +77,18 @@ func NewClient(o *common.ClientOptions) (*Client, error) {
 	}
 	o.Configure(roleEligibilitySchedulesClient.Client, o.Authorizers.ResourceManager)
 
+	roleManagementPoliciesClient, err := rolemanagementpolicies.NewRoleManagementPoliciesClientWithBaseURI(o.Environment.ResourceManager)
+	if err != nil {
+		return nil, fmt.Errorf("creating roleManagementPoliciesClient: %+v", err)
+	}
+	o.Configure(roleManagementPoliciesClient.Client, o.Authorizers.ResourceManager)
+
+	roleManagementPolicyAssignmentClient, err := rolemanagementpolicyassignments.NewRoleManagementPolicyAssignmentsClientWithBaseURI(o.Environment.ResourceManager)
+	if err != nil {
+		return nil, fmt.Errorf("creating roleManagementPolicyAssignmentClient: %+v", err)
+	}
+	o.Configure(roleManagementPolicyAssignmentClient.Client, o.Authorizers.ResourceManager)
+
 	scopedRoleAssignmentsClient, err := roleassignments.NewRoleAssignmentsClientWithBaseURI(o.Environment.ResourceManager)
 	if err != nil {
 		return nil, fmt.Errorf("building Role Assignment Client:  %+v", err)
@@ -93,6 +109,8 @@ func NewClient(o *common.ClientOptions) (*Client, error) {
 		RoleEligibilityScheduleRequestClient:   roleEligibilityScheduleRequestClient,
 		RoleEligibilityScheduleInstancesClient: roleEligibilityScheduleInstancesClient,
 		RoleEligibilitySchedulesClient:         roleEligibilitySchedulesClient,
+		RoleManagementPoliciesClient:           roleManagementPoliciesClient,
+		RoleManagementPolicyAssignmentsClient:  roleManagementPolicyAssignmentClient,
 		ScopedRoleAssignmentsClient:            scopedRoleAssignmentsClient,
 		ScopedRoleDefinitionsClient:            scopedRoleDefinitionsClient,
 	}, nil

internal/services/authorization/parse/role_management_policy.go

@@ -0,0 +1,66 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package parse
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/go-azure-helpers/resourcemanager/resourceids"
+)
+
+type RoleManagementPolicyId struct {
+	RoleDefinitionId string
+	Scope            string
+}
+
+var _ resourceids.Id = RoleManagementPolicyId{}
+
+func NewRoleManagementPolicyId(roleDefinitionId string, scope string) RoleManagementPolicyId {
+	return RoleManagementPolicyId{
+		RoleDefinitionId: roleDefinitionId,
+		Scope:            scope,
+	}
+}
+
+// RoleManagementPolicyID parses 'input' into a RoleManagementPolicyId
+func RoleManagementPolicyID(input string) (*RoleManagementPolicyId, error) {
+	parts := strings.Split(input, "|")
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("could not parse Role Management Policy ID, invalid format %q", input)
+	}
+
+	return &RoleManagementPolicyId{
+		RoleDefinitionId: parts[0],
+		Scope:            parts[1],
+	}, nil
+}
+
+func (id RoleManagementPolicyId) ID() string {
+	return fmt.Sprintf("%s|%s", id.RoleDefinitionId, id.Scope)
+}
+
+func (id RoleManagementPolicyId) String() string {
+	components := []string{
+		fmt.Sprintf("Role Definition ID: %q", id.RoleDefinitionId),
+	}
+	if id.Scope != "" {
+		components = append(components, fmt.Sprintf("Scope: %q", id.Scope))
+	}
+	return fmt.Sprintf("Role Definition (%s)", strings.Join(components, "\n"))
+}
+
+func ValidateRoleManagementPolicyId(input interface{}, key string) (warnings []string, errors []error) {
+	v, ok := input.(string)
+	if !ok {
+		errors = append(errors, fmt.Errorf("expected %q to be a string", key))
+		return
+	}
+
+	if _, err := RoleManagementPolicyID(v); err != nil {
+		errors = append(errors, err)
+	}
+
+	return
+}

internal/services/authorization/registration.go

@@ -48,6 +48,7 @@ func (r Registration) SupportedResources() map[string]*pluginsdk.Resource {
 func (r Registration) DataSources() []sdk.DataSource {
 	return []sdk.DataSource{
 		RoleDefinitionDataSource{},
+		RoleManagementPolicyDataSource{},
 	}
 }
 
@@ -57,6 +58,7 @@ func (r Registration) Resources() []sdk.Resource {
 		PimEligibleRoleAssignmentResource{},
 		RoleAssignmentMarketplaceResource{},
 		RoleDefinitionResource{},
+		RoleManagementPolicyResource{},
 	}
 	return resources
 }