New Resource - azurerm_role_assignment_marketplace

[ms-zhenhua]

Related Links

#18387
#22178
#18439

Test Result

--- PASS: TestAccRoleAssignmentMarketplace_roleName (79.79s)
--- PASS: TestAccRoleAssignmentMarketplace_requiresImport (66.15s)
--- PASS: TestAccRoleAssignmentMarketplace_emptyName (71.63s)
--- PASS: TestAccRoleAssignmentMarketplace_ServicePrincipalWithType (71.94s)
--- PASS: TestAccRoleAssignmentMarketplace_builtin (72.01s)
--- PASS: TestAccRoleAssignmentMarketplace_ServicePrincipalGroup (78.87s)
--- PASS: TestAccRoleAssignmentMarketplace_ServicePrincipal (83.01s)
PASS
ok github.com/hashicorp/terraform-provider-azurerm/internal/services/authorization 249.838s

[stephybun]

Thanks for this PR @ms-zhenhua! I made a first pass and this looks mostly good. I'm unsure about the scoped ID parser that we're adding in this PR though and will need some time to discuss this internally.

Other than that just a few minor comments/suggestions/questions left in line.

[stephybun]

Could we use commonids.ValidateUserAssignedIdentityID here?

[ms-zhenhua]

Probably no. According to this issue: this property does not mean the managed identity resource id, but the resource which contains a managed identity.

[stephybun]

This is personal preference but the multiple layers of if/else make this difficult to understand at first glance - could we refactor this to

Suggested change

	if v, ok := metadata.ResourceData.GetOk("role_definition_id"); ok {
	roleDefinitionId = v.(string)
	} else if v, ok := metadata.ResourceData.GetOk("role_definition_name"); ok {
	roleName := v.(string)
	roleDefinitions, err := roleDefinitionsClient.List(ctx, commonids.NewScopeID(scope), roledefinitions.ListOperationOptions{Filter: pointer.To(fmt.Sprintf("roleName eq '%s'", roleName))})
	if err != nil {
	return fmt.Errorf("loading Role Definition List: %+v", err)
	}
	if roleDefinitions.Model != nil && len(*roleDefinitions.Model) == 1 && (*roleDefinitions.Model)[0].Id != nil {
	roleDefinitionId = *(*roleDefinitions.Model)[0].Id
	} else {
	return fmt.Errorf("loading Role Definition List: failed to find role '%s'", roleName)
	}
	} else {
	return fmt.Errorf("either 'role_definition_id' or 'role_definition_name' needs to be set")
	}
	if v, ok := metadata.ResourceData.GetOk("role_definition_id"); ok {
	roleDefinitionId = v.(string)
	}
	if v, ok := metadata.ResourceData.GetOk("role_definition_name"); ok {
	roleName := v.(string)
	roleDefinitions, err := roleDefinitionsClient.List(ctx, commonids.NewScopeID(scope), roledefinitions.ListOperationOptions{Filter: pointer.To(fmt.Sprintf("roleName eq '%s'", roleName))})
	if err != nil {
	return fmt.Errorf("loading Role Definition List for %s: %+v", roleName, err)
	}
	if roleDefinitions.Model == nil || len(*roleDefinitions.Model) != 1 || (*roleDefinitions.Model)[0].Id == nil {
	return fmt.Errorf("loading Role Definition List: failed to find role '%s'", roleName)
	}
	roleDefinitionId = *(*roleDefinitions.Model)[0].Id
	}
	if roleDefinitionId == "" {
	return fmt.Errorf("either 'role_definition_id' or 'role_definition_name' needs to be set")
	}

[ms-zhenhua]

code updated

[stephybun]

Suggested change

	if name == "" {
	uuid, err := uuid.GenerateUUID()
	if err != nil {
	return fmt.Errorf("generating UUID for Role Assignment: %+v", err)
	}
	name = uuid
	}
	tenantId := ""
	delegatedManagedIdentityResourceID := metadata.ResourceData.Get("delegated_managed_identity_resource_id").(string)
	if len(delegatedManagedIdentityResourceID) > 0 {
	var err error
	tenantId, err = getTenantIdBySubscriptionId(ctx, subscriptionClient, subscriptionId)
	if err != nil {
	return err
	}
	}
	var err error
	if name == "" {
	name, err = uuid.GenerateUUID()
	if err != nil {
	return fmt.Errorf("generating UUID for Role Assignment: %+v", err)
	}
	}
	tenantId := ""
	delegatedManagedIdentityResourceID := metadata.ResourceData.Get("delegated_managed_identity_resource_id").(string)
	if len(delegatedManagedIdentityResourceID) > 0 {
	tenantId, err = getTenantIdBySubscriptionId(ctx, subscriptionClient, subscriptionId)
	if err != nil {
	return err
	}
	}

[ms-zhenhua]

code updated

[stephybun]

Won't the RequiredWith in the schema already validate this/prevent this scenario from happening?

[ms-zhenhua]

yes, duplicated. Code updated.

[stephybun]

Suggested change

	log.Printf("[DEBUG] Role Assignment ID %s was not found - removing from state", id)
	log.Printf("[DEBUG] %s was not found - removing from state", id)

[ms-zhenhua]

code updated

[stephybun]

Suggested change

	if props.PrincipalType != nil {
	metadata.ResourceData.Set("principal_type", string(*props.PrincipalType))
	}
	metadata.ResourceData.Set("principal_type", pointer.From(props.PrincipalType))

[ms-zhenhua]

code updated

[stephybun]

Suggested change

	Assigns a given Principal (User or Group) to a given Role in Private Azure Marketplace.
	---
	# azurerm_role_assignment_marketplace
	Assigns a given Principal (User or Group) to a given Role in Private Azure Marketplace.
	Assigns a given Principal (User or Group) to a given Role in a Private Azure Marketplace.
	---
	# azurerm_role_assignment_marketplace
	Assigns a given Principal (User or Group) to a given Role in a Private Azure Marketplace.

[ms-zhenhua]

doc updated

[stephybun]

Suggested change

	~> **NOTE:** this field is only used in cross tenant scenario.
	~> **NOTE:** This field is only used in cross tenant scenarios.

[ms-zhenhua]

doc updated

[stephybun]

This note isn't clear on what we're expecting from the user - is this note saying that the principal_id cannot be set to any other type other than a Service Principal? Or should skip_service_principal_aad_check always be set to false if principal_id is something other than a Service Principal?

Suggested change

	~> **NOTE:** If it is not a `Service Principal` identity it will cause the role assignment to fail.
	~> **NOTE:** If it is not a `Service Principal` identity it will cause the role assignment to fail.

[ms-zhenhua]

doc updated: This field takes effect only when principal_id is a Service Principal identity.

[stephybun]

Suggested change

	~> **NOTE:** for cross tenant scenario, the format of `resource id` is composed of Azure resource ID and tenantId. for example:
	~> **NOTE:** For cross tenant scenarios, the format of the `resource id` consists of the Azure resource ID and and the tenant ID, for example:

[ms-zhenhua]

doc updated

[ms-zhenhua]

Hi @stephybun, thank you for your review. I have resolved all comments. Kindly help take another review. Thanks.

[stephybun]

After internal discussion, this is fine for now. But we will want to create a composite ID type in the commonids package in the go-azure-helpers repo that can handle cases like these and will replace this in time. Just as an FYI.

[stephybun]

We have other role assignment resources where the scope comes before the resource name, can we do that here aswell please?

Suggested change

	return "azurerm_role_assignment_marketplace"
	return "azurerm_marketplace_role_assignment"

[ms-zhenhua]

make sense. Code updated.

[ms-zhenhua]

Hi @stephybun, thank you for your review. I have renamed the resource. Kindly take another review. Thanks.

[stephybun]

Thanks @ms-zhenhua LGTM 🥟

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.