[Bug Fix] azurerm_pim_active_role_assignment, `azurerm_pim_eligible…

…_role_assignment` (#24524) * Fix PIM related issues 1. Replace the Instance API by Schedule API 2. Use the Schedule Request ID to get the Schedule Request not Schedule ID 3. Use cancel API to cancel the pending role assignment * fix acctest * update filter * update vendor * update test case * update test case * go mod tidy && go mod vendor * linting, use switch statement instead of map lookup --------- Co-authored-by: Tom Bamford <tom@bamford.io>
hashicorp · Feb 29, 2024 · c79f4ce · c79f4ce
1 parent e53ba7e
commit c79f4ce
Show file tree

Hide file tree

Showing 35 changed files with 1,882 additions and 148 deletions.
diff --git a/internal/services/authorization/client/client.go b/internal/services/authorization/client/client.go
@@ -11,8 +11,10 @@ import (
 	// To swap sdk for `azurerm_role_definition` without changing API version
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleassignmentscheduleinstances"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleassignmentschedulerequests"
+	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleassignmentschedules"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityscheduleinstances"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityschedulerequests"
+	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityschedules"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2022-04-01/roleassignments"
 	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2022-05-01-preview/roledefinitions"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/common"
@@ -22,8 +24,10 @@ type Client struct {
 	RoleAssignmentsClient                  *authorization.RoleAssignmentsClient
 	RoleAssignmentScheduleRequestClient    *roleassignmentschedulerequests.RoleAssignmentScheduleRequestsClient
 	RoleAssignmentScheduleInstancesClient  *roleassignmentscheduleinstances.RoleAssignmentScheduleInstancesClient
+	RoleAssignmentSchedulesClient          *roleassignmentschedules.RoleAssignmentSchedulesClient
 	RoleEligibilityScheduleRequestClient   *roleeligibilityschedulerequests.RoleEligibilityScheduleRequestsClient
 	RoleEligibilityScheduleInstancesClient *roleeligibilityscheduleinstances.RoleEligibilityScheduleInstancesClient
+	RoleEligibilitySchedulesClient         *roleeligibilityschedules.RoleEligibilitySchedulesClient
 	ScopedRoleAssignmentsClient            *roleassignments.RoleAssignmentsClient
 	ScopedRoleDefinitionsClient            *roledefinitions.RoleDefinitionsClient
 }
@@ -45,6 +49,12 @@ func NewClient(o *common.ClientOptions) (*Client, error) {
 	}
 	o.Configure(roleAssignmentScheduleInstancesClient.Client, o.Authorizers.ResourceManager)
 
+	roleAssignmentSchedulesClient, err := roleassignmentschedules.NewRoleAssignmentSchedulesClientWithBaseURI(o.Environment.ResourceManager)
+	if err != nil {
+		return nil, fmt.Errorf("creating roleAssignmentSchedulesClient: %+v", err)
+	}
+	o.Configure(roleAssignmentSchedulesClient.Client, o.Authorizers.ResourceManager)
+
 	roleEligibilityScheduleRequestClient, err := roleeligibilityschedulerequests.NewRoleEligibilityScheduleRequestsClientWithBaseURI(o.Environment.ResourceManager)
 	if err != nil {
 		return nil, fmt.Errorf("creating roleEligibilityScheduleRequestClient: %+v", err)
@@ -57,6 +67,12 @@ func NewClient(o *common.ClientOptions) (*Client, error) {
 	}
 	o.Configure(roleEligibilityScheduleInstancesClient.Client, o.Authorizers.ResourceManager)
 
+	roleEligibilitySchedulesClient, err := roleeligibilityschedules.NewRoleEligibilitySchedulesClientWithBaseURI(o.Environment.ResourceManager)
+	if err != nil {
+		return nil, fmt.Errorf("creating roleEligibilitySchedulesClient: %+v", err)
+	}
+	o.Configure(roleEligibilitySchedulesClient.Client, o.Authorizers.ResourceManager)
+
 	scopedRoleAssignmentsClient, err := roleassignments.NewRoleAssignmentsClientWithBaseURI(o.Environment.ResourceManager)
 	if err != nil {
 		return nil, fmt.Errorf("building Role Assignment Client:  %+v", err)
@@ -73,8 +89,10 @@ func NewClient(o *common.ClientOptions) (*Client, error) {
 		RoleAssignmentsClient:                  &roleAssignmentsClient,
 		RoleAssignmentScheduleRequestClient:    roleAssignmentScheduleRequestsClient,
 		RoleAssignmentScheduleInstancesClient:  roleAssignmentScheduleInstancesClient,
+		RoleAssignmentSchedulesClient:          roleAssignmentSchedulesClient,
 		RoleEligibilityScheduleRequestClient:   roleEligibilityScheduleRequestClient,
 		RoleEligibilityScheduleInstancesClient: roleEligibilityScheduleInstancesClient,
+		RoleEligibilitySchedulesClient:         roleEligibilitySchedulesClient,
 		ScopedRoleAssignmentsClient:            scopedRoleAssignmentsClient,
 		ScopedRoleDefinitionsClient:            scopedRoleDefinitionsClient,
 	}, nil

diff --git a/internal/services/authorization/parse/pim_role_assignment.go b/internal/services/authorization/parse/pim_role_assignment.go
@@ -9,8 +9,8 @@ import (
 	"strings"
 
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonids"
-	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleassignmentscheduleinstances"
-	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityscheduleinstances"
+	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleassignmentschedules"
+	"github.com/hashicorp/go-azure-sdk/resource-manager/authorization/2020-10-01/roleeligibilityschedules"
 )
 
 type PimRoleAssignmentId struct {
@@ -70,20 +70,20 @@ func RoleAssignmentScheduleID(input string) (*string, error) {
 	return &matches[1], nil
 }
 
-func RoleAssignmentScheduleIdFromInstance(r *roleassignmentscheduleinstances.RoleAssignmentScheduleInstance) (*string, error) {
-	re := regexp.MustCompile(`^.+/providers/Microsoft.Authorization/roleAssignmentSchedules/(.+)`)
-	matches := re.FindStringSubmatch(*r.Properties.RoleAssignmentScheduleId)
+func RoleAssignmentScheduleRequestIdFromSchedule(r *roleassignmentschedules.RoleAssignmentSchedule) (*string, error) {
+	re := regexp.MustCompile(`^.+/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/(.+)`)
+	matches := re.FindStringSubmatch(*r.Properties.RoleAssignmentScheduleRequestId)
 	if len(matches) != 2 {
-		return nil, fmt.Errorf("parsing %s", *r.Properties.RoleAssignmentScheduleId)
+		return nil, fmt.Errorf("parsing %s", *r.Properties.RoleAssignmentScheduleRequestId)
 	}
 	return &matches[1], nil
 }
 
-func RoleEligibilityScheduleIdFromInstance(r *roleeligibilityscheduleinstances.RoleEligibilityScheduleInstance) (*string, error) {
-	re := regexp.MustCompile(`^.+/providers/Microsoft.Authorization/roleEligibilitySchedules/(.+)`)
-	matches := re.FindStringSubmatch(*r.Properties.RoleEligibilityScheduleId)
+func RoleEligibilityScheduleRequestIdFromSchedule(r *roleeligibilityschedules.RoleEligibilitySchedule) (*string, error) {
+	re := regexp.MustCompile(`^.+/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/(.+)`)
+	matches := re.FindStringSubmatch(*r.Properties.RoleEligibilityScheduleRequestId)
 	if len(matches) != 2 {
-		return nil, fmt.Errorf("parsing %s", *r.Properties.RoleEligibilityScheduleId)
+		return nil, fmt.Errorf("parsing %s", *r.Properties.RoleEligibilityScheduleRequestId)
 	}
 	return &matches[1], nil
 }