feat: allow specified role definition id and name (#208)

* feat: allow specified role definition id and name

* improve code and tests

* improve test

Author: jaredfholgate

alzlib.go

@@ -20,8 +20,9 @@ import (
 )
 
 const (
-	defaultParallelism = 10 // default number of parallel requests to make to Azure APIs
-	defaultOverwrite   = false
+	defaultParallelism           = 10 // default number of parallel requests to make to Azure APIs
+	defaultOverwrite             = false
+	defaultUniqueRoleDefinitions = true // default to unique role definitions per management group
 )
 
 // AlzLib is the structure that gets built from the the library files
@@ -48,8 +49,9 @@ type azureClients struct {
 
 // AlzLibOptions are options for the AlzLib.
 type AlzLibOptions struct {
-	AllowOverwrite bool // AllowOverwrite allows overwriting of existing policy assignments when processing additional libraries with AlzLib.Init().
-	Parallelism    int  // Parallelism is the number of parallel requests to make to Azure APIs when getting policy definitions and policy set definitions.
+	AllowOverwrite        bool // AllowOverwrite allows overwriting of existing policy assignments when processing additional libraries with AlzLib.Init().
+	Parallelism           int  // Parallelism is the number of parallel requests to make to Azure APIs when getting policy definitions and policy set definitions.
+	UniqueRoleDefinitions bool // UniqueRoleDefinitions indicates whether to update the role definitions to be unique per management group. If this is not set, you may end up with conflicting role definition names.
 }
 
 // NewAlzLib returns a new instance of the alzlib library, optionally using the supplied directory
@@ -77,8 +79,9 @@ func NewAlzLib(opts *AlzLibOptions) *AlzLib {
 
 func defaultAlzLibOptions() *AlzLibOptions {
 	return &AlzLibOptions{
-		Parallelism:    defaultParallelism,
-		AllowOverwrite: defaultOverwrite,
+		Parallelism:           defaultParallelism,
+		AllowOverwrite:        defaultOverwrite,
+		UniqueRoleDefinitions: defaultUniqueRoleDefinitions,
 	}
 }
 

alzlib_test.go

@@ -18,9 +18,22 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestNewAlzLibOptions(t *testing.T) {
+func TestNewAlzLibDefaultOptions(t *testing.T) {
 	az := NewAlzLib(nil)
+	assert.Equal(t, defaultOverwrite, az.Options.AllowOverwrite)
 	assert.Equal(t, defaultParallelism, az.Options.Parallelism)
+	assert.Equal(t, defaultUniqueRoleDefinitions, az.Options.UniqueRoleDefinitions)
+}
+
+func TestNewAlzLibCustomOptions(t *testing.T) {
+	az := NewAlzLib(&AlzLibOptions{
+		AllowOverwrite:        true,
+		Parallelism:           25,
+		UniqueRoleDefinitions: false,
+	})
+	assert.Equal(t, true, az.Options.AllowOverwrite)
+	assert.Equal(t, 25, az.Options.Parallelism)
+	assert.Equal(t, false, az.Options.UniqueRoleDefinitions)
 }
 
 // Test_NewAlzLib_noDir tests the creation of a new AlzLib when supplied with a path

deployment/hierarchy.go

@@ -306,7 +306,7 @@ func (h *Hierarchy) addManagementGroup(ctx context.Context, req managementGroupA
 	h.mgs[req.id] = mg
 
 	// run Update to change all refs, etc.
-	if err := h.mgs[req.id].update(); err != nil {
+	if err := h.mgs[req.id].update(h.alzlib.Options.UniqueRoleDefinitions); err != nil {
 		return nil, fmt.Errorf("Hierarchy.AddManagementGroup: adding `%s` error updating assets at scope %w", req.id, err)
 	}
 

deployment/managementgroup.go

@@ -331,7 +331,7 @@ func (mg *HierarchyManagementGroup) generatePolicyAssignmentAdditionalRoleAssign
 
 // update will update the AlzManagementGroup resources with the correct resource ids, references, etc.
 // Make sure to pass in any updates to the policy assignment parameter values.
-func (mg *HierarchyManagementGroup) update() error {
+func (mg *HierarchyManagementGroup) update(uniqueRoleDefinitions bool) error {
 	pd2mg := mg.hierarchy.policyDefinitionToMg()
 	psd2mg := mg.hierarchy.policySetDefinitionToMg()
 
@@ -345,7 +345,7 @@ func (mg *HierarchyManagementGroup) update() error {
 	}
 
 	// re-write the assignableScopes for the role definitions.
-	updateRoleDefinitions(mg)
+	updateRoleDefinitions(mg, uniqueRoleDefinitions)
 
 	if err := updatePolicyAsignments(mg, pd2mg, psd2mg); err != nil {
 		return fmt.Errorf("HierarchyManagementGroup.update: error updating policy assignments: %w", err)
@@ -540,12 +540,15 @@ func updatePolicyAsignments(mg *HierarchyManagementGroup, pd2mg, psd2mg map[stri
 	return nil
 }
 
-func updateRoleDefinitions(alzmg *HierarchyManagementGroup) {
+func updateRoleDefinitions(alzmg *HierarchyManagementGroup, uniqueRoleDefinitions bool) {
 	for _, roledef := range alzmg.roleDefinitions {
-		u := uuidV5(alzmg.id, *roledef.Name)
-		roledef.Name = to.Ptr(u.String())
-		roledef.ID = to.Ptr(fmt.Sprintf(RoleDefinitionIdFmt, alzmg.id, u))
-		roledef.Properties.RoleName = to.Ptr(fmt.Sprintf("%s (%s)", *roledef.Properties.RoleName, alzmg.id))
+		if uniqueRoleDefinitions {
+			u := uuidV5(alzmg.id, *roledef.Name)
+			roledef.Name = to.Ptr(u.String())
+			roledef.Properties.RoleName = to.Ptr(fmt.Sprintf("%s (%s)", *roledef.Properties.RoleName, alzmg.id))
+		}
+		roledef.ID = to.Ptr(fmt.Sprintf(RoleDefinitionIdFmt, alzmg.id, *roledef.Name))
+
 		if len(roledef.Properties.AssignableScopes) == 0 {
 			roledef.Properties.AssignableScopes = make([]*string, 1)
 		}

deployment/managementgroup_test.go

@@ -413,10 +413,10 @@ func TestManagementGroupUpdate(t *testing.T) {
 	h.mgs["mg1a"] = mg1a
 	h.mgs["mg2"] = mg2
 	mgRoot.children = mapset.NewThreadUnsafeSet(mg1, mg2)
-	require.NoError(t, mgRoot.update())
-	require.NoError(t, mg1.update())
-	require.NoError(t, mg2.update())
-	require.NoError(t, mg1a.update())
+	require.NoError(t, mgRoot.update(true))
+	require.NoError(t, mg1.update(true))
+	require.NoError(t, mg2.update(true))
+	require.NoError(t, mg1a.update(true))
 
 	// Check that the policy assignments reference the correct policy definitions.
 	assert.Equal(t, fmt.Sprintf(PolicyDefinitionIdFmt, "mg1", "pdDeployedTwice"), *mg1a.policyAssignments["paAtMg1a"].Properties.PolicyDefinitionID)
@@ -445,7 +445,7 @@ func TestManagementGroupUpdate(t *testing.T) {
 		roleDefinitions:      map[string]*assets.RoleDefinition{},
 	}
 	h.mgs["mgOtherRoot"] = mgOtherRoot
-	require.NoError(t, mgOtherRoot.update())
+	require.NoError(t, mgOtherRoot.update(true))
 
 	mg1.policyAssignments["defNotInHierarchy"] = &assets.PolicyAssignment{
 		Assignment: armpolicy.Assignment{
@@ -455,7 +455,130 @@ func TestManagementGroupUpdate(t *testing.T) {
 			},
 		},
 	}
-	assert.ErrorContains(t, mg1.update(), "policy assignment defNotInHierarchy has a policy definition pdOtherRoot that is not in the same hierarchy")
+	assert.ErrorContains(t, mg1.update(true), "policy assignment defNotInHierarchy has a policy definition pdOtherRoot that is not in the same hierarchy")
+}
+
+func TestManagementGroupUpdateWithUniqueRoleDefinitions(t *testing.T) {
+	h := NewHierarchy(nil)
+	mgRoot := &HierarchyManagementGroup{
+		id:                   "mgRoot",
+		parent:               nil,
+		level:                0,
+		parentExternal:       to.Ptr("external"),
+		location:             "changeme",
+		hierarchy:            h,
+		policyAssignments:    map[string]*assets.PolicyAssignment{},
+		policyDefinitions:    map[string]*assets.PolicyDefinition{},
+		policySetDefinitions: map[string]*assets.PolicySetDefinition{},
+		roleDefinitions: map[string]*assets.RoleDefinition{
+			"rdRoot01": {
+				RoleDefinition: armauthorization.RoleDefinition{
+					Name: to.Ptr("8a60c97f-9cb6-536b-b5db-9c997ee1de03"),
+					Properties: &armauthorization.RoleDefinitionProperties{
+						RoleName:    to.Ptr("[ALZ] Application-Owners"),
+						Description: to.Ptr("Contributor role granted for application/operations team at resource group level"),
+					},
+				},
+			},
+		},
+	}
+	mg1 := &HierarchyManagementGroup{
+		id:                   "mg1",
+		parent:               mgRoot,
+		level:                1,
+		location:             "changeme",
+		hierarchy:            h,
+		policyAssignments:    map[string]*assets.PolicyAssignment{},
+		policyDefinitions:    map[string]*assets.PolicyDefinition{},
+		policySetDefinitions: map[string]*assets.PolicySetDefinition{},
+		roleDefinitions: map[string]*assets.RoleDefinition{
+			"rdMg101": {
+				RoleDefinition: armauthorization.RoleDefinition{
+					Name: to.Ptr("8a60c97f-9cb6-536b-b5db-9c997ee1de03"),
+					Properties: &armauthorization.RoleDefinitionProperties{
+						RoleName:    to.Ptr("[ALZ] Application-Owners"),
+						Description: to.Ptr("Contributor role granted for application/operations team at resource group level"),
+					},
+				},
+			},
+		},
+	}
+
+	h.mgs["mgRoot"] = mgRoot
+	h.mgs["mg1"] = mg1
+
+	mgRoot.children = mapset.NewThreadUnsafeSet(mg1)
+	require.NoError(t, mgRoot.update(true))
+	require.NoError(t, mg1.update(true))
+
+	// Check that the role definitions are unique
+	assert.NotEqual(t, *mgRoot.roleDefinitions["rdRoot01"].Name, *mg1.roleDefinitions["rdMg101"].Name, "Role definitions should not have the same ID")
+	assert.NotEqual(t, *mgRoot.roleDefinitions["rdRoot01"].Properties.RoleName, *mg1.roleDefinitions["rdMg101"].Properties.RoleName, "Role definitions should not have the same ID")
+	assert.NotEqual(t, *mgRoot.roleDefinitions["rdRoot01"].ID, "/providers/Microsoft.Management/managementGroups/mgRoot/providers/Microsoft.Authorization/roleDefinitions/8a60c97f-9cb6-536b-b5db-9c997ee1de03", "Role definitions should not have the same ID after update")
+	assert.Equal(t, *mgRoot.roleDefinitions["rdRoot01"].ID, fmt.Sprintf("/providers/Microsoft.Management/managementGroups/mgRoot/providers/Microsoft.Authorization/roleDefinitions/%s", *mgRoot.roleDefinitions["rdRoot01"].Name), "Role definitions should have the same ID after update")
+	assert.NotEqual(t, *mgRoot.roleDefinitions["rdRoot01"].Name, "8a60c97f-9cb6-536b-b5db-9c997ee1de03", "Role definitions should have the same Name after update")
+	assert.Equal(t, *mgRoot.roleDefinitions["rdRoot01"].Properties.RoleName, fmt.Sprintf("[ALZ] Application-Owners (%s)", mgRoot.id), "Role definitions should have the same RoleName after update")
+}
+
+func TestManagementGroupUpdateWithNonUniqueRoleDefinitions(t *testing.T) {
+	h := NewHierarchy(nil)
+	mgRoot := &HierarchyManagementGroup{
+		id:                   "mgRoot",
+		parent:               nil,
+		level:                0,
+		parentExternal:       to.Ptr("external"),
+		location:             "changeme",
+		hierarchy:            h,
+		policyAssignments:    map[string]*assets.PolicyAssignment{},
+		policyDefinitions:    map[string]*assets.PolicyDefinition{},
+		policySetDefinitions: map[string]*assets.PolicySetDefinition{},
+		roleDefinitions: map[string]*assets.RoleDefinition{
+			"rdRoot01": {
+				RoleDefinition: armauthorization.RoleDefinition{
+					Name: to.Ptr("8a60c97f-9cb6-536b-b5db-9c997ee1de03"),
+					Properties: &armauthorization.RoleDefinitionProperties{
+						RoleName:    to.Ptr("[ALZ] Application-Owners"),
+						Description: to.Ptr("Contributor role granted for application/operations team at resource group level"),
+					},
+				},
+			},
+		},
+	}
+	mg1 := &HierarchyManagementGroup{
+		id:                   "mg1",
+		parent:               mgRoot,
+		level:                1,
+		location:             "changeme",
+		hierarchy:            h,
+		policyAssignments:    map[string]*assets.PolicyAssignment{},
+		policyDefinitions:    map[string]*assets.PolicyDefinition{},
+		policySetDefinitions: map[string]*assets.PolicySetDefinition{},
+		roleDefinitions: map[string]*assets.RoleDefinition{
+			"rdMg101": {
+				RoleDefinition: armauthorization.RoleDefinition{
+					Name: to.Ptr("8a60c97f-9cb6-536b-b5db-9c997ee1de03"),
+					Properties: &armauthorization.RoleDefinitionProperties{
+						RoleName:    to.Ptr("[ALZ] Application-Owners"),
+						Description: to.Ptr("Contributor role granted for application/operations team at resource group level"),
+					},
+				},
+			},
+		},
+	}
+
+	h.mgs["mgRoot"] = mgRoot
+	h.mgs["mg1"] = mg1
+
+	mgRoot.children = mapset.NewThreadUnsafeSet(mg1)
+	require.NoError(t, mgRoot.update(false))
+	require.NoError(t, mg1.update(false))
+
+	// Check that the role definitions are still not unique after update
+	assert.Equal(t, *mgRoot.roleDefinitions["rdRoot01"].Name, *mg1.roleDefinitions["rdMg101"].Name, "Role definitions should not have the same ID after update")
+	assert.Equal(t, *mgRoot.roleDefinitions["rdRoot01"].Properties.RoleName, *mg1.roleDefinitions["rdMg101"].Properties.RoleName, "Role definitions should not have the same ID after update")
+	assert.Equal(t, *mgRoot.roleDefinitions["rdRoot01"].ID, "/providers/Microsoft.Management/managementGroups/mgRoot/providers/Microsoft.Authorization/roleDefinitions/8a60c97f-9cb6-536b-b5db-9c997ee1de03", "Role definitions should have the same ID after update")
+	assert.Equal(t, *mgRoot.roleDefinitions["rdRoot01"].Name, "8a60c97f-9cb6-536b-b5db-9c997ee1de03", "Role definitions should have the same Name after update")
+	assert.Equal(t, *mgRoot.roleDefinitions["rdRoot01"].Properties.RoleName, "[ALZ] Application-Owners", "Role definitions should have the same RoleName after update")
 }
 
 func TestModifyPolicyDefinitions(t *testing.T) {
@@ -589,7 +712,7 @@ func TestModifyRoleDefinitions(t *testing.T) {
 			}),
 		},
 	}
-	updateRoleDefinitions(alzmg)
+	updateRoleDefinitions(alzmg, true)
 	expected := fmt.Sprintf(RoleDefinitionIdFmt, "mg1", uuidV5("mg1", "role1"))
 	assert.Equal(t, expected, *alzmg.roleDefinitions["rd1"].ID)
 	assert.Len(t, alzmg.roleDefinitions["rd1"].Properties.AssignableScopes, 1)
@@ -616,7 +739,7 @@ func TestModifyRoleDefinitions(t *testing.T) {
 			}),
 		},
 	}
-	updateRoleDefinitions(alzmg)
+	updateRoleDefinitions(alzmg, true)
 	expected = fmt.Sprintf(RoleDefinitionIdFmt, "mg1", uuidV5("mg1", "role1"))
 	assert.Equal(t, expected, *alzmg.roleDefinitions["rd1"].ID)
 	assert.Len(t, alzmg.roleDefinitions["rd1"].Properties.AssignableScopes, 1)
@@ -633,7 +756,7 @@ func TestModifyRoleDefinitions(t *testing.T) {
 		id:              "mg1",
 		roleDefinitions: map[string]*assets.RoleDefinition{},
 	}
-	updateRoleDefinitions(alzmg)
+	updateRoleDefinitions(alzmg, true)
 	assert.Empty(t, alzmg.roleDefinitions)
 }