⭐ azure: roll out private endpoint connections, identity, and provenance#8905

Open
tas50 wants to merge 1 commit into
mainfrom
worktree-azure-security-context-batch
Conversation

@tas50 tas50 commented Jul 2, 2026

What

Expands security context across several Azure resources with three verified additions. Every candidate was checked against its vendored SDK before any code was written, so resources whose SDK cannot populate a field were deliberately skipped rather than shipped with dead schema.

1. Private endpoint connections

Adds a typed privateEndpointConnections() []azure.subscription.privateEndpointConnection accessor to resources that lacked one:

| Resource | How |
| --- | --- |
| Service Bus, Event Hubs, IoT Hub, Cognitive Services, App Configuration, SignalR, Web PubSub, Synapse | Read connections already embedded in the parent's properties — no extra API call |
| AKS cluster | Dedicated PrivateEndpointConnectionsClient, tolerating 404/403 as "no connections" |
| API Management | Full typed list; the pre-existing privateEndpointConnectionCount is deprecated in favor of it |

A shared helper (private_endpoint_connections.go) normalizes any SDK connection type through convert.JsonToDict — every Azure SDK models these with the same JSON shape, so one helper serves them all, including App Configuration's PrivateEndpointConnectionReference and API Management's RemotePrivateEndpointConnectionWrapper. The nested connection-state resource is given a derived __id to avoid empty-key cache collisions.

Skipped (SDK verified): Log Analytics workspace (no PEC type — only PrivateLinkScopedResources, already exposed); Machine Learning workspace and Purview account (already expose PE connections).

2. Managed identity

  • IoT Hub: adds identityType, principalId, tenantId, userAssignedIdentities (previously modeled no identity at all).
  • API Management: adds principalId, tenantId, userAssignedIdentities (identityType already present).

Skipped: customer-managed-key encryption — neither the IoT Hub nor the API Management SDK exposes it.

3. Provenance

  • Purview account: adds systemMetadata(), surfacing the ARM last-modified provenance that its bespoke createdAt/createdBy fields don't carry.

Why

These are standard compliance controls — "is this resource reachable only through a private endpoint?", "what identity does it run as?", "who last modified it?" — that previously couldn't be queried on these services.

Notes

  • No new provider permissions (azure.permissions.json unchanged at 242). Shape-A accessors read already-fetched properties; the AKS List call did not alter the extracted permission set.
  • New .lr.versions entries at 13.24.1 (next patch after the current provider version).

Verification

  • make providers/build/azure compiles the full module cleanly; codegen (mqlr generate) is consistent and generated accessors/setters are present.
  • Live value-verification is pending: none of these resource types exist in the available test subscription, so there was nothing to query against. The private-endpoint helper is a faithful generalization of the shipped Key Vault builder, and all field paths were verified against the vendored SDK structs.

Expand security context across several Azure resources with three
verified additions. Each candidate was checked against its vendored SDK
first, so resources whose SDK cannot populate a field were left alone.

Private endpoint connections — add a typed
`privateEndpointConnections() []azure.subscription.privateEndpointConnection`
accessor to resources that lacked one:

- Service Bus namespace, Event Hubs namespace, IoT Hub, Cognitive
  Services account, App Configuration store, SignalR, Web PubSub, and
  Synapse workspace read the connections already embedded in the parent's
  properties (no extra API call).
- AKS cluster fetches them through the dedicated
  PrivateEndpointConnectionsClient, tolerating 404/403 as "none".
- API Management exposes the full typed list; its
  `privateEndpointConnectionCount` is deprecated in favor of it.

A shared helper (`private_endpoint_connections.go`) normalizes any SDK
connection type through a dict, since they all share the same JSON shape,
and gives the nested connection-state a derived id to avoid cache
collisions.

Managed identity — IoT Hub gains identityType, principalId, tenantId,
and userAssignedIdentities; API Management gains principalId, tenantId,
and userAssignedIdentities. Customer-managed-key encryption was
evaluated and is not exposed by either SDK, so it was not modeled.

Provenance — Purview account gains `systemMetadata()`, adding the ARM
last-modified provenance its bespoke createdAt/createdBy fields lack.

No new provider permissions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@mondoo-code-review mondoo-code-review Bot left a comment

Adds private endpoint connections, identity fields, and system metadata across Azure resources with a well-designed shared helper, but has a caching bug when connection IDs are missing.

Comment on lines +49 to +53
id, _ := dict["id"].(string)
args := map[string]*llx.RawData{
"__id": llx.StringData(id),
"id": llx.StringData(id),
}

🟡 warning — If dict["id"] is missing or not a string, id will be "" and __id will be set to an empty string. Multiple ID-less connections would collide in the resource cache, silently returning stale data. Consider returning nil, nil (skip the entry) or generating a synthetic __id from the entry index when id is empty:

id, _ := dict["id"].(string)
if id == "" {
    return nil, nil
}

Comment on lines +91 to +92
"__id": llx.StringData(id + "/privateLinkServiceConnectionState"),
}

🔵 suggestion — When the parent id is empty (see finding above), the __id for the connection-state sub-resource becomes just "/privateLinkServiceConnectionState", which would also collide across entries. This is a consequence of the empty-id issue above — fixing that fixes this too.
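The cache-key collision the review bot describes, together with the index-based fallback it suggests, as an added Go example that is not the PR's own code: `Conn` is a constructed stand-in for the SDK connection types, the JSON round-trip stands in for `convert.JsonToDict`, and the `/_<index>` synthetic id scheme is an assumption, not what the provider ships.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed SDK-like type; a raw map with the same JSON shape takes the same path.
type Conn struct {
	ID    string `json:"id,omitempty"`
	State string `json:"privateLinkServiceConnectionState,omitempty"`
}

// deriveIDs returns the __id cache keys for a connection and its nested
// connection-state. An empty SDK id falls back to parent id + entry index,
// so ID-less entries no longer collide on "" as the review bot warned.
func deriveIDs(parentID string, idx int, dict map[string]any) (string, string) {
	id, _ := dict["id"].(string)
	if id == "" {
		id = fmt.Sprintf("%s/privateEndpointConnections/_%d", parentID, idx)
	}
	return id, id + "/privateLinkServiceConnectionState"
}

// cacheKeys normalizes a list of SDK connections into their __id values and
// fails on the first duplicate, so a collision is reported rather than cached.
func cacheKeys(parentID string, conns []any) ([]string, error) {
	seen, keys := map[string]bool{}, []string{}
	for i, c := range conns {
		// JSON round-trip normalizes any SDK type (stand-in for convert.JsonToDict).
		raw, err := json.Marshal(c)
		if err != nil {
			return nil, err
		}
		var dict map[string]any
		if err := json.Unmarshal(raw, &dict); err != nil {
			return nil, err
		}
		connID, stateID := deriveIDs(parentID, i, dict)
		for _, k := range []string{connID, stateID} {
			if seen[k] {
				return nil, fmt.Errorf("cache key collision: %q", k)
			}
			seen[k] = true
			keys = append(keys, k)
		}
	}
	return keys, nil
}
```

Without the fallback the two ID-less entries in the test below would both key on "" (and both nested states on "/privateLinkServiceConnectionState"), which is exactly the silent stale-data case the bot flagged.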

github-actions Bot commented Jul 2, 2026

Test Results

11 253 tests  ±0   11 246 ✅ ±0   3m 25s ⏱️ - 1m 56s
   546 suites ±0        7 💤 ±0 
    40 files   ±0        0 ❌ ±0 

Results for commit 543e678. ± Comparison against base commit 3be57ed.
