⭐ azure: roll out private endpoint connections, identity, and provenance#8905
Open
tas50 wants to merge 1 commit into
Expand security context across several Azure resources with three verified additions. Each candidate was checked against its vendored SDK first, so resources whose SDK cannot populate a field were left alone.

Private endpoint connections — add a typed `privateEndpointConnections() []azure.subscription.privateEndpointConnection` accessor to resources that lacked one:
- Service Bus namespace, Event Hubs namespace, IoT Hub, Cognitive Services account, App Configuration store, SignalR, Web PubSub, and Synapse workspace read the connections already embedded in the parent's properties (no extra API call).
- AKS cluster fetches them through the dedicated PrivateEndpointConnectionsClient, tolerating 404/403 as "none".
- API Management exposes the full typed list; its `privateEndpointConnectionCount` is deprecated in favor of it.

A shared helper (`private_endpoint_connections.go`) normalizes any SDK connection type through a dict, since they all share the same JSON shape, and gives the nested connection-state a derived id to avoid cache collisions.

Managed identity — IoT Hub gains identityType, principalId, tenantId, and userAssignedIdentities; API Management gains principalId, tenantId, and userAssignedIdentities. Customer-managed-key encryption was evaluated and is not exposed by either SDK, so it was not modeled.

Provenance — Purview account gains `systemMetadata()`, adding the ARM last-modified provenance its bespoke createdAt/createdBy fields lack.

No new provider permissions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment on lines +49 to +53
| id, _ := dict["id"].(string) | ||
| args := map[string]*llx.RawData{ | ||
| "__id": llx.StringData(id), | ||
| "id": llx.StringData(id), | ||
| } |
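Review bot: the discarded result of the `dict["id"].(string)` assertion on the first line of this hunk means a missing or non-string id silently degrades to "" and is then used as `__id`, so every id-less entry lands on the same cache key and later lookups return whichever entry was cached first. Check the assertion result and decide explicitly what an id-less entry means: skip it, derive a synthetic `__id` from the parent id and entry index, or return an error so malformed SDK output fails loudly instead of being cached under "", e.g.
id, ok := dict["id"].(string)
if !ok || id == "" { return nil, fmt.Errorf("private endpoint connection without id") }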
🟡 warning — If dict["id"] is missing or not a string, id will be "" and __id will be set to an empty string. Multiple ID-less connections would collide in the resource cache, silently returning stale data. Consider returning nil, nil (skip the entry) or generating a synthetic __id from the entry index when id is empty:
id, _ := dict["id"].(string)
if id == "" {
return nil, nil
}
Comment on lines +91 to +92
| "__id": llx.StringData(id + "/privateLinkServiceConnectionState"), | ||
| } |
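Review bot: `id + "/privateLinkServiceConnectionState"` on the first line of this hunk derives the sub-resource key from the raw `id` without its own guard, so whenever `id` is "" every connection-state entry collapses onto the constant key "/privateLinkServiceConnectionState". Derive the suffix from the key the parent connection actually ended up cached under (its validated or synthetic `__id`) rather than from the raw `id`, so whatever handling is chosen for an empty parent id automatically covers the nested state as well.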
🔵 suggestion — When the parent id is empty (see finding above), the __id for the connection-state sub-resource becomes just "/privateLinkServiceConnectionState", which would also collide across entries. This is a consequence of the empty-id issue above — fixing that fixes this too.
What

Expands security context across several Azure resources with three verified additions. Every candidate was checked against its vendored SDK before any code was written, so resources whose SDK cannot populate a field were deliberately skipped rather than shipped with dead schema.

1. Private endpoint connections

Adds a typed `privateEndpointConnections() []azure.subscription.privateEndpointConnection` accessor to resources that lacked one:
- AKS cluster: fetched through the dedicated `PrivateEndpointConnectionsClient`, tolerating 404/403 as "no connections"
- API Management: `privateEndpointConnectionCount` is deprecated in favor of it

A shared helper (`private_endpoint_connections.go`) normalizes any SDK connection type through `convert.JsonToDict` — every Azure SDK models these with the same JSON shape, so one helper serves them all, including App Configuration's `PrivateEndpointConnectionReference` and API Management's `RemotePrivateEndpointConnectionWrapper`. The nested connection-state resource is given a derived `__id` to avoid empty-key cache collisions.

Skipped (SDK verified): Log Analytics workspace (no PEC type — only `PrivateLinkScopedResources`, already exposed); Machine Learning workspace and Purview account (already expose PE connections).

2. Managed identity

- IoT Hub: `identityType`, `principalId`, `tenantId`, `userAssignedIdentities` (previously modeled no identity at all).
- API Management: `principalId`, `tenantId`, `userAssignedIdentities` (`identityType` already present).

Skipped: customer-managed-key encryption — neither the IoT Hub nor the API Management SDK exposes it.

3. Provenance

- Purview account: `systemMetadata()`, surfacing the ARM last-modified provenance that its bespoke `createdAt`/`createdBy` fields don't carry.

Why

These are standard compliance controls — "is this resource reachable only through a private endpoint?", "what identity does it run as?", "who last modified it?" — that previously couldn't be queried on these services.

Notes

- No new provider permissions (`azure.permissions.json` unchanged at 242). Shape-A accessors read already-fetched properties; the AKS List call did not alter the extracted permission set.
- `.lr.versions` entries at `13.24.1` (next patch after the current provider version).

Verification

`make providers/build/azure` compiles the full module cleanly; codegen (`mqlr generate`) is consistent and generated accessors/setters are present.
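The description above explains the shared helper's design (round-trip any SDK connection type through JSON into a dict, then derive a cache key for the connection and its nested connection state), and the review finding shows where that breaks down: an entry without an id collapses onto the empty key. The following stand-alone Go program is an added illustration of that technique and of the fix the reviewer suggests; it is not the provider's `private_endpoint_connections.go`, does not use the project's `llx`/`convert` packages, and the SDK-style structs, the `ParentID` constant and the `unnamed-<index>` synthetic key format are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ParentID is a constructed ARM id for the owning resource (example value only).
const ParentID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Devices/IotHubs/hub"

// Hypothetical SDK-style types, constructed for this example. Each Azure SDK
// defines its own PrivateEndpointConnection struct, but they all serialize to
// this JSON shape, which is what lets one helper serve every SDK.
type sdkConnectionState struct {
	Status      *string `json:"status,omitempty"`
	Description *string `json:"description,omitempty"`
}

type sdkConnectionProps struct {
	PrivateLinkServiceConnectionState *sdkConnectionState `json:"privateLinkServiceConnectionState,omitempty"`
	ProvisioningState                 *string             `json:"provisioningState,omitempty"`
}

type sdkPrivateEndpointConnection struct {
	ID         *string             `json:"id,omitempty"`
	Name       *string             `json:"name,omitempty"`
	Properties *sdkConnectionProps `json:"properties,omitempty"`
}

// Connection is the normalized record. Key and StateKey stand in for the
// __id cache keys of the connection and its nested connection-state resource.
type Connection struct {
	Key      string
	ID       string
	Name     string
	Status   string
	StateKey string
}

func strp(s string) *string { return &s }

// jsonToDict round-trips any SDK value through JSON into a generic map, so the
// caller never depends on one SDK's Go type (stand-in for convert.JsonToDict).
func jsonToDict(v any) (map[string]any, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var dict map[string]any
	if err := json.Unmarshal(raw, &dict); err != nil {
		return nil, err
	}
	return dict, nil
}

// NormalizeConnections converts SDK connections of any type into Connection
// records. When an entry carries no usable id, the parent id and the entry
// index form a synthetic key, so id-less entries neither collide on "" nor
// silently vanish from the inventory. The state key is derived from the
// validated key, not the raw id, so the same guard covers the sub-resource.
func NormalizeConnections(parentID string, items []any) ([]Connection, error) {
	out := make([]Connection, 0, len(items))
	for i, item := range items {
		dict, err := jsonToDict(item)
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		id, _ := dict["id"].(string)
		key := id
		if key == "" {
			key = fmt.Sprintf("%s/privateEndpointConnections/unnamed-%d", parentID, i)
		}
		name, _ := dict["name"].(string)
		// Indexing a nil map is safe in Go, so missing properties yield an
		// empty status rather than a panic.
		props, _ := dict["properties"].(map[string]any)
		state, _ := props["privateLinkServiceConnectionState"].(map[string]any)
		status, _ := state["status"].(string)
		out = append(out, Connection{
			Key: key, ID: id, Name: name, Status: status,
			StateKey: key + "/privateLinkServiceConnectionState",
		})
	}
	return out, nil
}

// UniqueKeys reports whether every connection and state key in the batch is
// distinct, i.e. whether it could be cached without collisions.
func UniqueKeys(conns []Connection) bool {
	seen := make(map[string]bool, 2*len(conns))
	for _, c := range conns {
		if seen[c.Key] || seen[c.StateKey] {
			return false
		}
		seen[c.Key], seen[c.StateKey] = true, true
	}
	return true
}

// SampleInput is a constructed batch: one well-formed entry plus two entries
// the SDK returned without an id.
func SampleInput() []any {
	return []any{
		sdkPrivateEndpointConnection{
			ID:   strp(ParentID + "/privateEndpointConnections/pec-1"),
			Name: strp("pec-1"),
			Properties: &sdkConnectionProps{
				PrivateLinkServiceConnectionState: &sdkConnectionState{Status: strp("Approved")},
			},
		},
		sdkPrivateEndpointConnection{Name: strp("pec-no-id-a")},
		sdkPrivateEndpointConnection{Name: strp("pec-no-id-b"), Properties: &sdkConnectionProps{}},
	}
}

func main() {
	conns, err := NormalizeConnections(ParentID, SampleInput())
	if err != nil {
		panic(err)
	}
	for _, c := range conns {
		fmt.Printf("%-12s status=%-8q key=%s\n", c.Name, c.Status, c.Key)
	}
	fmt.Println("unique keys:", UniqueKeys(conns))
}
```

Because the synthetic key embeds the parent id, two different parents with id-less connections also stay apart; returning an error instead of synthesizing a key is the stricter alternative if the SDK is expected never to omit ids.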