microsoft / PSRule

Validate infrastructure as code (IaC) and objects using PowerShell rules.
https://microsoft.github.io/PSRule/v2/
MIT License

PSRule 'Microsoft.Authorization/roleAssignments' is missing type 'properties.principalType' #1819

Open lassehastrup opened 3 months ago

lassehastrup commented 3 months ago

Description of the issue

Using a custom rule of type 'Microsoft.Authorization/roleAssignments' with a condition that specifies that the field 'properties.principalType' should be equal to 'xyz', we receive an error that the property does not exist.

However, when specifying the 'properties.PrincipalType' in a bicep file, and running the custom rule, everything works as expected. So it seems to only be an issue when the bicep property is not set.

To Reproduce

Steps to reproduce the issue:

PSRule rule:

---
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
recommend: "roleAssignments principalType should be set to ServicePrincipal or Group."
metadata:
  name: "Local.YAML.roleAssignments.principalType"
spec:
  type:
    - Microsoft.Authorization/roleAssignments
  condition:
    anyOf:
      - field: 'properties.principalType'
        equals: 'c3666e92-27d3-4fa3-bfa3-38ddd4d57559'

Bicep file:

param PrincipalObjectId string

resource roleAssignmentPatchManagement 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('7a2fd238-abbc-4cd9-b22b-09391bef7bbb')
  properties: {
    principalId: PrincipalObjectId
    roleDefinitionId: guid('b24988ac-6180-42a0-ab88-20f7382dd24c')
  }
}

Error output

Reason:
  - Path properties.principalType: The field 'properties.principalType' does not exist.

When adding the properties.PrincipalType to the bicep file:

param PrincipalObjectId string
resource roleAssignmentPatchManagement 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid('7a2fd238-abbc-4cd9-b22b-09391bef7bbb')
  properties: {
    principalId: PrincipalObjectId
    roleDefinitionId: guid('b24988ac-6180-42a0-ab88-20f7382dd24c')
    principalType: 'ServicePrincipal'
  }
}

Everything works as expected.

Expected behaviour

As the property clearly exists in bicep, and is working as expected in ARM, we had hoped that PSRule would process the property correctly even when the property is not set in the bicep file.

Module in use and version:

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Darwin 23.4.0 Darwin Kernel Version 23.4.0: Fri Mar 15 00:10:42 PDT 2024; root:xnu-10063.101.17~1/RELEASE_ARM64_T6000
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context

BernieWhite commented 3 months ago

@lassehastrup Thanks for reporting the issue. Let me see if I understand the issue correctly.

Have I understood the issue correctly?

lassehastrup commented 3 months ago

Hi @BernieWhite ,

The default value of properties.principalType is 'user' according to this documentation:

https://learn.microsoft.com/en-us/rest/api/authorization/role-assignments/create-by-id?view=rest-authorization-2022-04-01&tabs=HTTP#roleassignment

You understood the issue correctly.
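As an added example (not code from the issue or from the PSRule project), two YAML rules that make the absent-field case explicit instead of tripping over the missing path: a strict rule that requires principalType to be set, and a lenient one that tolerates omission because the API defaults it to User, as noted above. Rule names and recommendation text are assumptions.

```yaml
---
# Synopsis: Role assignments must set principalType explicitly to ServicePrincipal or Group.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: 'Local.YAML.roleAssignments.principalTypeExplicit'   # assumed name
spec:
  type:
    - Microsoft.Authorization/roleAssignments
  recommend: 'Set properties.principalType to ServicePrincipal or Group. When omitted, the API defaults it to User.'
  condition:
    allOf:
      # Check presence first, so a template that omits the field fails the rule
      # on purpose (an implicit User assignment) rather than on an unresolved path.
      - field: 'properties.principalType'
        exists: true
      - field: 'properties.principalType'
        in:
          - 'ServicePrincipal'
          - 'Group'

---
# Synopsis: When principalType is set it must be ServicePrincipal or Group; omitting it (API default User) is tolerated.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: 'Local.YAML.roleAssignments.principalTypeWhenSet'   # assumed name
spec:
  type:
    - Microsoft.Authorization/roleAssignments
  recommend: 'If properties.principalType is set, use ServicePrincipal or Group.'
  condition:
    anyOf:
      # Branch 1: field absent, which the API treats as principalType = User.
      - field: 'properties.principalType'
        exists: false
      # Branch 2: field present and one of the allowed values.
      # A template that sets principalType: 'User' fails both branches.
      - field: 'properties.principalType'
        in:
          - 'ServicePrincipal'
          - 'Group'
```

Against the first bicep file above (no principalType), the strict rule fails and the lenient rule passes; against the second (principalType set to ServicePrincipal), both pass.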