microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License

Support for `unifiedRoleAssignment` for different RBAC providers #123

Open MartinM85 opened 1 month ago

MartinM85 commented 1 month ago

Is your feature request related to a problem? Please describe.

I'm trying to add a new resource `unifiedRoleAssignment`, but there are several issues.

1. Resource is under more than one URI

   The resource `unifiedRoleAssignment` represents a role assignment, but the type is returned by more than one RBAC provider. All these endpoints return `unifiedRoleAssignment`:

   - /roleManagement/directory/roleAssignments
   - /roleManagement/entitlementManagement/roleAssignments
   - /roleManagement/exchange/roleAssignments (beta only)

   Now, it's possible to specify only one `RootUri`.

   ```yaml
   - Name: microsoft.graph.unifiedRoleAssignment
     RootUri: /roleManagement/directory/roleAssignments
     AvailableProperty:
       - appScopeId
       - directoryScopeId
       - principalId
       - roleDefinitionId
     RequiredOnWrite:
       - appScopeId
       - directoryScopeId
       - principalId
       - roleDefinitionId
   ```

2. Wrong path generated

   Generated path for

   ```yaml
   - Name: microsoft.graph.unifiedRoleAssignment
     RootUri: /roleManagement/directory/roleAssignments
     AvailableProperty:
       - appScopeId
       - directoryScopeId
       - principalId
       - roleDefinitionId
     RequiredOnWrite:
       - appScopeId
       - directoryScopeId
       - principalId
       - roleDefinitionId
   ```

   Generated path is `/{rootScope}/providers/Microsoft.Graph/directory/{directoryId}/roleAssignments/{unifiedRoleAssignmentId}`, which seems to me wrong. It should be `/{rootScope}/providers/Microsoft.Graph/roleManagement/directory/roleAssignments/{unifiedRoleAssignmentId}/`.

Describe the solution you'd like

Maybe add a new property `EntityType`. Config.yml can contain the same `EntityType` but with different combinations of `Name` and `RootUri`:

```yaml
- Name: microsoft.graph.entraRoleAssignment
  EntityType: microsoft.graph.unifiedRoleAssignment
  RootUri: /roleManagement/directory/roleAssignments
- Name: microsoft.graph.exchangeRoleAssignment
  EntityType: microsoft.graph.unifiedRoleAssignment
  RootUri: /roleManagement/exchange/roleAssignments
```

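The path derivation the issue author expects, together with the proposed `Name`/`RootUri`/`EntityType` layout, sketched as an added Python example (this is not code from the msgraph-bicep-types generator; the `/{rootScope}/providers/Microsoft.Graph` prefix, the id-placeholder rule, and the `TypeEntry`/`validate` helpers are assumptions). The sample entries are constructed to mirror the proposal above.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed Bicep path prefix, taken from the path quoted in the issue.
BICEP_PREFIX = "/{rootScope}/providers/Microsoft.Graph"

@dataclass
class TypeEntry:                       # one config.yml entry (assumed shape)
    name: str                          # "Name": Bicep type name
    root_uri: str                      # "RootUri": Graph REST path
    entity_type: Optional[str] = None  # proposed "EntityType"; defaults to Name
    available: tuple = ()              # "AvailableProperty"
    required_on_write: tuple = ()      # "RequiredOnWrite"

def id_placeholder(entity_type: str) -> str:
    # "microsoft.graph.unifiedRoleAssignment" -> "{unifiedRoleAssignmentId}"
    return "{" + entity_type.rsplit(".", 1)[-1] + "Id}"

def bicep_path(entry: TypeEntry) -> str:
    # Assumption: RootUri is appended verbatim (no segment dropped or turned
    # into a nested "{directoryId}" key), followed by the entity id placeholder.
    entity = entry.entity_type or entry.name
    return f"{BICEP_PREFIX}{entry.root_uri}/{id_placeholder(entity)}"

def validate(entries) -> list:
    """Report duplicate Name, duplicate RootUri, and RequiredOnWrite properties
    missing from AvailableProperty. A repeated EntityType is allowed by design."""
    problems, seen_names, seen_uris = [], set(), set()
    for e in entries:
        if e.name in seen_names:
            problems.append(f"duplicate Name: {e.name}")
        if e.root_uri in seen_uris:
            problems.append(f"duplicate RootUri: {e.root_uri}")
        seen_names.add(e.name)
        seen_uris.add(e.root_uri)
        for prop in e.required_on_write:
            if prop not in e.available:
                problems.append(f"{e.name}: RequiredOnWrite {prop} not in AvailableProperty")
    return problems

# Constructed sample mirroring the proposal in the issue (not a real config.yml).
PROPS = ("appScopeId", "directoryScopeId", "principalId", "roleDefinitionId")
SAMPLE = [
    TypeEntry("microsoft.graph.entraRoleAssignment",
              "/roleManagement/directory/roleAssignments",
              "microsoft.graph.unifiedRoleAssignment", PROPS, PROPS),
    TypeEntry("microsoft.graph.exchangeRoleAssignment",
              "/roleManagement/exchange/roleAssignments",
              "microsoft.graph.unifiedRoleAssignment", PROPS, PROPS),
]
```

Both sample entries resolve to the `/roleManagement/...` form the author expects, and `validate` only flags a config that reuses a `Name` or `RootUri`, not one that reuses an `EntityType`.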

dkershaw10 commented 1 month ago

@MartinM85 It looks like you are trying to add a new Bicep type for unifiedRoleAssignments? As you point out, there could be changes required to configure the Bicep type generation, for this case - so thank you for pointing this out!

However, doing this is probably moot at this point. Unfortunately Graph is not the same as Azure APIs, which can be automatically onboarded, as they have the correct signature for declarative IaC. Existing Microsoft Graph APIs do not have this. To onboard new types to Graph Bicep, we need updates to the underlying Graph REST APIs to support tracked resources (client provided keys) and deployment repeatability. This is the reason why we have a small number of supported Bicep types currently.

This is also why we have an explicit issue type that you can use to request support for a Graph Bicep type that is not currently supported - just like you did for #121. We can use this to help prioritize underlying API service teams to make the changes so their resource types can be supported in Bicep.

SimonRousingBerg commented 2 weeks ago

I think this would help solve some issues in the future.

dkershaw10 commented 2 weeks ago

Thanks @SimonRousingBerg - please vote for this by clicking on the thumbs-up in the original post.