Custom resource for Azure PIM role management policies

[thomas11]

About

This PR adds support for Role Management Policies, part of Privileged Identity Management (PIM) in the Microsoft.Authentication namespace. It's one part of #2455.

Note that this is about the ARM part of PIM; there's also a Microsoft Graph API part which is not covered by this provider.

This resource wasn't automatically included because it supports only GET and PATCH. The policies are singletons that cannot be created or deleted, only modified via PATCH.

Implementation

Role Management Policies essentially consist of a name which is actually a GUID, and a list of ~20 rules.

Using our existing singleton support defaults.GetDefaultResourceState was tricky because

1. there are many policies with many rules, for a total of ~300k lines of JSON for a subscription scope, and there are more scopes, plus
2. I believe the defaults can vary per scope and possibly also per customer.

So instead, I've implemented a custom resource that captures the original state of a policy when it's first "created", i.e., added to Pulumi state. When a rule or the whole policy is removed from Pulumi, we look up the original state and re-apply it.

Testing

The e2e/integration test for this resource is special because using PIM requires a paid Entra ID P2 license. We have one that you can see here.

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.

New resources:

• authorization.RoleManagementPolicy

New functions:

• authorization.getRoleManagementPolicy

[codecov]

Codecov Report

Attention: Patch coverage is 65.75342% with 75 lines in your changes missing coverage. Please review.

Project coverage is 57.24%. Comparing base (84b62e5) to head (4546aa8).

Files with missing lines	Patch %	Lines
...ovider/pkg/resources/customresources/custom_pim.go	67.88%	36 Missing and 8 partials ⚠️
provider/pkg/provider/crud/crud.go	22.22%	7 Missing ⚠️
provider/pkg/openapi/discover.go	0.00%	5 Missing and 1 partial ⚠️
provider/pkg/provider/provider.go	85.36%	4 Missing and 2 partials ⚠️
...r/pkg/resources/customresources/customresources.go	62.50%	2 Missing and 1 partial ⚠️
...r/pkg/resources/customresources/custom_keyvault.go	0.00%	0 Missing and 2 partials ⚠️
...ources/customresources/custom_keyvault_autorest.go	0.00%	2 Missing ⚠️
...er/pkg/resources/customresources/custom_storage.go	0.00%	2 Missing ⚠️
...es/customresources/custom_keyvault_accesspolicy.go	0.00%	1 Missing ⚠️
...esources/customresources/custom_postgres_config.go	0.00%	0 Missing and 1 partial ⚠️
... and 1 more

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3663      +/-   ##
==========================================
+ Coverage   57.02%   57.24%   +0.21%     
==========================================
  Files          79       80       +1     
  Lines       12548    12732     +184     
==========================================
+ Hits         7156     7288     +132     
- Misses       4841     4884      +43     
- Partials      551      560       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[danielrbradley]

So it seems we were previously assuming all custom resources have Read but now we're guarding in case it's nil? If it's nil (the resource doesn't override Read), should be be using the default Read implementation instead (like any other resource derived from the specs)?