From e0f90685623bb97da29852ccb397f5daecff1939 Mon Sep 17 00:00:00 2001 From: Sebastian Graef Date: Sat, 2 Mar 2024 12:37:10 +1000 Subject: [PATCH 1/7] Refactor role assignment filtering in Get-RoleAssignmentList.ps1 --- utilities/tools/Get-RoleAssignmentList.ps1 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/utilities/tools/Get-RoleAssignmentList.ps1 b/utilities/tools/Get-RoleAssignmentList.ps1 index a4d1da43bc..1b42022b4c 100644 --- a/utilities/tools/Get-RoleAssignmentList.ps1 +++ b/utilities/tools/Get-RoleAssignmentList.ps1 @@ -62,14 +62,17 @@ function Get-RoleAssignmentList { $relevantRoles += $roleDefinitions | Where-Object { $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or $_.Actions -like "$ProviderNamespace/`**" -or - $_.Actions -like '`**' + $_.Id -eq 'b24988ac-6180-42a0-ab88-20f7382dd24c' -or # Contributor + $_.Id -eq '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' -or # Owner + $_.Id -eq 'acdd72a7-3385-48ef-bd42-f606fba81ae7' -or # Reader + $_.Id -eq 'f58310d9-a9f6-439a-9e8d-f62e7b41a168' -or # Role Based Access Control Administrator + $_.Id -eq '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' # User Access Administrator } # Filter Data Action based $relevantRoles += $roleDefinitions | Where-Object { $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or - $_.DataActions -like "$ProviderNamespace/`**" -or - $_.DataActions -like '`**' + $_.DataActions -like "$ProviderNamespace/`**" } } From a881985cc6dd8d248ef8411269593b09d8e67e19 Mon Sep 17 00:00:00 2001 From: Sebastian Graef Date: Sat, 2 Mar 2024 12:47:22 +1000 Subject: [PATCH 2/7] fmt --- utilities/tools/Get-RoleAssignmentList.ps1 | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/utilities/tools/Get-RoleAssignmentList.ps1 b/utilities/tools/Get-RoleAssignmentList.ps1 index 1b42022b4c..b3bf3601a1 100644 --- a/utilities/tools/Get-RoleAssignmentList.ps1 +++ b/utilities/tools/Get-RoleAssignmentList.ps1 
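Review bot: The backtick in the added `$_.DataActions -like "$ProviderNamespace/`**"` (and in its `$_.Actions` twin kept as context above it) is inert, because inside a double-quoted PowerShell string `` `* `` is not an escape sequence and collapses to `*`, so the pattern reaching `-like` is `Microsoft.KeyVault/**` and matches every action under the namespace rather than only a literal `Microsoft.KeyVault/*` entry. That makes the `"$ProviderNamespace/$ResourceType/*"` test on the preceding line redundant and quietly widens 'relevant' to roles of sibling resource types in the same namespace, which may or may not be what the new hard-coded general-role list was meant to sit next to. If a literal `*` is intended, double the backtick so one survives into the wildcard pattern, `$_.DataActions -like "$ProviderNamespace/``**"`, or build it in single quotes, `$_.DataActions -like ('{0}/`**' -f $ProviderNamespace)`. The same pattern lines are added again in both branches of the later `-All` hunk (PATCH 3), and Get-RoleAssignmentList continues outside this hunk on both sides.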
@@ -57,11 +57,13 @@ function Get-RoleAssignmentList { if ("$ProviderNamespace/$ResourceType" -eq 'Microsoft.Authorization/RoleAssignments') { # No filter $relevantRoles = $roleDefinitions - } else { + } + else { # Filter Action based $relevantRoles += $roleDefinitions | Where-Object { $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or $_.Actions -like "$ProviderNamespace/`**" -or + # Leave general roles (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#general) $_.Id -eq 'b24988ac-6180-42a0-ab88-20f7382dd24c' -or # Contributor $_.Id -eq '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' -or # Owner $_.Id -eq 'acdd72a7-3385-48ef-bd42-f606fba81ae7' -or # Reader @@ -83,17 +85,20 @@ function Get-RoleAssignmentList { foreach ($role in $relevantRoles | Sort-Object -Property 'Name' -Unique) { if ($role.Name -match '\s') { $resBicep += "'{0}': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')" -f $role.Name, $role.Id - } else { + } + else { $resBicep += "{0}: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')" -f $role.Name, $role.Id } $resArm += "`"{0}`": `"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')]`"," -f $role.Name, $role.Id } - } else { + } + else { # different output format for the 'Microsoft.Authorization/RoleAssignments' module foreach ($role in $relevantRoles | Sort-Object -Property 'Name' -Unique) { if ($role.Name -match '\s') { $resBicep += "'{0}': '/providers/Microsoft.Authorization/roleDefinitions/{1}'" -f $role.Name, $role.Id - } else { + } + else { $resBicep += "{0}: '/providers/Microsoft.Authorization/roleDefinitions/{1}'" -f $role.Name, $role.Id } $resArm += "`"{0}`": `"/providers/Microsoft.Authorization/roleDefinitions/{1}`"" -f $role.Name, $role.Id From f430b63ac704957d6a69194cd3b5798169a11d6a Mon Sep 17 00:00:00 2001 
From: Sebastian Graef Date: Sat, 2 Mar 2024 21:23:51 +1000 Subject: [PATCH 3/7] Add optional parameter to fetch all available roles --- utilities/tools/Get-RoleAssignmentList.ps1 | 106 ++++++++++++--------- 1 file changed, 61 insertions(+), 45 deletions(-) diff --git a/utilities/tools/Get-RoleAssignmentList.ps1 b/utilities/tools/Get-RoleAssignmentList.ps1 index b3bf3601a1..5129fb2435 100644 --- a/utilities/tools/Get-RoleAssignmentList.ps1 +++ b/utilities/tools/Get-RoleAssignmentList.ps1 @@ -15,6 +15,9 @@ Optional. The ResourceType to fetch the role definitions for .PARAMETER IncludeCustomRoles Optional. Whether to include custom roles or not +.PARAMETER All +Optional. Fetch all available roles. By default it only fetches the relevant roles + .EXAMPLE Get-RoleAssignmentList -ProviderNamespace 'Microsoft.KeyVault' -ResourceType 'vaults' @@ -31,7 +34,10 @@ function Get-RoleAssignmentList { [string] $ResourceType, [Parameter(Mandatory = $false)] - [switch] $IncludeCustomRoles + [switch] $IncludeCustomRoles, + + [Parameter(Mandatory = $false)] + [switch] $All ) begin { 
@@ -60,59 +66,69 @@ function Get-RoleAssignmentList { } else { # Filter Action based - $relevantRoles += $roleDefinitions | Where-Object { - $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or - $_.Actions -like "$ProviderNamespace/`**" -or - # Leave general roles (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#general) - $_.Id -eq 'b24988ac-6180-42a0-ab88-20f7382dd24c' -or # Contributor - $_.Id -eq '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' -or # Owner - $_.Id -eq 'acdd72a7-3385-48ef-bd42-f606fba81ae7' -or # Reader - $_.Id -eq 'f58310d9-a9f6-439a-9e8d-f62e7b41a168' -or # Role Based Access Control Administrator - $_.Id -eq '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' # User Access Administrator + if ($All) { + $relevantRoles += $roleDefinitions | Where-Object { + $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or + $_.Actions -like "$ProviderNamespace/`**" -or + $_.Actions -like '`**' -or + $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or + $_.DataActions -like "$ProviderNamespace/`**" -or + $_.DataActions -like '`**' + Write-Debug "Actions: ALL" + } } - - # Filter Data Action based - $relevantRoles += $roleDefinitions | Where-Object { - $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or - $_.DataActions -like "$ProviderNamespace/`**" + else { + $relevantRoles += $roleDefinitions | Where-Object { + $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or + $_.Actions -like "$ProviderNamespace/`**" -or + $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or + $_.DataActions -like "$ProviderNamespace/`**" -or + # Leave general roles (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#general) + $_.Id -eq 'b24988ac-6180-42a0-ab88-20f7382dd24c' -or # Contributor + $_.Id -eq '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' -or # Owner + $_.Id -eq 'acdd72a7-3385-48ef-bd42-f606fba81ae7' -or # Reader + $_.Id -eq 'f58310d9-a9f6-439a-9e8d-f62e7b41a168' -or # Role Based Access Control 
Administrator + $_.Id -eq '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' # User Access Administrator + Write-Debug "Actions: Default" + } } - } - # (Bicep-only) To comply with Bicep Linter Rule prefer-unquoted-property-names, remove quotes from role names not containing spaces - $resBicep = [System.Collections.ArrayList]@() - $resArm = [System.Collections.ArrayList]@() - if ("$ProviderNamespace/$ResourceType" -ne 'Microsoft.Authorization/RoleAssignments') { - foreach ($role in $relevantRoles | Sort-Object -Property 'Name' -Unique) { - if ($role.Name -match '\s') { - $resBicep += "'{0}': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')" -f $role.Name, $role.Id - } - else { - $resBicep += "{0}: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')" -f $role.Name, $role.Id + # (Bicep-only) To comply with Bicep Linter Rule prefer-unquoted-property-names, remove quotes from role names not containing spaces + $resBicep = [System.Collections.ArrayList]@() + $resArm = [System.Collections.ArrayList]@() + if ("$ProviderNamespace/$ResourceType" -ne 'Microsoft.Authorization/RoleAssignments') { + foreach ($role in $relevantRoles | Sort-Object -Property 'Name' -Unique) { + if ($role.Name -match '\s') { + $resBicep += "'{0}': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')" -f $role.Name, $role.Id + } + else { + $resBicep += "{0}: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')" -f $role.Name, $role.Id + } + $resArm += "`"{0}`": `"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')]`"," -f $role.Name, $role.Id } - $resArm += "`"{0}`": `"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')]`"," -f $role.Name, $role.Id } - } - else { - # different output format for the 'Microsoft.Authorization/RoleAssignments' module - foreach ($role in $relevantRoles | Sort-Object -Property 'Name' -Unique) { - if ($role.Name -match '\s') { - $resBicep += "'{0}': 
'/providers/Microsoft.Authorization/roleDefinitions/{1}'" -f $role.Name, $role.Id + else { + # different output format for the 'Microsoft.Authorization/RoleAssignments' module + foreach ($role in $relevantRoles | Sort-Object -Property 'Name' -Unique) { + if ($role.Name -match '\s') { + $resBicep += "'{0}': '/providers/Microsoft.Authorization/roleDefinitions/{1}'" -f $role.Name, $role.Id + } + else { + $resBicep += "{0}: '/providers/Microsoft.Authorization/roleDefinitions/{1}'" -f $role.Name, $role.Id + } + $resArm += "`"{0}`": `"/providers/Microsoft.Authorization/roleDefinitions/{1}`"" -f $role.Name, $role.Id } - else { - $resBicep += "{0}: '/providers/Microsoft.Authorization/roleDefinitions/{1}'" -f $role.Name, $role.Id - } - $resArm += "`"{0}`": `"/providers/Microsoft.Authorization/roleDefinitions/{1}`"" -f $role.Name, $role.Id } - } - # Return arrays - return @{ - bicepFormat = $resBicep - armFormat = $resArm + # Return arrays + return @{ + bicepFormat = $resBicep + armFormat = $resArm + } } - } - end { - Write-Debug ('{0} exited' -f $MyInvocation.MyCommand) + end { + Write-Debug ('{0} exited' -f $MyInvocation.MyCommand) + } } } From 71caff2ae20d18ab8865dd5f59e1a8fccbd1a396 Mon Sep 17 00:00:00 2001 From: Sebastian Graef Date: Sat, 2 Mar 2024 21:25:57 +1000 Subject: [PATCH 4/7] Refactor Get-RoleAssignmentList.ps1 to fetch relevant Role Definitions by default --- utilities/tools/Get-RoleAssignmentList.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utilities/tools/Get-RoleAssignmentList.ps1 b/utilities/tools/Get-RoleAssignmentList.ps1 index 5129fb2435..1e30c78940 100644 --- a/utilities/tools/Get-RoleAssignmentList.ps1 +++ b/utilities/tools/Get-RoleAssignmentList.ps1 
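Review bot: The `if ($All)` and `else` filters added here restate the same four namespace patterns and differ only in the two catch-all `'`**'` lines versus the five hard-coded general-role IDs, so the next change to the namespace matching has to be made twice. Consider a single `Where-Object` with the shared patterns and one `-or` term switched by `$All`, with the IDs held in a named list next to their role names; a sketch follows. Separately, the hunk drops the `}` that closed the outer `else` after the DataActions filter and re-adds everything down to `end {` as new lines, so in this rendering the Bicep/ARM formatting and `return` read as if they now sit inside that `else`, which would leave the 'Microsoft.Authorization/RoleAssignments' path returning nothing. If that is only a re-indent the nesting is fine, but please confirm it, and keep whole-function reformatting in its own commit so the `-All` change stays reviewable. Get-RoleAssignmentList starts before the hunk.
```powershell
# … unchanged: 'Microsoft.Authorization/RoleAssignments' no-filter branch …
else {
  # Built-in 'general' roles kept regardless of namespace
  # (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#general)
  $generalRoleIds = @(
    'b24988ac-6180-42a0-ab88-20f7382dd24c' # Contributor
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' # Owner
    'acdd72a7-3385-48ef-bd42-f606fba81ae7' # Reader
    'f58310d9-a9f6-439a-9e8d-f62e7b41a168' # Role Based Access Control Administrator
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' # User Access Administrator
  )
  $relevantRoles += $roleDefinitions | Where-Object {
    $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
    $_.Actions -like "$ProviderNamespace/`**" -or
    $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or
    $_.DataActions -like "$ProviderNamespace/`**" -or
    # -All widens to any role whose actions start with '*'; otherwise keep only the general roles
    ($All -and ($_.Actions -like '`**' -or $_.DataActions -like '`**')) -or
    (-not $All -and $_.Id -in $generalRoleIds)
  }
}
# … unchanged: Bicep/ARM output formatting and return …
```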
@@ -1,9 +1,9 @@ <# .SYNOPSIS -Fetch all available Role Definitions for the given ProviderNamespace +Fetch relevant Role Definitions for the given ProviderNamespace .DESCRIPTION -Fetch all available Role Definitions for the given ProviderNamespace +Fetch relevant Role Definitions for the given ProviderNamespace by default. Optionally, you can fetch all available roles or include custom roles as well. Leverges Microsoft Docs's [https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-8.3.0] to fetch the data .PARAMETER ProviderNamespace From 962b2227289d3d1498c084af98304788aab9e7f4 Mon Sep 17 00:00:00 2001 From: Sebastian Graef Date: Sat, 2 Mar 2024 21:28:08 +1000 Subject: [PATCH 5/7] Remove unnecessary debug statements in Get-RoleAssignmentList.ps1 --- utilities/tools/Get-RoleAssignmentList.ps1 | 2 -- 1 file changed, 2 deletions(-) diff --git a/utilities/tools/Get-RoleAssignmentList.ps1 b/utilities/tools/Get-RoleAssignmentList.ps1 index 1e30c78940..f61253ac05 100644 --- a/utilities/tools/Get-RoleAssignmentList.ps1 +++ b/utilities/tools/Get-RoleAssignmentList.ps1 @@ -74,7 +74,6 @@ function Get-RoleAssignmentList { $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or $_.DataActions -like "$ProviderNamespace/`**" -or $_.DataActions -like '`**' - Write-Debug "Actions: ALL" } } else { @@ -89,7 +88,6 @@ function Get-RoleAssignmentList { $_.Id -eq 'acdd72a7-3385-48ef-bd42-f606fba81ae7' -or # Reader $_.Id -eq 'f58310d9-a9f6-439a-9e8d-f62e7b41a168' -or # Role Based Access Control Administrator $_.Id -eq '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' # User Access Administrator - Write-Debug "Actions: Default" } } From ec7f8e3f96d4375a7168ae00e2b69e787ade7cb5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sebastian=20Gr=C3=A4f?= Date: Mon, 4 Mar 2024 08:54:22 +1000 Subject: [PATCH 6/7] Update utilities/tools/Get-RoleAssignmentList.ps1 Co-authored-by: Alexander Sehr --- utilities/tools/Get-RoleAssignmentList.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utilities/tools/Get-RoleAssignmentList.ps1 b/utilities/tools/Get-RoleAssignmentList.ps1 index f61253ac05..5893c2cc18 100644 --- a/utilities/tools/Get-RoleAssignmentList.ps1 +++ b/utilities/tools/Get-RoleAssignmentList.ps1 @@ -3,7 +3,7 @@ Fetch relevant Role Definitions for the given ProviderNamespace .DESCRIPTION -Fetch relevant Role Definitions for the given ProviderNamespace by default. Optionally, you can fetch all available roles or include custom roles as well. +Fetch relevant Role Definitions for the given ProviderNamespace by default. Optionally, you can fetch all available roles or include custom roles as well. 'Relevant' roles include the most common roles (e.g., Reader, Owner, etc.), as well as those that tie directly into the targeted resource type (e.g., a `Key Vault Secrets Reader` for a Key Vault). Leverges Microsoft Docs's [https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-8.3.0] to fetch the data .PARAMETER ProviderNamespace From db267341bad41ceb183acbae38255590fb499fe3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Gr=C3=A4f?= Date: Mon, 4 Mar 2024 08:54:28 +1000 Subject: [PATCH 7/7] Update utilities/tools/Get-RoleAssignmentList.ps1 Co-authored-by: Alexander Sehr --- utilities/tools/Get-RoleAssignmentList.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utilities/tools/Get-RoleAssignmentList.ps1 b/utilities/tools/Get-RoleAssignmentList.ps1 index 5893c2cc18..3f5d7b209b 100644 --- a/utilities/tools/Get-RoleAssignmentList.ps1 +++ b/utilities/tools/Get-RoleAssignmentList.ps1 
@@ -16,7 +16,7 @@ Optional. The ResourceType to fetch the role definitions for Optional. Whether to include custom roles or not .PARAMETER All -Optional. Fetch all available roles. By default it only fetches the relevant roles +Optional. Fetch all available roles that can be applied to the given Resource Type. By default it only fetches the relevant roles. .EXAMPLE Get-RoleAssignmentList -ProviderNamespace 'Microsoft.KeyVault' -ResourceType 'vaults'
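Review bot: The new `.PARAMETER All` text says the switch fetches all roles "that can be applied to the given Resource Type", but the `-All` branch added in PATCH 3 matches on the `$ProviderNamespace/` prefix and on actions starting with `*`, i.e. namespace-wide roles plus roles that act on every resource, not roles scoped to the resource type. Either describe what the filter does, e.g. `Optional. Fetch all roles with an action under the given ProviderNamespace, plus roles whose actions cover all resources ('*'). By default only the relevant roles are returned.`, or tighten the filter to the resource type so the two agree. Since these names end up in a module's role-name map, a precise statement of which broad roles are included is worth the extra words.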