AzurePIM

1.0.15183

functions/roleManagement/roleManagementPolicies/Test-AzurePIMroleManagementPolicy.ps1

function Test-AzurePIMroleManagementPolicy {
    <#
        .SYNOPSIS
            Test desired configuration against a Tenant.
        .DESCRIPTION
            Compare current configuration of a resource type with the desired configuration.
            Return a result object with the required changes and actions.
    #>
    [CmdletBinding()]
    Param (
        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )

    begin
    {
        $resourceName = "roleManagementPolicies"
        Test-AzureConnection
        $token = (Get-AzAccessToken -ResourceUrl $script:apiBaseUrl).Token
        $tenant = Get-AzTenant -TenantId (Get-AzContext).Tenant.Id
    }
    process 
    {
        $definitions = $script:desiredConfiguration[$resourceName]

        foreach ($definition in $definitions) {
            foreach ($property in $definition.Properties()) {
                if ($definition.$property.GetType().Name -eq "String") {
                    $definition.$property = Resolve-String -Text $definition.$property
                }
            }
            
            $result = @{
                Tenant = $tenant.Name
                TenantId = $tenant.Id
                ResourceType = 'roleManagementPolicy'
                ResourceName = "Policy for $($definition.roleReference) on $($definition.scopeReference)"
                DesiredConfiguration = $definition
            }

            $rules = @()
            $rules += ($script:desiredConfiguration["roleManagementPolicyRuleTemplates"] | Where-Object {$_.displayName -eq $definition.ruleTemplate}).rules
            Add-Member -InputObject $result.DesiredConfiguration -MemberType NoteProperty -Name rules -Value $rules -Force

            $subscriptionId = Resolve-Subscription -InputReference $definition.subscriptionReference
            $roleId = Resolve-AzureRoleDefinition -InputReference $definition.roleReference -SubscriptionId $subscriptionId
            switch ($definition.scopeType) {
                "subscription" {
                    $policyId = (Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($subscriptionId)/providers/Microsoft.Authorization/roleManagementPolicyAssignments?`$filter=roleDefinitionId eq '$($roleId)'&api-version=2020-10-01-preview" -Headers @{"Authorization" = "Bearer $($token)"}).value.properties.policyId
                    $resource = @()
                    $resource += Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($policyId)?api-version=2020-10-01-preview" -Headers @{"Authorization" = "Bearer $($token)"}
                }
                "resourceGroup" {
                    $policyId = ((Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($subscriptionId)/ResourceGroups/$($definition.scopeReference)/providers/Microsoft.Authorization/roleManagementPolicyAssignments?api-version=2020-10-01-preview" -Headers @{"Authorization" = "Bearer $($token)"}).value | Where-Object {$_.properties.roleDefinitionId -eq $roleId}).properties.policyId
                    $resource = @()
                    $resource += Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($policyId)?api-version=2020-10-01-preview" -Headers @{"Authorization" = "Bearer $($token)"}
                }
                "resource" {
                    $policyId = ((Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($subscriptionId)$($definition.scopeReference)/providers/Microsoft.Authorization/roleManagementPolicyAssignments?api-version=2020-10-01-preview" -Headers @{"Authorization" = "Bearer $($token)"}).value | Where-Object {$_.properties.roleDefinitionId -eq $roleId}).properties.policyId
                    $resource = @()
                    $resource += Invoke-RestMethod -Method "GET" -Uri "$($script:apiBaseUrl)$($policyId)?api-version=2020-10-01-preview" -Headers @{"Authorization" = "Bearer $($token)"}
                }
            }
            

            switch ($resource.count) {
                0    {

                }

                1    {
                    $result["AzureResource"] = $resource
                    $changes = @()
                    if (-not (Compare-PolicyProperties -ReferenceObject $result.DesiredConfiguration.rules -DifferenceObject $resource.properties.rules)) {
                        $change = [PSCustomObject] @{
                            Property = "rules"
                            Actions = @{"Set" = $result.DesiredConfiguration.rules}
                        }
                        $changes += $change
                    }
                    if ($changes.count -gt 0) { $result = New-TestResult @result -Changes $changes -ActionType "Update"}
                    else { $result = New-TestResult @result -ActionType "NoActionRequired" }
                }
                default {
                    Write-PSFMessage -Level Warning -String 'AzurePIM.Test.MultipleResourcesError' -StringValues $resourceName, $result.ResourceName -Tag 'failed'
                    $exception = New-Object System.Data.DataException("Query returned multiple results. Cannot decide which resource to test.")
                    $errorID = 'MultipleResourcesError'
                    $category = [System.Management.Automation.ErrorCategory]::NotSpecified
                    $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Cmdlet)
                    $cmdlet.ThrowTerminatingError($recordObject)
                }
            }
            $result
        }
    }
}