diff --git a/providers/azure/go.mod b/providers/azure/go.mod index e1a0cb4d82..707dcedae4 100644 --- a/providers/azure/go.mod +++ b/providers/azure/go.mod @@ -22,6 +22,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mariadb/armmariadb v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor v0.11.0 + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0 @@ -65,7 +66,6 @@ require ( github.com/Microsoft/go-winio v0.6.2 // indirect github.com/ProtonMail/go-crypto v1.0.0 // indirect github.com/StackExchange/wmi v1.2.1 // indirect - github.com/aws/aws-sdk-go v1.55.5 // indirect github.com/aws/aws-sdk-go-v2 v1.30.4 // indirect github.com/aws/aws-sdk-go-v2/config v1.27.28 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.17.28 // indirect diff --git a/providers/azure/go.sum b/providers/azure/go.sum index 2216d5d700..347e40689b 100644 --- a/providers/azure/go.sum +++ b/providers/azure/go.sum @@ -59,6 +59,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mariadb/armmariadb v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mariadb/armmariadb v1.2.0/go.mod h1:DjMBNXv1qSHIv81Mj/MeAru4hk5WhOW4YZ40c+zo+Us= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor v0.11.0 h1:Ds0KRF8ggpEGg4Vo42oX1cIt/IfOhHWJBikksZbVxeg= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/monitor/armmonitor v0.11.0/go.mod h1:jj6P8ybImR+5topJ+eH6fgcemSFBmU6/6bFF8KkwuDI= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0 h1:z4YeiSXxnUI+PqB46Yj6MZA3nwb1CcJIkEMDrzUd8Cs= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0/go.mod h1:rko9SzMxcMk0NJsNAxALEGaTYyy79bNRwxgJfrH0Spw= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql v1.2.0 h1:dhywcZH9yPDIje9aTqwy6psZSPzI6CJLYEprDahIBSQ= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql v1.2.0/go.mod h1:6z3b+JdBLH0eMzfBex/cvEIoEFVEwXuB0wbgdfN11iM= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers v1.2.0 h1:3jDMffAwnvs6qmOqhjNVHB29AKxs6brnzJeo65E1YwM= @@ -109,8 +111,6 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= -github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8= github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= github.com/aws/aws-sdk-go-v2/config v1.27.28 h1:OTxWGW/91C61QlneCtnD62NLb4W616/NM1jA8LhJqbg= diff --git a/providers/azure/resources/azure.lr b/providers/azure/resources/azure.lr index e66158eef3..4eba9feb25 100644 --- a/providers/azure/resources/azure.lr +++ b/providers/azure/resources/azure.lr @@ -1746,6 +1746,10 @@ private azure.subscription.authorizationService { roles() []azure.subscription.authorizationService.roleDefinition // Deprecated: use `roles` instead roleDefinitions() []azure.subscription.authorizationService.roleDefinition + // Role assignments + roleAssignments() []azure.subscription.authorizationService.roleAssignment + // Managed identities + managedIdentities() []azure.subscription.managedIdentity } // Azure role definition @@ -1780,6 +1784,28 @@ private azure.subscription.authorizationService.roleDefinition.permission @defau deniedDataActions []string } +// Azure role assignment +private azure.subscription.authorizationService.roleAssignment @defaults("principalId type role.name") { + id string + description string + type string + scope string + principalId string + condition string + createdAt time + updatedAt time + role() azure.subscription.authorizationService.roleDefinition +} + +// Azure managed identity +private azure.subscription.managedIdentity @defaults("name") { + name string + clientId string + principalId string + tenantId string + roleAssignments() []azure.subscription.authorizationService.roleAssignment +} + // Azure Kubernetes Service private azure.subscription.aksService { // Subscription identifier diff --git a/providers/azure/resources/azure.lr.go b/providers/azure/resources/azure.lr.go index 74721bc0cc..e258087599 100644 --- a/providers/azure/resources/azure.lr.go +++ b/providers/azure/resources/azure.lr.go @@ -382,6 +382,14 @@ func init() { // to override args, implement: initAzureSubscriptionAuthorizationServiceRoleDefinitionPermission(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) Create: createAzureSubscriptionAuthorizationServiceRoleDefinitionPermission, }, + "azure.subscription.authorizationService.roleAssignment": { + // to override args, implement: initAzureSubscriptionAuthorizationServiceRoleAssignment(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) + Create: createAzureSubscriptionAuthorizationServiceRoleAssignment, + }, + "azure.subscription.managedIdentity": { + // to override args, implement: initAzureSubscriptionManagedIdentity(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) + Create: createAzureSubscriptionManagedIdentity, + }, "azure.subscription.aksService": { // to override args, implement: initAzureSubscriptionAksService(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) Create: createAzureSubscriptionAksService, @@ -2568,6 +2576,12 @@ var getDataFields = map[string]func(r plugin.Resource) *plugin.DataRes{ "azure.subscription.authorizationService.roleDefinitions": func(r plugin.Resource) *plugin.DataRes { return (r.(*mqlAzureSubscriptionAuthorizationService).GetRoleDefinitions()).ToDataRes(types.Array(types.Resource("azure.subscription.authorizationService.roleDefinition"))) }, + "azure.subscription.authorizationService.roleAssignments": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationService).GetRoleAssignments()).ToDataRes(types.Array(types.Resource("azure.subscription.authorizationService.roleAssignment"))) + }, + "azure.subscription.authorizationService.managedIdentities": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationService).GetManagedIdentities()).ToDataRes(types.Array(types.Resource("azure.subscription.managedIdentity"))) + }, "azure.subscription.authorizationService.roleDefinition.id": func(r plugin.Resource) *plugin.DataRes { return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleDefinition).GetId()).ToDataRes(types.String) }, @@ -2604,6 +2618,48 @@ var getDataFields = map[string]func(r plugin.Resource) *plugin.DataRes{ "azure.subscription.authorizationService.roleDefinition.permission.deniedDataActions": func(r plugin.Resource) *plugin.DataRes { return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleDefinitionPermission).GetDeniedDataActions()).ToDataRes(types.Array(types.String)) }, + "azure.subscription.authorizationService.roleAssignment.id": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetId()).ToDataRes(types.String) + }, + "azure.subscription.authorizationService.roleAssignment.description": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetDescription()).ToDataRes(types.String) + }, + "azure.subscription.authorizationService.roleAssignment.type": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetType()).ToDataRes(types.String) + }, + "azure.subscription.authorizationService.roleAssignment.scope": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetScope()).ToDataRes(types.String) + }, + "azure.subscription.authorizationService.roleAssignment.principalId": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetPrincipalId()).ToDataRes(types.String) + }, + "azure.subscription.authorizationService.roleAssignment.condition": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetCondition()).ToDataRes(types.String) + }, + "azure.subscription.authorizationService.roleAssignment.createdAt": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetCreatedAt()).ToDataRes(types.Time) + }, + "azure.subscription.authorizationService.roleAssignment.updatedAt": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetUpdatedAt()).ToDataRes(types.Time) + }, + "azure.subscription.authorizationService.roleAssignment.role": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).GetRole()).ToDataRes(types.Resource("azure.subscription.authorizationService.roleDefinition")) + }, + "azure.subscription.managedIdentity.name": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionManagedIdentity).GetName()).ToDataRes(types.String) + }, + "azure.subscription.managedIdentity.clientId": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionManagedIdentity).GetClientId()).ToDataRes(types.String) + }, + "azure.subscription.managedIdentity.principalId": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionManagedIdentity).GetPrincipalId()).ToDataRes(types.String) + }, + "azure.subscription.managedIdentity.tenantId": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionManagedIdentity).GetTenantId()).ToDataRes(types.String) + }, + "azure.subscription.managedIdentity.roleAssignments": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAzureSubscriptionManagedIdentity).GetRoleAssignments()).ToDataRes(types.Array(types.Resource("azure.subscription.authorizationService.roleAssignment"))) + }, "azure.subscription.aksService.subscriptionId": func(r plugin.Resource) *plugin.DataRes { return (r.(*mqlAzureSubscriptionAksService).GetSubscriptionId()).ToDataRes(types.String) }, @@ -5928,6 +5984,14 @@ var setDataFields = map[string]func(r plugin.Resource, v *llx.RawData) bool { r.(*mqlAzureSubscriptionAuthorizationService).RoleDefinitions, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error) return }, + "azure.subscription.authorizationService.roleAssignments": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationService).RoleAssignments, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.managedIdentities": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationService).ManagedIdentities, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error) + return + }, "azure.subscription.authorizationService.roleDefinition.__id": func(r plugin.Resource, v *llx.RawData) (ok bool) { r.(*mqlAzureSubscriptionAuthorizationServiceRoleDefinition).__id, ok = v.Value.(string) return @@ -5984,6 +6048,70 @@ var setDataFields = map[string]func(r plugin.Resource, v *llx.RawData) bool { r.(*mqlAzureSubscriptionAuthorizationServiceRoleDefinitionPermission).DeniedDataActions, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error) return }, + "azure.subscription.authorizationService.roleAssignment.__id": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).__id, ok = v.Value.(string) + return + }, + "azure.subscription.authorizationService.roleAssignment.id": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).Id, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.description": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).Description, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.type": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).Type, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.scope": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).Scope, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.principalId": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).PrincipalId, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.condition": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).Condition, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.createdAt": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).CreatedAt, ok = plugin.RawToTValue[*time.Time](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.updatedAt": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).UpdatedAt, ok = plugin.RawToTValue[*time.Time](v.Value, v.Error) + return + }, + "azure.subscription.authorizationService.roleAssignment.role": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment).Role, ok = plugin.RawToTValue[*mqlAzureSubscriptionAuthorizationServiceRoleDefinition](v.Value, v.Error) + return + }, + "azure.subscription.managedIdentity.__id": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionManagedIdentity).__id, ok = v.Value.(string) + return + }, + "azure.subscription.managedIdentity.name": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionManagedIdentity).Name, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.managedIdentity.clientId": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionManagedIdentity).ClientId, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.managedIdentity.principalId": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionManagedIdentity).PrincipalId, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.managedIdentity.tenantId": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionManagedIdentity).TenantId, ok = plugin.RawToTValue[string](v.Value, v.Error) + return + }, + "azure.subscription.managedIdentity.roleAssignments": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAzureSubscriptionManagedIdentity).RoleAssignments, ok = plugin.RawToTValue[[]interface{}](v.Value, v.Error) + return + }, "azure.subscription.aksService.__id": func(r plugin.Resource, v *llx.RawData) (ok bool) { r.(*mqlAzureSubscriptionAksService).__id, ok = v.Value.(string) return @@ -14947,6 +15075,8 @@ type mqlAzureSubscriptionAuthorizationService struct { SubscriptionId plugin.TValue[string] Roles plugin.TValue[[]interface{}] RoleDefinitions plugin.TValue[[]interface{}] + RoleAssignments plugin.TValue[[]interface{}] + ManagedIdentities plugin.TValue[[]interface{}] } // createAzureSubscriptionAuthorizationService creates a new instance of this resource @@ -15022,6 +15152,38 @@ func (c *mqlAzureSubscriptionAuthorizationService) GetRoleDefinitions() *plugin. }) } +func (c *mqlAzureSubscriptionAuthorizationService) GetRoleAssignments() *plugin.TValue[[]interface{}] { + return plugin.GetOrCompute[[]interface{}](&c.RoleAssignments, func() ([]interface{}, error) { + if c.MqlRuntime.HasRecording { + d, err := c.MqlRuntime.FieldResourceFromRecording("azure.subscription.authorizationService", c.__id, "roleAssignments") + if err != nil { + return nil, err + } + if d != nil { + return d.Value.([]interface{}), nil + } + } + + return c.roleAssignments() + }) +} + +func (c *mqlAzureSubscriptionAuthorizationService) GetManagedIdentities() *plugin.TValue[[]interface{}] { + return plugin.GetOrCompute[[]interface{}](&c.ManagedIdentities, func() ([]interface{}, error) { + if c.MqlRuntime.HasRecording { + d, err := c.MqlRuntime.FieldResourceFromRecording("azure.subscription.authorizationService", c.__id, "managedIdentities") + if err != nil { + return nil, err + } + if d != nil { + return d.Value.([]interface{}), nil + } + } + + return c.managedIdentities() + }) +} + // mqlAzureSubscriptionAuthorizationServiceRoleDefinition for the azure.subscription.authorizationService.roleDefinition resource type mqlAzureSubscriptionAuthorizationServiceRoleDefinition struct { MqlRuntime *plugin.Runtime @@ -15047,12 +15209,7 @@ func createAzureSubscriptionAuthorizationServiceRoleDefinition(runtime *plugin.R return res, err } - if res.__id == "" { - res.__id, err = res.id() - if err != nil { - return nil, err - } - } + // to override __id implement: id() (string, error) if runtime.HasRecording { args, err = runtime.ResourceFromRecording("azure.subscription.authorizationService.roleDefinition", res.__id) @@ -15124,12 +15281,7 @@ func createAzureSubscriptionAuthorizationServiceRoleDefinitionPermission(runtime return res, err } - if res.__id == "" { - res.__id, err = res.id() - if err != nil { - return nil, err - } - } + // to override __id implement: id() (string, error) if runtime.HasRecording { args, err = runtime.ResourceFromRecording("azure.subscription.authorizationService.roleDefinition.permission", res.__id) @@ -15170,6 +15322,178 @@ func (c *mqlAzureSubscriptionAuthorizationServiceRoleDefinitionPermission) GetDe return &c.DeniedDataActions } +// mqlAzureSubscriptionAuthorizationServiceRoleAssignment for the azure.subscription.authorizationService.roleAssignment resource +type mqlAzureSubscriptionAuthorizationServiceRoleAssignment struct { + MqlRuntime *plugin.Runtime + __id string + mqlAzureSubscriptionAuthorizationServiceRoleAssignmentInternal + Id plugin.TValue[string] + Description plugin.TValue[string] + Type plugin.TValue[string] + Scope plugin.TValue[string] + PrincipalId plugin.TValue[string] + Condition plugin.TValue[string] + CreatedAt plugin.TValue[*time.Time] + UpdatedAt plugin.TValue[*time.Time] + Role plugin.TValue[*mqlAzureSubscriptionAuthorizationServiceRoleDefinition] +} + +// createAzureSubscriptionAuthorizationServiceRoleAssignment creates a new instance of this resource +func createAzureSubscriptionAuthorizationServiceRoleAssignment(runtime *plugin.Runtime, args map[string]*llx.RawData) (plugin.Resource, error) { + res := &mqlAzureSubscriptionAuthorizationServiceRoleAssignment{ + MqlRuntime: runtime, + } + + err := SetAllData(res, args) + if err != nil { + return res, err + } + + // to override __id implement: id() (string, error) + + if runtime.HasRecording { + args, err = runtime.ResourceFromRecording("azure.subscription.authorizationService.roleAssignment", res.__id) + if err != nil || args == nil { + return res, err + } + return res, SetAllData(res, args) + } + + return res, nil +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) MqlName() string { + return "azure.subscription.authorizationService.roleAssignment" +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) MqlID() string { + return c.__id +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetId() *plugin.TValue[string] { + return &c.Id +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetDescription() *plugin.TValue[string] { + return &c.Description +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetType() *plugin.TValue[string] { + return &c.Type +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetScope() *plugin.TValue[string] { + return &c.Scope +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetPrincipalId() *plugin.TValue[string] { + return &c.PrincipalId +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetCondition() *plugin.TValue[string] { + return &c.Condition +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetCreatedAt() *plugin.TValue[*time.Time] { + return &c.CreatedAt +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetUpdatedAt() *plugin.TValue[*time.Time] { + return &c.UpdatedAt +} + +func (c *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) GetRole() *plugin.TValue[*mqlAzureSubscriptionAuthorizationServiceRoleDefinition] { + return plugin.GetOrCompute[*mqlAzureSubscriptionAuthorizationServiceRoleDefinition](&c.Role, func() (*mqlAzureSubscriptionAuthorizationServiceRoleDefinition, error) { + if c.MqlRuntime.HasRecording { + d, err := c.MqlRuntime.FieldResourceFromRecording("azure.subscription.authorizationService.roleAssignment", c.__id, "role") + if err != nil { + return nil, err + } + if d != nil { + return d.Value.(*mqlAzureSubscriptionAuthorizationServiceRoleDefinition), nil + } + } + + return c.role() + }) +} + +// mqlAzureSubscriptionManagedIdentity for the azure.subscription.managedIdentity resource +type mqlAzureSubscriptionManagedIdentity struct { + MqlRuntime *plugin.Runtime + __id string + // optional: if you define mqlAzureSubscriptionManagedIdentityInternal it will be used here + Name plugin.TValue[string] + ClientId plugin.TValue[string] + PrincipalId plugin.TValue[string] + TenantId plugin.TValue[string] + RoleAssignments plugin.TValue[[]interface{}] +} + +// createAzureSubscriptionManagedIdentity creates a new instance of this resource +func createAzureSubscriptionManagedIdentity(runtime *plugin.Runtime, args map[string]*llx.RawData) (plugin.Resource, error) { + res := &mqlAzureSubscriptionManagedIdentity{ + MqlRuntime: runtime, + } + + err := SetAllData(res, args) + if err != nil { + return res, err + } + + // to override __id implement: id() (string, error) + + if runtime.HasRecording { + args, err = runtime.ResourceFromRecording("azure.subscription.managedIdentity", res.__id) + if err != nil || args == nil { + return res, err + } + return res, SetAllData(res, args) + } + + return res, nil +} + +func (c *mqlAzureSubscriptionManagedIdentity) MqlName() string { + return "azure.subscription.managedIdentity" +} + +func (c *mqlAzureSubscriptionManagedIdentity) MqlID() string { + return c.__id +} + +func (c *mqlAzureSubscriptionManagedIdentity) GetName() *plugin.TValue[string] { + return &c.Name +} + +func (c *mqlAzureSubscriptionManagedIdentity) GetClientId() *plugin.TValue[string] { + return &c.ClientId +} + +func (c *mqlAzureSubscriptionManagedIdentity) GetPrincipalId() *plugin.TValue[string] { + return &c.PrincipalId +} + +func (c *mqlAzureSubscriptionManagedIdentity) GetTenantId() *plugin.TValue[string] { + return &c.TenantId +} + +func (c *mqlAzureSubscriptionManagedIdentity) GetRoleAssignments() *plugin.TValue[[]interface{}] { + return plugin.GetOrCompute[[]interface{}](&c.RoleAssignments, func() ([]interface{}, error) { + if c.MqlRuntime.HasRecording { + d, err := c.MqlRuntime.FieldResourceFromRecording("azure.subscription.managedIdentity", c.__id, "roleAssignments") + if err != nil { + return nil, err + } + if d != nil { + return d.Value.([]interface{}), nil + } + } + + return c.roleAssignments() + }) +} + // mqlAzureSubscriptionAksService for the azure.subscription.aksService resource type mqlAzureSubscriptionAksService struct { MqlRuntime *plugin.Runtime diff --git a/providers/azure/resources/azure.lr.manifest.yaml b/providers/azure/resources/azure.lr.manifest.yaml index 0231fbb2cb..b072b269d8 100644 --- a/providers/azure/resources/azure.lr.manifest.yaml +++ b/providers/azure/resources/azure.lr.manifest.yaml @@ -293,6 +293,10 @@ resources: url: https://learn.microsoft.com/en-us/azure/role-based-access-control/ azure.subscription.authorizationService: fields: + managedIdentities: + min_mondoo_version: 9.0.0 + roleAssignments: + min_mondoo_version: 9.0.0 roleDefinitions: {} roles: min_mondoo_version: 9.0.0 @@ -305,6 +309,24 @@ resources: refs: - title: Azure RBAC documentation url: https://learn.microsoft.com/en-us/azure/role-based-access-control/ + azure.subscription.authorizationService.roleAssignment: + fields: + condition: {} + createdAt: {} + description: {} + id: {} + name: {} + principalId: {} + principalType: {} + role: {} + scope: {} + type: {} + updatedAt: {} + is_private: true + min_mondoo_version: 9.0.0 + platform: + name: + - azure azure.subscription.authorizationService.roleDefinition: fields: description: {} @@ -774,6 +796,19 @@ resources: refs: - title: Azure Key Vault url: https://learn.microsoft.com/en-us/azure/key-vault/ + azure.subscription.managedIdentity: + fields: + clientId: {} + id: {} + name: {} + principalId: {} + roleAssignments: {} + tenantId: {} + is_private: true + min_mondoo_version: 9.0.0 + platform: + name: + - azure azure.subscription.managedIdentityService: fields: managedIdentities: {} diff --git a/providers/azure/resources/iam.go b/providers/azure/resources/iam.go index cbcf0456f3..9144542104 100644 --- a/providers/azure/resources/iam.go +++ b/providers/azure/resources/iam.go @@ -7,15 +7,16 @@ import ( "context" "errors" "fmt" + "strings" "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm" + authorization "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi" "go.mondoo.com/cnquery/v11/llx" "go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin" "go.mondoo.com/cnquery/v11/providers-sdk/v1/util/convert" "go.mondoo.com/cnquery/v11/providers/azure/connection" "go.mondoo.com/cnquery/v11/types" - - authorization "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" ) func (a *mqlAzureSubscription) iam() (*mqlAzureSubscriptionAuthorizationService, error) { @@ -52,14 +53,6 @@ func initAzureSubscriptionAuthorizationService(runtime *plugin.Runtime, args map return args, nil, nil } -func (a *mqlAzureSubscriptionAuthorizationServiceRoleDefinition) id() (string, error) { - return a.Id.Data, nil -} - -func (a *mqlAzureSubscriptionAuthorizationServiceRoleDefinitionPermission) id() (string, error) { - return a.Id.Data, nil -} - // Deprecated: use roles instead func (a *mqlAzureSubscriptionAuthorizationService) roleDefinitions() ([]interface{}, error) { return a.roles() @@ -99,7 +92,7 @@ func (a *mqlAzureSubscriptionAuthorizationService) roles() ([]interface{}, error permissions := []interface{}{} for idx, p := range roleDef.Properties.Permissions { id := fmt.Sprintf("%s/azure.subscription.authorizationService.roleDefinition.permission/%d", *roleDef.ID, idx) - permission, err := azureToMqlPermission(a.MqlRuntime, id, p) + permission, err := newMqlRolePermission(a.MqlRuntime, id, p) if err != nil { return nil, err } @@ -107,6 +100,7 @@ func (a *mqlAzureSubscriptionAuthorizationService) roles() ([]interface{}, error } mqlRoleDefinition, err := CreateResource(a.MqlRuntime, "azure.subscription.authorizationService.roleDefinition", map[string]*llx.RawData{ + "__id": llx.StringDataPtr(roleDef.ID), "id": llx.StringDataPtr(roleDef.ID), "name": llx.StringDataPtr(roleDef.Properties.RoleName), "description": llx.StringDataPtr(roleDef.Properties.Description), @@ -124,7 +118,7 @@ func (a *mqlAzureSubscriptionAuthorizationService) roles() ([]interface{}, error return res, nil } -func azureToMqlPermission(runtime *plugin.Runtime, id string, permission *authorization.Permission) (interface{}, error) { +func newMqlRolePermission(runtime *plugin.Runtime, id string, permission *authorization.Permission) (interface{}, error) { allowedActions := []interface{}{} deniedActions := []interface{}{} allowedDataActions := []interface{}{} @@ -153,6 +147,7 @@ func azureToMqlPermission(runtime *plugin.Runtime, id string, permission *author p, err := CreateResource(runtime, "azure.subscription.authorizationService.roleDefinition.permission", map[string]*llx.RawData{ + "__id": llx.StringData(id), "id": llx.StringData(id), "allowedActions": llx.ArrayData(allowedActions, types.String), "deniedActions": llx.ArrayData(deniedActions, types.String), @@ -164,3 +159,180 @@ func azureToMqlPermission(runtime *plugin.Runtime, id string, permission *author } return p, nil } + +func (a *mqlAzureSubscriptionAuthorizationService) roleAssignments() ([]interface{}, error) { + conn := a.MqlRuntime.Connection.(*connection.AzureConnection) + token := conn.Token() + subId := a.SubscriptionId.Data + + var client, err = authorization.NewRoleAssignmentsClient(subId, token, &arm.ClientOptions{ + ClientOptions: conn.ClientOptions(), + }) + if err != nil { + return nil, err + } + + ctx := context.Background() + // we're interested in subscription-level role definitions, so we scope this to the subscription, + // on which this connection is running + pager := client.NewListForSubscriptionPager(&authorization.RoleAssignmentsClientListForSubscriptionOptions{}) + res := []interface{}{} + for pager.More() { + page, err := pager.NextPage(ctx) + if err != nil { + return nil, err + } + for _, roleAssignment := range page.Value { + mqlRoleAssignment, err := newMqlRoleAssignment(a.MqlRuntime, roleAssignment) + if err != nil { + return nil, err + } + res = append(res, mqlRoleAssignment) + } + } + return res, nil +} + +type mqlAzureSubscriptionAuthorizationServiceRoleAssignmentInternal struct { + roleDefinitionId string +} + +func newMqlRoleAssignment(runtime *plugin.Runtime, roleAssignment *authorization.RoleAssignment) (*mqlAzureSubscriptionAuthorizationServiceRoleAssignment, error) { + r, err := CreateResource(runtime, "azure.subscription.authorizationService.roleAssignment", + map[string]*llx.RawData{ + "__id": llx.StringDataPtr(roleAssignment.ID), + "id": llx.StringDataPtr(roleAssignment.Name), // name is the id :-) + "description": llx.StringDataPtr(roleAssignment.Properties.Description), + "scope": llx.StringDataPtr(roleAssignment.Properties.Scope), + "type": llx.StringData(string(*roleAssignment.Properties.PrincipalType)), + "principalId": llx.StringData(*roleAssignment.Properties.PrincipalID), + "condition": llx.StringDataPtr(roleAssignment.Properties.Condition), + "createdAt": llx.TimeDataPtr(roleAssignment.Properties.CreatedOn), + "updatedAt": llx.TimeDataPtr(roleAssignment.Properties.UpdatedOn), + }) + if err != nil { + return nil, err + } + + mqlRoleDefinition := r.(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment) + if roleAssignment.Properties.RoleDefinitionID != nil { + mqlRoleDefinition.roleDefinitionId = *roleAssignment.Properties.RoleDefinitionID + } + return mqlRoleDefinition, nil +} + +func extractSubscriptionID(roleDefinitionID string) (string, error) { + parts := strings.Split(roleDefinitionID, "/") + + for i, part := range parts { + if part == "subscriptions" && i+1 < len(parts) { + return parts[i+1], nil + } + } + + return "", fmt.Errorf("subscription ID not found in role definition ID") +} + +func (a *mqlAzureSubscriptionAuthorizationServiceRoleAssignment) role() (*mqlAzureSubscriptionAuthorizationServiceRoleDefinition, error) { + if a.roleDefinitionId == "" { + return nil, nil + } + + // extract subscription id from role definition id + subId, err := extractSubscriptionID(a.roleDefinitionId) + if err != nil { + return nil, err + } + + r, err := CreateResource(a.MqlRuntime, "azure.subscription", map[string]*llx.RawData{ + "subscriptionId": llx.StringData(subId), + }) + if err != nil { + return nil, err + } + mqlResource := r.(*mqlAzureSubscription) + iamResource := mqlResource.GetIam().Data + roles := iamResource.GetRoles().Data + for i := range roles { + role := roles[i].(*mqlAzureSubscriptionAuthorizationServiceRoleDefinition) + if role.__id == a.roleDefinitionId { + return role, nil + } + } + + return nil, errors.New("role definition not found") +} + +func (a *mqlAzureSubscriptionAuthorizationService) managedIdentities() ([]interface{}, error) { + conn := a.MqlRuntime.Connection.(*connection.AzureConnection) + token := conn.Token() + subId := a.SubscriptionId.Data + + var client, err = armmsi.NewUserAssignedIdentitiesClient(subId, token, &arm.ClientOptions{ + ClientOptions: conn.ClientOptions(), + }) + if err != nil { + return nil, err + } + + ctx := context.Background() + + // list all role assignemnts since we need to attach them to the managed identities + roleAssignments := a.GetRoleAssignments().Data + + // list user assigned identities + pager := client.NewListBySubscriptionPager(nil) + res := []interface{}{} + for pager.More() { + page, err := pager.NextPage(ctx) + if err != nil { + return nil, err + } + for _, v := range page.Value { + mqlManagedIdentity, err := newMqlManagedIdentity(a.MqlRuntime, v) + if err != nil { + return nil, err + } + + // set assigned roles to nil + mqlManagedIdentity.RoleAssignments = plugin.TValue[[]interface{}]{Error: nil, State: plugin.StateIsSet | plugin.StateIsNull} + + assignedRoles := []interface{}{} + for i := range roleAssignments { + roleAssignment := roleAssignments[i].(*mqlAzureSubscriptionAuthorizationServiceRoleAssignment) + if roleAssignment.PrincipalId == mqlManagedIdentity.PrincipalId { + assignedRoles = append(assignedRoles, roleAssignment) + } + } + + if len(assignedRoles) > 0 { + mqlManagedIdentity.RoleAssignments = plugin.TValue[[]interface{}]{Error: nil, Data: assignedRoles, State: plugin.StateIsSet} + } + + res = append(res, mqlManagedIdentity) + } + } + return res, nil +} + +func newMqlManagedIdentity(runtime *plugin.Runtime, managedIdentity *armmsi.Identity) (*mqlAzureSubscriptionManagedIdentity, error) { + r, err := CreateResource(runtime, "azure.subscription.managedIdentity", + map[string]*llx.RawData{ + "__id": llx.StringDataPtr(managedIdentity.ID), + "name": llx.StringDataPtr(managedIdentity.Name), + "clientId": llx.StringDataPtr(managedIdentity.Properties.ClientID), + "principalId": llx.StringDataPtr(managedIdentity.Properties.PrincipalID), + "tenantId": llx.StringData(string(*managedIdentity.Properties.TenantID)), + }) + if err != nil { + return nil, err + } + + mqlManagedIdentity := r.(*mqlAzureSubscriptionManagedIdentity) + return mqlManagedIdentity, nil +} + +func (a *mqlAzureSubscriptionManagedIdentity) roleAssignments() ([]interface{}, error) { + // NOTE: this should never be called since we assign roles during the managed identities query + return nil, errors.New("could not fetch role assignments for managed identities") +}