Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add test cases for nested role assignmnents #3168

Closed
wants to merge 6 commits into from
Closed

Add test cases for nested role assignmnents #3168

wants to merge 6 commits into from

Conversation

JPEasier
Copy link
Contributor

@JPEasier JPEasier commented May 5, 2023

Description

Added a Pester test to check if the resource type in the nested roleAssignment bicep is the same as the module.

ToDo: add role assignments to all common test deployments

Issue Referenc: #3162

Pipeline references

Pipeline Description
Network - DNS Resolvers failed pester test - wrong resource type
KeyVault - Vaults succeded pester test - correct resource type

Type of Change

Please delete options that are not relevant.

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • My corresponding pipelines / checks run clean and green without any errors or warnings
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (readme)
  • I did format my code

@JPEasier JPEasier added [cat] modules category: modules [cat] testing category: testing labels May 5, 2023
@JPEasier JPEasier self-assigned this May 5, 2023
AlexanderSehr
AlexanderSehr reviewed May 5, 2023
View reviewed changes
modules/Microsoft.Network/dnsResolvers/.test/common/deploy.test.bicep Outdated
roleDefinitionIdOrName: 'Reader'
description: 'Reader Role Assignment'
principalIds: [
'c99b4f9a-4268-4ab0-bd02-85d160b29a36' // carml-contributor-group
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should/must be the ID of an MSI that is deployed in the dependencies.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True

AlexanderSehr
AlexanderSehr reviewed May 5, 2023
View reviewed changes
utilities/pipelines/staticValidation/module.tests.ps1
Comment on lines +814 to +815
#$resourceTypeIdentifier = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1]
$resourceTypeIdentifier = (Get-Content (Join-Path $moduleFolderPath 'readme.md')).split('`')[1].substring(1).Replace(']', '')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#$resourceTypeIdentifier = $moduleFolderPath.Replace('\', '/').Split('/modules/')[1]
$resourceTypeIdentifier = (Get-Content (Join-Path $moduleFolderPath 'readme.md')).split('`')[1].substring(1).Replace(']', '')
$readMeContent = Get-Content (Join-Path $moduleFolderPath 'readme.md')
$resourceTypeIdentifier = [regex]::Match($readMeContent[0], '^.*`\[([a-zA-Z\.\/]+)\]`$').Captures.Groups[1].Value

AlexanderSehr
AlexanderSehr reviewed May 5, 2023
View reviewed changes
utilities/pipelines/staticValidation/module.tests.ps1
foreach ($moduleFolderPath in $moduleFolderPaths) {
$rbacFilePath = Join-Path $moduleFolderPath '.bicep/nested_roleAssignments.bicep'
if (Test-Path $rbacFilePath) {
$nestedFileContent = Get-Content $rbacFilePath
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest to call it not $nestedFileContent but for example $rbacFileContent which would also match the $rbacFilePath

AlexanderSehr
AlexanderSehr reviewed May 5, 2023
View reviewed changes
utilities/pipelines/staticValidation/module.tests.ps1
[string] $resourceTypeIdentifier
)

$hasExpectedResourceType = ($nestedFileContent | Out-String) -match $resourceTypeIdentifier
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While fine by itself, I would suggest to rather have a test that compares the used resource type with the one we expect as the $resourceTypeIdentifier. So the test would be like $usedExistingResourceType | Should -Be $resourceTypeIdentifier, which has the nice benefit, that a failing tests also tells you how you can fix the error.

To make this work however, you'd need to find the used resource type in the $nestedFileContent. This should be possible by searching for the line that matches 'resource ... existing = {' and then extracting the used resource type.

This final step can be done using the snippet

[regex]::Match($nestedFileContent[$existingResourceTypeRow], "^resource.+'([a-zA-Z\.\/]+)@.+' existing = {$").Captures.Groups[1].Value

@JPEasier JPEasier closed this Nov 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlexanderSehr AlexanderSehr AlexanderSehr left review comments

Assignees

@JPEasier JPEasier

Labels
[cat] modules category: modules [cat] testing category: testing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JPEasier @AlexanderSehr