
Custom resource for Azure PIM role management policies #3663

Open
wants to merge 8 commits into base: master

Conversation

thomas11
Contributor

@thomas11 thomas11 commented Oct 23, 2024

About

This PR adds support for Role Management Policies, part of Privileged Identity Management (PIM) in the Microsoft.Authentication namespace. It's one part of #2455.

Note that this is about the ARM part of PIM; there's also a Microsoft Graph API part which is not covered by this provider.

This resource wasn't automatically included because it supports only GET and PATCH. The policies are singletons that cannot be created or deleted, only modified via PATCH.

Implementation

Role Management Policies essentially consist of a name which is actually a GUID, and a list of ~20 rules.

Using our existing singleton support defaults.GetDefaultResourceState was tricky because

  1. there are many policies with many rules, for a total of ~300k lines of JSON for a subscription scope, and there are more scopes, plus
  2. I believe the defaults can vary per scope and possibly also per customer.

So instead, I've implemented a custom resource that captures the original state of a policy when it's first "created", i.e., added to Pulumi state. When a rule or the whole policy is removed from Pulumi, we look up the original state and re-apply it.

Testing

The e2e/integration test for this resource is special because using PIM requires a paid Entra ID P2 license. We have one that you can see here.
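The snapshot-then-restore approach described under Implementation, as an added illustration in Go that is not the provider's code: an in-memory API stands in for the PATCH-only ARM endpoint, Rules is a constructed stand-in for the real ~20 rules, and every rule id is assumed to already exist on the policy, as it does for a singleton.

```go
package main

import "fmt"

// Rules maps rule id to value: a constructed stand-in for a PIM policy's rules.
type Rules map[string]string

// API is an in-memory stand-in for the ARM endpoint, which supports only GET
// and PATCH for this resource: the policy can be neither created nor deleted.
type API map[string]Rules

func (a API) Get(policy string) Rules {
	live := Rules{}
	for id, v := range a[policy] {
		live[id] = v // copy, so Create's snapshot is not aliased by later patches
	}
	return live
}
func (a API) Patch(policy string, rules Rules) {
	for id, v := range rules {
		a[policy][id] = v
	}
}

// State is kept in Pulumi state: the pre-Pulumi rules plus those now managed.
type State struct{ Original, Managed Rules }

// Create snapshots the live policy before patching in the desired rules.
func Create(api API, policy string, desired Rules) State {
	return Update(api, policy, State{Original: api.Get(policy)}, desired)
}

// Update applies desired and restores the captured original of every rule that
// was managed but is no longer; Delete is Update with no desired rules.
func Update(api API, policy string, old State, desired Rules) State {
	patch := Rules{}
	for id := range old.Managed {
		patch[id] = old.Original[id] // restore; overwritten below if still desired
	}
	for id, v := range desired {
		patch[id] = v
	}
	api.Patch(policy, patch)
	return State{Original: old.Original, Managed: desired}
}

func main() {
	api := API{"guid": {"Expiration": "P180D", "MFA": "off"}} // constructed policy
	s := Create(api, "guid", Rules{"MFA": "on"})             // live MFA becomes "on"
	Update(api, "guid", s, nil)                              // "delete": MFA restored
	fmt.Println(api["guid"])                                 // map[Expiration:P180D MFA:off]
}
```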

Does the PR have any schema changes?

Looking good! No breaking changes found.

New resources:

  • authorization.RoleManagementPolicy

New functions:

  • authorization.getRoleManagementPolicy


codecov bot commented Oct 23, 2024

Codecov Report

Attention: Patch coverage is 44.01914% with 117 lines in your changes missing coverage. Please review.

Project coverage is 57.03%. Comparing base (7d76160) to head (dd99599).

Files with missing lines                                    Patch %   Lines
...ovider/pkg/resources/customresources/custom_pim.go        44.96%   72 Missing and 10 partials
provider/pkg/provider/provider.go                            36.36%   9 Missing and 5 partials
provider/pkg/openapi/discover.go                              0.00%   5 Missing and 1 partial
provider/pkg/provider/crud/crud.go                           66.66%   3 Missing
...r/pkg/resources/customresources/customresources.go        62.50%   2 Missing and 1 partial
...r/pkg/resources/customresources/custom_keyvault.go         0.00%   0 Missing and 2 partials
...ources/customresources/custom_keyvault_autorest.go         0.00%   2 Missing
...er/pkg/resources/customresources/custom_storage.go         0.00%   2 Missing
...es/customresources/custom_keyvault_accesspolicy.go         0.00%   1 Missing
...esources/customresources/custom_postgres_config.go         0.00%   0 Missing and 1 partial
... and 1 more
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3663      +/-   ##
==========================================
- Coverage   57.26%   57.03%   -0.23%     
==========================================
  Files          78       79       +1     
  Lines       12438    12621     +183     
==========================================
+ Hits         7122     7198      +76     
- Misses       4769     4860      +91     
- Partials      547      563      +16     


@thomas11 thomas11 marked this pull request as ready for review January 24, 2025 17:46
@thomas11 thomas11 changed the title Azure Entra PIM custom resource Custom resource for Azure PIM role management policies Jan 24, 2025