
Multiple fixes (#610)
techlake authored May 2, 2024
1 parent f7b9e06 commit 33d384c
Showing 5 changed files with 82 additions and 53 deletions.
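--- a/Scripts/Helpers/Add-SelectedPacArray.ps1
+++ b/Scripts/Helpers/Add-SelectedPacArray.ps1
@@ -7,9 +7,17 @@ function Add-SelectedPacArray {
 [Parameter(Mandatory = $true)]
 [string] $PacSelector,
 
-[System.Collections.ArrayList] $OutputArrayList
+[Parameter(Mandatory = $false)]
+$ExistingList = $null
 )
 
+$OutputArrayList = [System.Collections.ArrayList]::new()
+if ($null -ne $ExistingList) {
+if ($ExistingList -isnot [System.Collections.IList]) {
+throw "ExistingList must be of type System.Collections.IList"
+}
+$null = $OutputArrayList.AddRange($ExistingList)
+}
 $array = $InputObject.$PacSelector
 if ($null -ne $array) {
 if ($array -isnot [array]) {
@@ -25,4 +33,5 @@ function Add-SelectedPacArray {
 }
 $null = $OutputArrayList.AddRange($array)
 }
+Write-Output $OutputArrayList -NoEnumerate
 }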
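Review bot: The new contract of this function — it no longer appends to a caller-owned list but copies `$ExistingList` into a fresh ArrayList and returns it via `Write-Output -NoEnumerate` — is not documented anywhere in the function, and a caller that keeps the old pattern and ignores the return value now silently loses every accumulated entry; in this repository those lists hold notScopes and additionalRoleAssignments, so a dropped entry changes where a policy applies or what role a managed identity is granted. I would add comment-based help above the `param` block stating that the input list is never mutated, that the result must be assigned, and that `$ExistingList` must be an `IList` or `$null`. The type check could also name the offending type so a misconfigured caller is diagnosable: `throw "ExistingList must be of type System.Collections.IList, got [$($ExistingList.GetType().FullName)]"`. Note that the function's signature (including `$InputObject`) starts before the first hunk and the body of the `-isnot [array]` branch falls between the two hunks, so I cannot see how a scalar `$InputObject.$PacSelector` value is handled there versus the scalar-rejecting `$ExistingList` check.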
7 changes: 4 additions & 3 deletions Scripts/Helpers/Build-AssignmentDefinitionAtLeaf.ps1
Expand Up @@ -590,7 +590,7 @@ function Build-AssignmentDefinitionAtLeaf {
# $null = $null
# }
$requiredRoleAssignment = @{
scope = $scopeEntry.scope
scope = $scope
roleDefinitionId = $roleDefinitionId
roleDisplayName = $roleDisplayName
description = "Policy Assignment '$id': Role Assignment required by Policy, deployed by: '$($PacEnvironment.deployedBy)'"
Expand All @@ -603,14 +603,15 @@ function Build-AssignmentDefinitionAtLeaf {
if ($additionalRoleAssignments) {
foreach ($additionalRoleAssignment in $additionalRoleAssignments) {
$roleDefinitionId = $additionalRoleAssignment.roleDefinitionId
$roleAssignmentScope = $additionalRoleAssignment.scope
$roleDisplayName = "Unknown"
if ($RoleDefinitions.ContainsKey($roleDefinitionId)) {
$roleDisplayName = $RoleDefinitions.$roleDefinitionId
}
$requiredRoleAssignment = $null
if ($additionalRoleAssignment.crossTenant -eq $true) {
$requiredRoleAssignment = @{
scope = $additionalRoleAssignment.scope
scope = $roleAssignmentScope
roleDefinitionId = $roleDefinitionId
roleDisplayName = $roleDisplayName
description = "Policy Assignment '$id': additional cross tenant Role Assignment deployed by: '$($PacEnvironment.deployedBy)'"
Expand All @@ -619,7 +620,7 @@ function Build-AssignmentDefinitionAtLeaf {
}
else {
$requiredRoleAssignment = @{
scope = $additionalRoleAssignment.scope
scope = $roleAssignmentScope
roleDefinitionId = $roleDefinitionId
roleDisplayName = $roleDisplayName
description = "Policy Assignment '$id': additional Role Assignment deployed by: '$($PacEnvironment.deployedBy)'"
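Review bot: In the additionalRoleAssignments loop, `$roleAssignmentScope = $additionalRoleAssignment.scope` is read and placed straight into the role-assignment hashtable with no check that it is non-empty, and the same loop proceeds when the roleDefinitionId is not found in `$RoleDefinitions` (display name falls back to `"Unknown"` but the grant is still emitted). Since these entries turn into RBAC grants for the assignment's managed identity — in the `crossTenant` branch into another tenant — a missing or mistyped scope should fail here rather than be discovered at deployment, unless the assignment JSON is schema-validated upstream, which I cannot see from this hunk. I would add, right after the assignment on the new line, `if ([string]::IsNullOrWhiteSpace($roleAssignmentScope)) { throw "Policy Assignment '$id': additionalRoleAssignments entry is missing 'scope'" }`, and consider at least a warning when the role definition is unknown. The enclosing function Build-AssignmentDefinitionAtLeaf begins and ends outside these hunks.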
9 changes: 4 additions & 5 deletions Scripts/Helpers/Build-AssignmentDefinitionNode.ps1
Expand Up @@ -313,15 +313,14 @@ function Build-AssignmentDefinitionNode {
# may define notScope or notScopes
$definitionNotScopesList = $definition.notScopesList
if ($DefinitionNode.notScope) {
Add-SelectedPacArray -InputObject $DefinitionNode.notScope -PacSelector $pacSelector -OutputArrayList $definitionNotScopesList
$definition.notScopesList = Add-SelectedPacArray -InputObject $DefinitionNode.notScope -PacSelector $pacSelector -ExistingList $definitionNotScopesList
}
if ($DefinitionNode.notScopes) {
Add-SelectedPacArray -InputObject $DefinitionNode.notScopes -PacSelector $pacSelector -OutputArrayList $definitionNotScopesList
$definition.notScopesList = Add-SelectedPacArray -InputObject $DefinitionNode.notScopes -PacSelector $pacSelector -ExistingList $definitionNotScopesList
}
if ($DefinitionNode.scope) {
## Found a scope list - process scope notScopes
$scopeList = [System.Collections.ArrayList]::new()
Add-SelectedPacArray -InputObject $DefinitionNode.scope -PacSelector $pacSelector -OutputArrayList $scopeList
$scopeList = Add-SelectedPacArray -InputObject $DefinitionNode.scope -PacSelector $pacSelector
if ($scopeList.Count -eq 0) {
# This branch does not have a scope for this assignment's pacSelector; ignore branch
$definition.hasOnlyNotSelectedEnvironments = $true
Expand Down Expand Up @@ -384,7 +383,7 @@ function Build-AssignmentDefinitionNode {
#region identity and additionalRoleAssignments (optional, specific to an EPAC environment)
if ($DefinitionNode.additionalRoleAssignments) {
# Process additional permissions needed to execute remediations; for example permissions to log to Event Hub, Storage Account or Log Analytics
Add-SelectedPacArray -InputObject $DefinitionNode.additionalRoleAssignments -PacSelector $pacSelector -OutputArrayList $definition.additionalRoleAssignments
$definition.additionalRoleAssignments = Add-SelectedPacArray -InputObject $DefinitionNode.additionalRoleAssignments -PacSelector $pacSelector -ExistingList $definition.additionalRoleAssignments
}

if ($DefinitionNode.managedIdentityLocations) {
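Review bot: The two notScopes calls both pass `$definitionNotScopesList`, which was captured from `$definition.notScopesList` before either call ran, so when a node defines both `notScope` and `notScopes` the second call starts from the stale list and its assignment to `$definition.notScopesList` discards the entries the first call just added; the old in-place `-OutputArrayList` pattern accumulated both. The comment above says "notScope or notScopes", so this may be rare, but a dropped notScope silently changes the set of resources a policy assignment excludes. The smallest fix is to chain the second call off the updated property: `$definition.notScopesList = Add-SelectedPacArray -InputObject $DefinitionNode.notScopes -PacSelector $pacSelector -ExistingList $definition.notScopesList`. The enclosing function Build-AssignmentDefinitionNode starts and ends outside these hunks.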

