π§ Azure Subscription Custom Subscription Administrator Roles exist - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/prod.logic.yaml - Located in: π Azure Subscription Custom Subscription Administrator Roles exist π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π Azure Subscription | CA10__CaAzureAccount__c | 13 | 1 | 31 |
Usesβ
Test Results π’β
Generated at: 2025-04-24T23:46:14.722850431Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 199 | βοΈ CA10__Azure_Authorization_Role_Definitions__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test2 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | test3 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | test4 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | test5 | βοΈ 200 | βοΈ otherwise | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/policy.yaml | 513C8C5836BF33FDFCBA20DB5FD40742 |
| Open | /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/prod.logic.yaml | 73DFCC88B98DBCD02F77722E23EC9D31 |
| Open | /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/test-data.json | 765AF2CAA1D3B3A38E0FC73D056B3314 |
| Open | /types/CA10__CaAzureAuthorizationRole__c/object.extracts.yaml | 4CDB79E4A44CCA84E7046E7B9C7C8873 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/azure/subscription/custom-subscription-administrator-roles-exist/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAzureAccount__c"
testData:
- file: "test-data.json"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "This subscription has a custom role with owner permissions\
\ and assignable scope is set to subscription."
remediationMessage: "Consider removing the custom role."
check:
RELATED_LIST_HAS:
relationshipName: "CA10__Azure_Authorization_Role_Definitions__r"
status: "INCOMPLIANT"
otherwise:
status: "COMPLIANT"
currentStateMessage: "This subscription doesn't have a custom role with owner permissions."
relatedLists:
- relationshipName: "CA10__Azure_Authorization_Role_Definitions__r"
importExtracts:
- file: "/types/CA10__CaAzureAuthorizationRole__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is not a Custom role."
check:
NOT_EQUAL:
left:
EXTRACT: "CA10__roleType__c"
right:
TEXT: "CustomRole"
- status: "INAPPLICABLE"
currentStateMessage: "Permissions do not have * actions."
check:
# Returns true if permissions' actions have "*" action
IS_EQUAL:
left:
JSON_QUERY_BOOLEAN:
arg:
JSON_FROM:
arg:
EXTRACT: "CA10__permissionsJson__c"
undeterminedIf:
isInvalid: "The provided Permissions JSON is invalid."
expression: "contains([*].actions[], '*')"
undeterminedIf:
evaluationError: "JSON query boolean has failed."
resultTypeMismatch: "JSON query did not return boolean type."
right:
BOOLEAN: false
- status: "INCOMPLIANT"
currentStateMessage: "This custom role has owner permissions and subscription scopes."
remediationMessage: "Consider removing this role."
check:
# JSON_QUERY_NUMBER returns the number of scopes that fall into the filter:
# the scope start with '/subscriptions/' and does not contain 'resourceGroups'
GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
JSON_FROM:
arg:
EXTRACT: "CA10__assignableScopesJson__c"
undeterminedIf:
isInvalid: "The provided Assignable Scopes JSON is invalid."
expression: "length([?starts_with(@, '/subscriptions/') && !contains(@, 'resourceGroups')])"
undeterminedIf:
evaluationError: "JSON query number has failed."
resultTypeMismatch: "JSON query did not return number type."
right:
NUMBER: 0.0
otherwise:
status: "INAPPLICABLE"
currentStateMessage: "A role has owner permissions without subscription scopes."