
[Bug Report]: Get-RoleAssignmentList.ps1 wildcard filter is incorrect.

Open jachin84 opened this issue 2 years ago • 1 comment

Describe the bug

Unless I'm missing something, the script Get-RoleAssignmentList.ps1 doesn't seem to be returning the correct results for me. I think the issue is here.

if ("$ProviderNamespace/$ResourceType" -eq 'Microsoft.Authorization/RoleAssignments') {
    # No filter
    $relevantRoles = $roleDefinitions
} else {
    # Filter Action based
    $relevantRoles += $roleDefinitions | Where-Object {
        $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
        $_.Actions -like "$ProviderNamespace/`**" -or
        $_.Actions -like '`**'
    }

    # Filter Data Action based
    $relevantRoles += $roleDefinitions | Where-Object {
        $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or
        $_.DataActions -like "$ProviderNamespace/`**" -or
        $_.DataActions -like '`**'
    }
}

In PowerShell to match the * character with the -like operator you need to enclose it in brackets like this: [*].

if ("$ProviderNamespace/$ResourceType" -eq 'Microsoft.Authorization/RoleAssignments') {
    # No filter
    $relevantRoles = $roleDefinitions
} else {
    # Filter Action based
    $relevantRoles += $roleDefinitions | Where-Object {
        $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
        $_.Actions -like "$ProviderNamespace/[*]*" -or
        $_.Actions -like '[*]*'
    }

    # Filter Data Action based
    $relevantRoles += $roleDefinitions | Where-Object {
        $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or
        $_.DataActions -like "$ProviderNamespace/[*]*" -or
        $_.DataActions -like '[*]*'
    }
}

To reproduce

$ProviderNamespace = "Microsoft.Network"
$ResourceType = "routeTables"

$allRoleDefinitions = Get-AzRoleDefinition

$badRoleList = $allRoleDefinitions | Where-Object {
    $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
    $_.Actions -like "$ProviderNamespace/`**" -or
    $_.Actions -like '`**'
} 

$badRoleList.Count

$goodRoleList = $allRoleDefinitions | Where-Object {
    $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
    $_.Actions -like "$ProviderNamespace/[*]*" -or
    $_.Actions -like '[*]*'
} 

$goodRoleList.Count

You can further compare the two lists by doing the following:

Compare-Object $badRoleList $goodRoleList -PassThru | ft

As an example, the 'Virtual Machine Administrator Login' role appears in the original list, but none of its actions are relevant to a route table:

Get-AzRoleDefinition 'Virtual Machine Administrator Login' | Select-Object -ExpandProperty Actions

Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/networkInterfaces/read
Microsoft.Compute/virtualMachines/*/read
Microsoft.HybridCompute/machines/*/read
Microsoft.HybridConnectivity/endpoints/listCredentials/action

Code snippet

No response

Relevant log output

No response

jachin84 May 03 '23 01:05
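The following is an added example, not code from the ResourceModules repository or from the issue author. It reproduces the wildcard-escaping problem described above offline: the role definitions are constructed stand-ins for what Get-AzRoleDefinition returns (the 'Virtual Machine Administrator Login' action list is copied from the issue; the three other roles are made up), and Get-RelevantRoles is a hypothetical helper with the same shape as the script's filter, with the two wildcard patterns passed in so the original and corrected variants can be run against the same input. It also shows a third way to write the pattern, using [System.Management.Automation.WildcardPattern]::Escape, which is the class -like is built on.

```powershell
# Added example (not the repository's or the issue author's code). Role definitions below
# are constructed stand-ins for Get-AzRoleDefinition output; Get-RelevantRoles is a
# hypothetical helper mirroring the filter in Get-RoleAssignmentList.ps1.

$ProviderNamespace = 'Microsoft.Network'
$ResourceType      = 'routeTables'

$roleDefinitions = @(
    [pscustomobject]@{
        # Action list copied from the issue text.
        Name        = 'Virtual Machine Administrator Login'
        Actions     = @(
            'Microsoft.Network/publicIPAddresses/read'
            'Microsoft.Network/virtualNetworks/read'
            'Microsoft.Network/loadBalancers/read'
            'Microsoft.Network/networkInterfaces/read'
            'Microsoft.Compute/virtualMachines/*/read'
            'Microsoft.HybridCompute/machines/*/read'
            'Microsoft.HybridConnectivity/endpoints/listCredentials/action'
        )
        DataActions = @()
    }
    # The three roles below are constructed for the demo.
    [pscustomobject]@{ Name = 'Constructed: whole-namespace role'; Actions = @('Microsoft.Network/*');                DataActions = @() }
    [pscustomobject]@{ Name = 'Constructed: route table reader';   Actions = @('Microsoft.Network/routeTables/read'); DataActions = @() }
    [pscustomobject]@{ Name = 'Constructed: global wildcard role'; Actions = @('*');                                  DataActions = @() }
)

# How PowerShell parses the candidate patterns for "a literal * followed by anything":
#  - in a double-quoted string the backtick is the string escape character and `* is not a
#    recognised escape sequence, so "`**" is parsed down to "**" before -like ever sees it,
#    and the literal star is lost (the pattern then matches every action in the namespace);
#  - inside a -like pattern, [*] is a character class containing only the star;
#  - WildcardPattern.Escape returns a backtick-escaped literal, and splicing it in through a
#    variable keeps the backtick, because variable expansion is not re-parsed for escapes.
$buggyNamespacePattern   = "$ProviderNamespace/`**"
$bracketNamespacePattern = "$ProviderNamespace/[*]*"
$escapedStar             = [System.Management.Automation.WildcardPattern]::Escape('*')
$escapedNamespacePattern = "$ProviderNamespace/$escapedStar*"

function Get-RelevantRoles {
    # Hypothetical helper: same filter as the script, with the two wildcard patterns
    # parameterised so both variants can be compared on identical input.
    param(
        [Parameter(Mandatory)] [object[]] $RoleDefinitions,
        [Parameter(Mandatory)] [string]   $ProviderNamespace,
        [Parameter(Mandatory)] [string]   $ResourceType,
        [Parameter(Mandatory)] [string]   $NamespaceWildcard,
        [Parameter(Mandatory)] [string]   $GlobalWildcard
    )
    $typePattern = "$ProviderNamespace/$ResourceType/*"
    # -like applied to an array returns the matching elements; a non-empty result is truthy.
    $RoleDefinitions | Where-Object {
        ($_.Actions     -like $typePattern) -or ($_.Actions     -like $NamespaceWildcard) -or ($_.Actions     -like $GlobalWildcard) -or
        ($_.DataActions -like $typePattern) -or ($_.DataActions -like $NamespaceWildcard) -or ($_.DataActions -like $GlobalWildcard)
    }
}

$common = @{ RoleDefinitions = $roleDefinitions; ProviderNamespace = $ProviderNamespace; ResourceType = $ResourceType }
$badRoleList     = Get-RelevantRoles @common -NamespaceWildcard $buggyNamespacePattern   -GlobalWildcard '`**'
$goodRoleList    = Get-RelevantRoles @common -NamespaceWildcard $bracketNamespacePattern -GlobalWildcard '[*]*'
$escapedRoleList = Get-RelevantRoles @common -NamespaceWildcard $escapedNamespacePattern -GlobalWildcard "$escapedStar*"

"Namespace pattern as parsed from the original script: $buggyNamespacePattern"
"Roles matched by the original filter: $($badRoleList.Name -join ', ')"
"Roles matched by the [*] filter:      $($goodRoleList.Name -join ', ')"
"Roles matched by the escaped filter:  $($escapedRoleList.Name -join ', ')"

# Roles the original filter lets through that the corrected one rejects.
Compare-Object -ReferenceObject $badRoleList -DifferenceObject $goodRoleList -Property Name
```

Run it in any PowerShell session; nothing here needs the Az module. The single-quoted '`**' in the original script is not affected by the string-parsing problem, because single quotes keep the backtick and the wildcard engine treats `* as a literal star; it is only the double-quoted "$ProviderNamespace/`**" that loses its escape. If you prefer the backtick form over [*], writing "$ProviderNamespace/``**" (a doubled backtick inside double quotes) produces the same pattern string as the WildcardPattern.Escape variant above.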

Linking to discussion #3155

AlexanderSehr May 04 '23 17:05