allow definition of roleDefinitionIDs without subscription prefix

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

Author: mblaschke

config/opts.go

@@ -52,7 +52,7 @@ type (
 			RoleAssignments struct {
 				Enable               bool          `long:"janitor.roleassignments"                    env:"JANITOR_ROLEASSIGNMENTS_ENABLE"                          description:"Enable Azure RoleAssignments cleanup"`
 				Ttl                  time.Duration `long:"janitor.roleassignments.ttl"                env:"JANITOR_ROLEASSIGNMENTS_TTL"                             description:"Janitor roleassignment ttl (time.duration)"  default:"6h"`
-				RoleDefintionIds     []string      `long:"janitor.roleassignments.roledefinitionid"   env:"JANITOR_ROLEASSIGNMENTS_ROLEDEFINITIONID"  env-delim:" " description:"Janitor roledefinition ID (eg: /subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx)  (space delimiter)"`
+				RoleDefintionIds     []string      `long:"janitor.roleassignments.roledefinitionid"   env:"JANITOR_ROLEASSIGNMENTS_ROLEDEFINITIONID"  env-delim:" " description:"Janitor roledefinition ID (eg: /subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx or /providers/Microsoft.Authorization/roleDefinitions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx for subscription independent roleDefinitions)  (space delimiter)"`
 				AdditionalFilter     *string       `long:"janitor.roleassignments.filter"             env:"JANITOR_ROLEASSIGNMENTS_FILTER"                          description:"Additional $filter for Azure REST API for RoleAssignments"`
 				Filter               string
 				DescriptionTtl       *string `long:"janitor.roleassignments.descriptionttl"           env:"JANITOR_ROLEASSIGNMENTS_DESCRIPTIONTTL"                  description:"Regexp for detecting ttl inside description of RoleAssignment"`

janitor/deployments.go

@@ -2,6 +2,7 @@ package janitor
 
 import (
 	"context"
+	"strings"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
@@ -66,16 +67,16 @@ func (j *Janitor) runDeployments(ctx context.Context, logger *zap.SugaredLogger,
 					contextLogger.Infof("%s: successfully deleted", to.String(deployment.ID))
 
 					j.Prometheus.MetricDeletedResource.With(prometheus.Labels{
-						"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-						"resourceType":   stringToStringLower(resourceType),
+						"subscriptionID": to.StringLower(subscription.SubscriptionID),
+						"resourceType":   strings.ToLower(resourceType),
 					}).Inc()
 				} else {
 					// failed delete
 					contextLogger.Errorf("%s: ERROR %s", to.String(deployment.ID), err.Error())
 
 					j.Prometheus.MetricErrors.With(prometheus.Labels{
-						"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-						"resourceType":   stringToStringLower(resourceType),
+						"subscriptionID": to.StringLower(subscription.SubscriptionID),
+						"resourceType":   strings.ToLower(resourceType),
 					}).Inc()
 				}
 			} else {
@@ -138,16 +139,16 @@ func (j *Janitor) runDeployments(ctx context.Context, logger *zap.SugaredLogger,
 							resourceLogger.Infof("%s: successfully deleted", to.String(deployment.ID))
 
 							j.Prometheus.MetricDeletedResource.With(prometheus.Labels{
-								"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-								"resourceType":   stringToStringLower(resourceType),
+								"subscriptionID": to.StringLower(subscription.SubscriptionID),
+								"resourceType":   strings.ToLower(resourceType),
 							}).Inc()
 						} else {
 							// failed delete
 							resourceLogger.Errorf("%s: ERROR %s", to.String(deployment.ID), err.Error())
 
 							j.Prometheus.MetricErrors.With(prometheus.Labels{
-								"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-								"resourceType":   stringToStringLower(resourceType),
+								"subscriptionID": to.StringLower(subscription.SubscriptionID),
+								"resourceType":   strings.ToLower(resourceType),
 							}).Inc()
 						}
 					} else {

janitor/misc.go

@@ -2,6 +2,7 @@ package janitor
 
 import (
 	"context"
+	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions"
@@ -37,10 +38,10 @@ func (j *Janitor) runResourceGroups(ctx context.Context, logger *zap.SugaredLogg
 
 				if resourceExpiryTime != nil {
 					labels := prometheus.Labels{
-						"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-						"resourceID":     stringPtrToStringLower(resourceGroup.ID),
-						"resourceGroup":  stringPtrToStringLower(resourceGroup.Name),
-						"resourceType":   stringToStringLower(resourceType),
+						"subscriptionID": to.StringLower(subscription.SubscriptionID),
+						"resourceID":     to.StringLower(resourceGroup.ID),
+						"resourceGroup":  to.StringLower(resourceGroup.Name),
+						"resourceType":   strings.ToLower(resourceType),
 					}
 					labels = j.Azure.ResourceTagManager.AddResourceTagsToPrometheusLabels(ctx, labels, *resourceGroup.ID)
 					resourceTtl.AddTime(labels, *resourceExpiryTime)
@@ -60,8 +61,8 @@ func (j *Janitor) runResourceGroups(ctx context.Context, logger *zap.SugaredLogg
 						resourceLogger.Error(err.Error())
 
 						j.Prometheus.MetricErrors.With(prometheus.Labels{
-							"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-							"resourceType":   stringToStringLower(resourceType),
+							"subscriptionID": to.StringLower(subscription.SubscriptionID),
+							"resourceType":   strings.ToLower(resourceType),
 						}).Inc()
 					}
 				}
@@ -73,16 +74,16 @@ func (j *Janitor) runResourceGroups(ctx context.Context, logger *zap.SugaredLogg
 						resourceLogger.Infof("successfully deleted")
 
 						j.Prometheus.MetricDeletedResource.With(prometheus.Labels{
-							"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-							"resourceType":   stringToStringLower(resourceType),
+							"subscriptionID": to.StringLower(subscription.SubscriptionID),
+							"resourceType":   strings.ToLower(resourceType),
 						}).Inc()
 					} else {
 						// failed delete
 						resourceLogger.Error(err.Error())
 
 						j.Prometheus.MetricErrors.With(prometheus.Labels{
-							"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-							"resourceType":   stringToStringLower(resourceType),
+							"subscriptionID": to.StringLower(subscription.SubscriptionID),
+							"resourceType":   strings.ToLower(resourceType),
 						}).Inc()
 					}
 				}

janitor/resourcegroups.go

@@ -2,6 +2,7 @@ package janitor
 
 import (
 	"context"
+	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions"
@@ -43,8 +44,8 @@ func (j *Janitor) runResources(ctx context.Context, logger *zap.SugaredLogger, s
 				resourceLogger.Errorf("unable to detect apiVersion for Azure resource, cannot delete resource (please report this issue as bug)")
 
 				j.Prometheus.MetricErrors.With(prometheus.Labels{
-					"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-					"resourceType":   stringToStringLower(resourceType),
+					"subscriptionID": to.StringLower(subscription.SubscriptionID),
+					"resourceType":   strings.ToLower(resourceType),
 				}).Inc()
 
 				continue
@@ -57,8 +58,8 @@ func (j *Janitor) runResources(ctx context.Context, logger *zap.SugaredLogger, s
 
 				if resourceExpiryTime != nil {
 					labels := prometheus.Labels{
-						"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-						"resourceID":     stringPtrToStringLower(resource.ID),
+						"subscriptionID": to.StringLower(subscription.SubscriptionID),
+						"resourceID":     to.StringLower(resource.ID),
 						"resourceGroup":  azureResource.ResourceGroup,
 						"resourceType":   azureResource.ResourceType,
 					}

janitor/resources.go

@@ -2,6 +2,7 @@ package janitor
 
 import (
 	"context"
+	"strings"
 	"time"
 
 	armauthorization "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2"
@@ -39,18 +40,18 @@ func (j *Janitor) runRoleAssignments(ctx context.Context, logger *zap.SugaredLog
 			azureResource, _ := armclient.ParseResourceId(*roleAssignment.Properties.Scope)
 
 			roleAssignmentLogger := contextLogger.With(
-				zap.String("roleAssignmentId", stringPtrToStringLower(roleAssignment.ID)),
-				zap.String("scope", stringPtrToStringLower(roleAssignment.Properties.Scope)),
-				zap.String("principalId", stringPtrToStringLower(roleAssignment.Properties.PrincipalID)),
-				zap.String("principalType", stringToStringLower(string(*roleAssignment.Properties.PrincipalType))),
-				zap.String("roleDefinitionId", stringPtrToStringLower(roleAssignment.Properties.RoleDefinitionID)),
-				zap.String("subscriptionID", stringPtrToStringLower(subscription.SubscriptionID)),
+				zap.String("roleAssignmentId", to.StringLower(roleAssignment.ID)),
+				zap.String("scope", to.StringLower(roleAssignment.Properties.Scope)),
+				zap.String("principalId", to.StringLower(roleAssignment.Properties.PrincipalID)),
+				zap.String("principalType", strings.ToLower(string(*roleAssignment.Properties.PrincipalType))),
+				zap.String("roleDefinitionId", to.StringLower(roleAssignment.Properties.RoleDefinitionID)),
+				zap.String("subscriptionID", to.StringLower(subscription.SubscriptionID)),
 				zap.String("resourceGroup", azureResource.ResourceGroup),
 			)
 
-			// check if RoleDefinitionID is set
+			// check if roleAssignment is allowed for cleanup
 			// do not want to touch other RoleAssignments
-			if stringInSlice(*roleAssignment.Properties.RoleDefinitionID, j.Conf.Janitor.RoleAssignments.RoleDefintionIds) {
+			if j.isRoleAssignmentCleanupAllowed(roleAssignment) {
 				var roleAssignmentTtl *time.Duration
 				roleAssignmentLogger.Debug("checking ttl")
 
@@ -77,12 +78,12 @@ func (j *Janitor) runRoleAssignments(ctx context.Context, logger *zap.SugaredLog
 				roleAssignmentLogger.Debugf("detected ttl %v", roleAssignmentTtl.String())
 
 				resourceTtl.AddTime(prometheus.Labels{
-					"roleAssignmentId": stringPtrToStringLower(roleAssignment.ID),
-					"scope":            stringPtrToStringLower(roleAssignment.Properties.Scope),
-					"principalId":      stringPtrToStringLower(roleAssignment.Properties.PrincipalID),
-					"principalType":    stringPtrToStringLower(roleAssignment.Type),
-					"roleDefinitionId": stringPtrToStringLower(roleAssignment.Properties.RoleDefinitionID),
-					"subscriptionID":   stringPtrToStringLower(subscription.SubscriptionID),
+					"roleAssignmentId": to.StringLower(roleAssignment.ID),
+					"scope":            to.StringLower(roleAssignment.Properties.Scope),
+					"principalId":      to.StringLower(roleAssignment.Properties.PrincipalID),
+					"principalType":    to.StringLower(roleAssignment.Type),
+					"roleDefinitionId": to.StringLower(roleAssignment.Properties.RoleDefinitionID),
+					"subscriptionID":   to.StringLower(subscription.SubscriptionID),
 					"resourceGroup":    azureResource.ResourceGroup,
 				}, roleAssignmentExpiry)
 
@@ -94,16 +95,16 @@ func (j *Janitor) runRoleAssignments(ctx context.Context, logger *zap.SugaredLog
 							roleAssignmentLogger.Infof("successfully deleted")
 
 							j.Prometheus.MetricDeletedResource.With(prometheus.Labels{
-								"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-								"resourceType":   stringToStringLower(resourceType),
+								"subscriptionID": to.StringLower(subscription.SubscriptionID),
+								"resourceType":   strings.ToLower(resourceType),
 							}).Inc()
 						} else {
 							// failed delete
 							roleAssignmentLogger.Error(err.Error())
 
 							j.Prometheus.MetricErrors.With(prometheus.Labels{
-								"subscriptionID": stringPtrToStringLower(subscription.SubscriptionID),
-								"resourceType":   stringToStringLower(resourceType),
+								"subscriptionID": to.StringLower(subscription.SubscriptionID),
+								"resourceType":   strings.ToLower(resourceType),
 							}).Inc()
 						}
 					} else {
@@ -120,3 +121,19 @@ func (j *Janitor) runRoleAssignments(ctx context.Context, logger *zap.SugaredLog
 		resourceTtl.GaugeSet(j.Prometheus.MetricTtlRoleAssignments)
 	}
 }
+
+func (j *Janitor) isRoleAssignmentCleanupAllowed(roleAssignment *armauthorization.RoleAssignment) bool {
+	roleDefinitionID := to.StringLower(roleAssignment.Properties.RoleDefinitionID)
+	for _, check := range j.Conf.Janitor.RoleAssignments.RoleDefintionIds {
+		// sanity check, do not allow empty IDs
+		if len(check) == 0 {
+			continue
+		}
+		check = strings.ToLower(check)
+		if strings.EqualFold(roleDefinitionID, check) || strings.HasSuffix(roleDefinitionID, check) {
+			return true
+		}
+	}
+
+	return false
+}

janitor/roleassignments.go

@@ -105,7 +105,7 @@ func initArgparser() {
 
 	if Opts.Janitor.RoleAssignments.Enable {
 		if len(Opts.Janitor.RoleAssignments.RoleDefintionIds) == 0 {
-			logger.Panic("roleAssignment janitor active but no roleDefinitionIds defined")
+			logger.Fatal("roleAssignment janitor active but no roleDefinitionIds defined")
 		}
 	}
 
@@ -115,13 +115,20 @@ func initArgparser() {
 	}
 
 	if !Opts.Janitor.ResourceGroups.Enable && !Opts.Janitor.Resources.Enable && !Opts.Janitor.Deployments.Enable && !Opts.Janitor.RoleAssignments.Enable {
-		logger.Fatal("no janitor task (resources, resourcegroups, deployments, roleassignments) enabled, not starting")
+		logger.Fatal(`no janitor task (resources, resourcegroups, deployments, roleassignments) enabled, not starting`)
 	}
 
 	if Opts.Janitor.RoleAssignments.DescriptionTtl != nil {
 		Opts.Janitor.RoleAssignments.DescriptionTtlRegExp = regexp.MustCompile(*Opts.Janitor.RoleAssignments.DescriptionTtl)
 	}
 
+	for _, val := range Opts.Janitor.RoleAssignments.RoleDefintionIds {
+		val = strings.ToLower(val)
+		if !strings.Contains(val, "/providers/microsoft.authorization/roledefinitions/") {
+			logger.Fatal(`roleAssignment roleDefinition IDs MUST contain "/providers/Microsoft.Authorization/" for security reasons`)
+		}
+	}
+
 	checkForDeprecations()
 }