The High Level MPF flow describes the overall flow of the Minimum Permissions Finder (MPF) system. This document provides a detailed design of the MPF system, including the key components and abstractions.
For each deployment type (ARM, Terraform) an implementation of the `DeploymentAuthorizationCheckerCleaner` interface is provided. The two key methods each implementation must provide are `GetDeploymentAuthorizationErrors()` and `CleanUpResources()`.
- The deployment type commands, i.e. `armCmd`, `bicepCmd`, and `terraformCmd`, are responsible for initializing the required dependencies, including the `MPFService`, to find the minimum permissions required for the deployment. This is illustrated in the sequence diagram below.
- `pkg/usecase/mpfService.go`: Orchestrates the whole process of finding the minimum permissions required for any deployment type (ARM/Bicep/Terraform). It uses the `DeploymentAuthorizationCheckerCleaner` abstraction for any deployment type, be it ARM, Bicep, or Terraform. On receiving deployment authorization errors, it uses the `AuthorizationErrorParser` to parse the authorization errors and get the missing permissions and scopes. After adding the missing permissions to the custom role, it retries the deployment until it succeeds. It also cleans up all resources created during the process.
- `pkg/infrastructure/authorizationCheckers/ARMTemplateWhatIf/armTemplateWhatIfAuthorizationChecker.go`: Contains the `DeploymentAuthorizationCheckerCleaner` implementation for ARM (and Bicep) deployments.
- `pkg/infrastructure/authorizationCheckers/terraform/terraformAuthorizationChecker.go`: Contains the `DeploymentAuthorizationCheckerCleaner` implementation for Terraform deployments.
- `pkg/domain/authorizationErrorParser.go`: Contains the core logic of the MPF, which is to parse the different kinds of authorization errors and figure out the required permissions and scopes from those errors.
For Bicep, the only difference from the ARM template flow is that, as a first step, the `bicepCmd` converts the Bicep file to an ARM template file.