
Validate minimum required permissions by content instead of count in TestARMTemplatMultiResourceTemplateFullDeployment #199

@maniSbindra

Description

The test TestARMTemplatMultiResourceTemplateFullDeployment in e2eTests/e2eArm_test.go currently asserts that the number of required permissions equals a specific count. In the case of this specific test, this approach is fragile and results in flaky test behavior because:

  1. Subscription policies vary: Different Azure subscriptions may have policies that require additional permissions (such as private endpoint approvals)
  2. The count may vary by subscription: The assertion was changed from 57 to 69 in PR #179 when the subscription used for e2e tests changed. While the count of 57 had remained consistent across various other subscriptions, asserting on count alone doesn't validate the actual permissions.

Current Behavior

The test currently uses:

assert.Equal(t, 69, len(mpfResult.RequiredPermissions[mpfConfig.SubscriptionID]))

This assertion fails when run against subscriptions with different policies, even though the core 57 permissions are correctly identified.

Expected Behavior

The test should validate that the specific 57 minimum permissions (listed in the test comments) are contained within the result set, rather than asserting an exact count. This allows for:

  • Additional permissions to be returned based on subscription/management group policies
  • Consistent test results across different subscription configurations

Proposed Solution

Modify the test to:

  1. Define the expected 57 baseline permissions as a slice/set
  2. Assert that all 57 baseline permissions are present in the result
  3. Optionally log any additional permissions found (for debugging/awareness)

Baseline Permissions (57)

These are the minimum permissions that should always be present:

Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.ContainerRegistry/registries/read
Microsoft.ContainerRegistry/registries/write
Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write
Microsoft.Insights/actionGroups/read
Microsoft.Insights/actionGroups/write
Microsoft.Insights/activityLogAlerts/read
Microsoft.Insights/activityLogAlerts/write
Microsoft.Insights/diagnosticSettings/read
Microsoft.Insights/diagnosticSettings/write
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/write
Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.ManagedIdentity/userAssignedIdentities/write
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write
Microsoft.Network/applicationGateways/read
Microsoft.Network/applicationGateways/write
Microsoft.Network/bastionHosts/read
Microsoft.Network/bastionHosts/write
Microsoft.Network/natGateways/read
Microsoft.Network/natGateways/write
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
Microsoft.Network/privateDnsZones/write
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write
Microsoft.Network/privateEndpoints/read
Microsoft.Network/privateEndpoints/write
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/publicIPPrefixes/read
Microsoft.Network/publicIPPrefixes/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/write
Microsoft.OperationalInsights/workspaces/listKeys/action
Microsoft.OperationalInsights/workspaces/read
Microsoft.OperationalInsights/workspaces/sharedKeys/action
Microsoft.OperationalInsights/workspaces/write
Microsoft.OperationsManagement/solutions/read
Microsoft.OperationsManagement/solutions/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write

Additional Permissions (Subscription-Dependent)

Some subscriptions may require additional permissions due to policies. For example, subscriptions with private endpoint policies may need:

Microsoft.ContainerRegistry/registries/PrivateEndpointConnectionsApproval/action
Microsoft.KeyVault/vaults/PrivateEndpointConnectionsApproval/action
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/virtualNetworks/join/action
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action

Implementation Example

// Define baseline permissions that must always be present
baselinePermissions := []string{
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    // ... all 57 permissions
}

// Assert all baseline permissions are present in the result
actualPermissions := mpfResult.RequiredPermissions[mpfConfig.SubscriptionID]
for _, expectedPerm := range baselinePermissions {
    assert.Contains(t, actualPermissions, expectedPerm,
        "Missing expected permission: %s", expectedPerm)
}

// Optionally: Assert minimum count
assert.GreaterOrEqual(t, len(actualPermissions), len(baselinePermissions),
    "Expected at least %d permissions, got %d", len(baselinePermissions), len(actualPermissions))
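A fuller version of the containment check sketched above, written as an added example for this issue and not taken from the project's e2e test code. It assumes a helper named CheckBaseline that returns the baseline entries not present in the result set and the subscription-dependent extras the result set carries beyond the baseline, so the test can fail on the former and log the latter. Two details go beyond the issue text and are design choices of this example: comparison is case-insensitive, because Azure RBAC action names are not case-sensitive and a casing change in the tool output should not fail the test, and a wildcard entry in the result such as Microsoft.Resources/deployments/* is treated as covering the literal actions beneath it. The sampleBaseline and sampleActual lists are constructed stand-ins (a six-entry subset of the 57, and a fake result set) rather than real tool output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleBaseline is a constructed subset of the 57 baseline permissions
// listed in the issue; the real test carries the full list.
var sampleBaseline = []string{
	"Microsoft.Authorization/roleAssignments/read",
	"Microsoft.Authorization/roleAssignments/write",
	"Microsoft.Resources/deployments/read",
	"Microsoft.Resources/deployments/write",
	"Microsoft.Storage/storageAccounts/read",
	"Microsoft.Storage/storageAccounts/write",
}

// sampleActual is a constructed stand-in for
// mpfResult.RequiredPermissions[mpfConfig.SubscriptionID]: one entry differs
// only in case, one baseline entry is absent, one policy-driven extra is
// present, one wildcard covers two baseline entries, one entry is duplicated.
var sampleActual = []string{
	"Microsoft.Authorization/roleAssignments/read",
	"microsoft.authorization/roleassignments/write",
	"Microsoft.Resources/deployments/*",
	"Microsoft.Storage/storageAccounts/read",
	"Microsoft.Network/virtualNetworks/join/action",
	"Microsoft.Authorization/roleAssignments/read",
}

// normalize folds case and trims whitespace; Azure RBAC action strings are
// compared case-insensitively, so a casing change must not fail the test.
func normalize(p string) string {
	return strings.ToLower(strings.TrimSpace(p))
}

// wildcardMatch reports whether pattern (an action that may contain '*')
// matches s; '*' matches any run of characters, including '/'.
// Both arguments are expected to be normalized already.
func wildcardMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	first, last := parts[0], parts[len(parts)-1]
	if len(s) < len(first)+len(last) ||
		!strings.HasPrefix(s, first) || !strings.HasSuffix(s, last) {
		return false
	}
	s = s[len(first) : len(s)-len(last)]
	for _, mid := range parts[1 : len(parts)-1] {
		idx := strings.Index(s, mid)
		if idx < 0 {
			return false
		}
		s = s[idx+len(mid):]
	}
	return true
}

// CheckBaseline returns the baseline permissions no entry in actual covers
// (missing) and the deduplicated entries of actual that are not baseline
// permissions (extra, original casing kept). A wildcard entry in actual
// counts as covering the literal actions beneath it but is still reported
// as an extra so the log shows what the subscription added. Both sorted.
func CheckBaseline(actual, baseline []string) (missing, extra []string) {
	actualSet := make(map[string]struct{}, len(actual))
	for _, a := range actual {
		actualSet[normalize(a)] = struct{}{}
	}
	baseSet := make(map[string]struct{}, len(baseline))
	for _, b := range baseline {
		baseSet[normalize(b)] = struct{}{}
	}
	for _, b := range baseline {
		nb := normalize(b)
		if _, ok := actualSet[nb]; ok {
			continue
		}
		covered := false
		for a := range actualSet {
			if strings.Contains(a, "*") && wildcardMatch(a, nb) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, b)
		}
	}
	seen := make(map[string]struct{}, len(actual))
	for _, a := range actual {
		na := normalize(a)
		if _, dup := seen[na]; dup {
			continue
		}
		seen[na] = struct{}{}
		if _, ok := baseSet[na]; !ok {
			extra = append(extra, a)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	return missing, extra
}

func main() {
	missing, extra := CheckBaseline(sampleActual, sampleBaseline)
	fmt.Println("missing baseline permissions:", missing)
	fmt.Println("extra (subscription-dependent) permissions:", extra)
}
```

In the e2e test this collapses to one assertion plus a log line: call CheckBaseline with mpfResult.RequiredPermissions[mpfConfig.SubscriptionID] and the full 57-entry baseline, assert.Empty on missing, and t.Logf the extra slice so a new policy-driven permission is visible in CI output without breaking the run. The GreaterOrEqual count check in the snippet above becomes redundant once containment is asserted. If the test should demand the literal deployments/read and deployments/write actions rather than accept the deployments/* wildcard, delete the wildcard branch in CheckBaseline.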

Labels

enhancement: New feature or request