@maniSbindra

Summary

This PR implements the --initialPermissions flag (closes #91) which allows users to specify permissions upfront to reduce MPF execution time. This also provides a workaround for the Terraform remote backend issue (#172).

Changes

New Feature: --initialPermissions flag

  • Added as a global flag available to all commands (arm, bicep, terraform)
  • Supports two formats:
    • Comma-separated list: --initialPermissions "perm1,perm2,perm3"
    • JSON file reference: --initialPermissions @path/to/file.json

Implementation

  • parseInitialPermissions() - Parses comma-separated or @file.json format
  • appendUserInitialPermissions() - Helper to reduce code duplication across commands
  • IterationCount field added to MPFResult to track discovery iterations

Testing

  • Added TestParseInitialPermissions unit tests for parsing logic
  • Added TestTerraformACIWithInitialPermissions e2e test that verifies 0 iterations when all permissions are provided upfront

Documentation

Use Cases

  1. Reduce execution time - Seed known permissions to skip discovery iterations
  2. Terraform remote backend - Provide storage account permissions before MPF runs
  3. CI/CD pipelines - Use cached permission files from previous runs

Example Usage

# Comma-separated
azmpf terraform --initialPermissions "Microsoft.Storage/storageAccounts/read,Microsoft.Storage/storageAccounts/listKeys/action" ...

# From file
azmpf terraform --initialPermissions @backend-permissions.json ...

Related Issues

- Add global --initialPermissions flag to specify permissions upfront
- Support comma-separated list or @file.json for loading from file
- Add parseInitialPermissions() and appendUserInitialPermissions() helpers
- Add IterationCount field to MPFResult for tracking discovery iterations
- Add e2e test TestTerraformACIWithInitialPermissions to verify 0 iterations
- Update documentation with usage examples and remote backend workaround
- Update known-issues-and-workarounds.MD with Remote Backend Access Denied section

This feature helps reduce MPF execution time by seeding known permissions
and provides a workaround for Terraform remote backend issues (#172).
@maniSbindra maniSbindra requested a review from a team as a code owner January 26, 2026 17:49
@maniSbindra maniSbindra added this pull request to the merge queue Jan 27, 2026
Merged via the queue into main with commit 2c089ee Jan 27, 2026
17 checks passed
@maniSbindra maniSbindra deleted the feature/91-initial-permissions-flag branch January 27, 2026 03:44
Development

Successfully merging this pull request may close these issues.

Provide option/flag to specify initial minimum permissions that the mpf utility should initialize with
