feat: flatten permissions #525
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request represents a significant refactor of the ALZ PowerShell module focused on improving the cleanup experience and code organization. The main changes include replacing the Write-InformationColored function with a more robust Write-ToConsoleLog function, adding new removal functions for GitHub and Azure DevOps resources, and refactoring the tooling validation into a more flexible check-based system.
Changes:
- Replaced
Write-InformationColoredwith newWrite-ToConsoleLogfunction for standardized logging with timestamps and levels - Added
Remove-GitHubAcceleratorandRemove-AzureDevOpsAcceleratorfunctions for cleaning up VCS resources - Refactored
Test-Toolingto use a modular check-based approach with separate validation functions for each requirement - Enhanced
Read-MenuSelectionwith support for label/value pairs, manual entry, type validation, and sensitive input handling - Updated
Remove-PlatformLandingZoneto support regex pattern matching for management groups and added new parameters for flexible subscription placement - Refactored
Request-ALZConfigurationValueto use the enhanced menu selection with pre-fetched Azure context - Removed
grant_permissions_to_current_userparameter from schema (flattening permissions logic)
Reviewed changes
Copilot reviewed 41 out of 41 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| Write-ToConsoleLog.ps1 | New shared logging function with timestamp, log levels, color coding, and file output support |
| Write-InformationColored.ps1 | Deleted - replaced by Write-ToConsoleLog |
| Remove-GitHubAccelerator.ps1 | New function to remove GitHub repositories, teams, and runner groups created by accelerator |
| Remove-AzureDevOpsAccelerator.ps1 | New function to remove Azure DevOps projects and agent pools created by accelerator |
| Test-Tooling.ps1 | Refactored to use modular check system instead of inline validation logic |
| Test-*.ps1 (8 files) | New modular check functions for PowerShell, Git, Azure CLI, GitHub CLI, Azure DevOps CLI, etc. |
| Remove-PlatformLandingZone.ps1 | Updated to use Write-ToConsoleLog, added regex pattern matching for management groups, new placement parameters |
| Read-MenuSelection.ps1 | Significantly enhanced with label/value support, validation, sensitive input, and better UX |
| Request-ALZConfigurationValue.ps1 | Refactored to use enhanced Read-MenuSelection with pre-fetched Azure context |
| Get-AzureContext.ps1 | Updated to return label/value pairs for menu selection compatibility |
| AcceleratorInputSchema.json | Changed GUID fields from "string" with "format" to "guid" type, removed grant_permissions parameter |
| Deploy-Accelerator.ps1 | Updated to use new logging and check-based tooling validation |
| Various test and helper files | Updated to use Write-ToConsoleLog and new function signatures |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Write-ToConsoleLog "Accelerator software requirements have no been met, please review and install the missing software." -IsError | ||
| Write-ToConsoleLog "Cannot continue with Deployment..." -IsError | ||
| throw "Accelerator software requirements have no been met, please review and install the missing software." |
There was a problem hiding this comment.
Typo in error message: "have no been met" should be "have not been met". This appears twice on lines 111 and 113. The message should read "Accelerator software requirements have not been met, please review and install the missing software."
| Write-ToConsoleLog "Accelerator software requirements have no been met, please review and install the missing software." -IsError | |
| Write-ToConsoleLog "Cannot continue with Deployment..." -IsError | |
| throw "Accelerator software requirements have no been met, please review and install the missing software." | |
| Write-ToConsoleLog "Accelerator software requirements have not been met, please review and install the missing software." -IsError | |
| Write-ToConsoleLog "Cannot continue with Deployment..." -IsError | |
| throw "Accelerator software requirements have not been met, please review and install the missing software." |
| if ($Overwrite) { | ||
| $prefix = "`r" | ||
| } else { | ||
| if ($AddNewLine -or ($defaultSettings -and $defaultSettings.NewLine)) { |
There was a problem hiding this comment.
Variable name mismatch: The function references $AddNewLine on line 196, but this parameter doesn't exist in the function definition. The parameter is named $NewLine (defined at line 65). This will cause the newline logic to never be triggered by the NewLine parameter.
| if ($AddNewLine -or ($defaultSettings -and $defaultSettings.NewLine)) { | |
| if ($NewLine -or ($defaultSettings -and $defaultSettings.NewLine)) { |
| if(-not $BypassConfirmation) { | ||
| Write-ToConsoleLog "The following Management Groups will be processed for removal:" | ||
| $managementGroupsFound | ForEach-Object { Write-ToConsoleLog "Management Group: $($_.Name) ($($_.DisplayName))" -NoNewLine } | ||
| $managementGroupsFound | ForEach-Object { Write-ToConsoleLog "Management Group: $($_.Name) ($($_.DisplayName))" } | ||
|
|
||
| if($PlanMode) { | ||
| Write-ToConsoleLog "Skipping confirmation for plan mode" |
There was a problem hiding this comment.
Typo in error message: "MANAGEMENTS" should be "MANAGEMENT". The message "ALL THE LISTED MANAGEMENTS GROUPS AND THEIR CHILDREN WILL BE PERMANENTLY DELETED" should read "ALL THE LISTED MANAGEMENT GROUPS AND THEIR CHILDREN WILL BE PERMANENTLY DELETED".
| Write-Verbose "powershell-yaml module is not installed, attempting installation" | ||
| $installResult = Install-PSResource powershell-yaml -TrustRepository -Scope $Scope 2>&1 | ||
| if($installResult -like "*Access to the path*") { | ||
| Write-Verbose "Failed to install powershell-yaml module due to permission issues at $Scope scope." | ||
| $results += @{ | ||
| message = "powershell-yaml module is not installed. Please install it using an admin terminal with 'Install-PSResource powershell-yaml -Scope $Scope'. Could not install due to permission issues." | ||
| result = "Failure" | ||
| } | ||
| $hasFailure = $true | ||
| } elseif ($null -ne $installResult) { | ||
| Write-Verbose "Failed to install powershell-yaml module: $installResult" | ||
| $results += @{ | ||
| message = "powershell-yaml module is not installed. Please install it using 'Install-PSResource powershell-yaml -Scope $Scope'. Attempted installation error: $installResult" | ||
| result = "Failure" | ||
| } | ||
| $hasFailure = $true | ||
| } else { | ||
| $installedVersion = (Get-InstalledPSResource -Name powershell-yaml -Scope $Scope).Version |
There was a problem hiding this comment.
The Test-YamlModule helper automatically installs the third-party powershell-yaml module at runtime via Install-PSResource without pinning a specific version or verifying integrity, which introduces a supply-chain risk. If the upstream package or repository is compromised, running this code in an environment with Azure/admin credentials would execute attacker-controlled PowerShell in the current session. Consider requiring operators to pre-install a vetted, pinned version of powershell-yaml (or at least checking for a specific version) instead of auto-installing the latest package at runtime.
Pull Request
Improve cleanup and flatten permissions