
Implementation Summary: Azure Custom Role Designer

🎯 Overview

A complete, production-ready CLI tool for platform engineers to create, update, and manage Azure custom roles with granular permission control.

✨ What Was Created

Core Tool Components

  1. custom_role_designer.py (Main CLI Tool)
     • 400+ lines of Click-based CLI interface
     • Interactive and command-line modes
     • Beautiful console output with Rich library
     • 10+ commands for role management

  2. role_manager.py (Role Management)
     • Pydantic data models for Azure roles
     • Load/save JSON role definitions
     • Merge multiple roles with deduplication
     • Remove permissions with filtering
     • Local file management

  3. permission_filter.py (Filtering Engine)
     • String pattern filtering (wildcards and regex)
     • Permission type classification (control/data plane)
     • Advanced filtering combinations
     • Permission extraction and merging

  4. azure_client.py (Azure Integration)
     • Azure SDK integration via Azure Identity
     • Create custom roles in Azure
     • Update existing roles
     • List roles from subscription
     • Delete roles
     • Support for Azure CLI, Service Principal, and Managed Identity

Documentation

  1. README.md - Quick start guide with installation and usage
  2. PLATFORM_ENGINEER_GUIDE.md - Comprehensive guide for platform engineers with:
     • Detailed installation instructions
     • Authentication methods
     • Basic and advanced usage
     • Workflow scenarios
     • Best practices
     • Troubleshooting
  3. FEATURE_REFERENCE.md - Complete feature reference with:
     • All commands documented
     • Usage patterns
     • Data model documentation
     • Filtering syntax
     • Integration examples

Configuration & Setup

  1. .env.example - Environment variable template for Azure auth
  2. setup.sh - Automated setup script
  3. .gitignore - Git configuration
  4. requirements.txt - Python dependencies

Examples & Testing

  1. examples/ directory with sample roles:
     • junior-developer.json - Restrictive permissions
     • senior-developer.json - Full permissions
     • devops-developer.json - DevOps-focused permissions

  2. tests.py - Comprehensive unit tests for:
     • Permission filtering
     • Role management
     • Merging operations
     • Permission removal

📋 All Requirements Covered

✅ Start a role from scratch

azure-custom-role-tool create --name "MyRole" --description "Description"

✅ Cherry pick from other roles

azure-custom-role-tool merge --roles "source-role" --filter "Microsoft.Storage*"

✅ Merge one or more permissions from existing roles

azure-custom-role-tool merge --roles "role1,role2,role3"

✅ Filter by string in permission

azure-custom-role-tool merge --roles "source" --filter "*blobs*"

✅ Filter by control/data permissions

azure-custom-role-tool merge --roles "source" --filter-type data

✅ Remove permissions based on existing role

azure-custom-role-tool remove --filter "*delete*"

✅ Remove permissions with same filters

azure-custom-role-tool remove --filter "*delete*" --filter-type control

📁 Complete File Structure

azure-custom-role-tool/
├── README.md                        # Quick start guide
├── PLATFORM_ENGINEER_GUIDE.md       # Comprehensive usage guide  
├── FEATURE_REFERENCE.md             # Complete feature documentation
├── requirements.txt                 # Python dependencies
├── .env.example                     # Environment template
├── .gitignore                       # Git configuration
├── setup.sh                         # Automated setup script
├── custom_role_designer.py          # Main CLI tool (400+ lines)
├── role_manager.py                  # Role management (350+ lines)
├── permission_filter.py             # Filtering engine (250+ lines)
├── azure_client.py                  # Azure integration (200+ lines)
├── tests.py                         # Unit tests (300+ lines)
├── examples/
│   ├── junior-developer.json        # Example role
│   ├── senior-developer.json        # Example role
│   └── devops-developer.json        # Example role
└── roles/                           # Local role storage

🚀 Quick Start

1. Installation

cd azure-custom-role-tool
bash setup.sh

Or manually:

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
az login

2. Create a Custom Role

azure-custom-role-tool create --name "MyRole" --description "My custom role"
azure-custom-role-tool merge --roles "senior-developer" --filter "Storage*"
azure-custom-role-tool remove --filter "*delete*"
azure-custom-role-tool save --name "my-role"
azure-custom-role-tool publish --name "my-role"

3. Interactive Mode

azure-custom-role-tool

🎨 Key Features

Powerful Filtering

  • String patterns with wildcards: Microsoft.Storage*, *read, *blobs*
  • Permission type filtering: control or data plane
  • Combinable filters for precision
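The merge, filter and remove commands above all reduce to one filtering rule over an Azure role definition: a case-insensitive wildcard on the permission string, optionally restricted to the control plane ("Actions") or the data plane ("DataActions"), with duplicates dropped on merge. The following is an added example that re-implements that rule with the standard library only; it is not code from the project's modules, and the two sample roles, their permission sets and the function names are constructed for illustration.

```python
"""Wildcard and control/data-plane filtering over Azure role definitions (added example,
not the project's modules). Azure role JSON: control plane = "Actions", data plane = "DataActions"."""
import fnmatch
from typing import Dict, Iterable, List, Optional

PLANE_KEYS = {"control": "Actions", "data": "DataActions"}

# Constructed sample roles (hypothetical permission sets, not the repo's examples/ files).
SENIOR_DEVELOPER = {
    "Name": "senior-developer",
    "Actions": ["Microsoft.Storage/storageAccounts/read",
                "Microsoft.Storage/storageAccounts/delete",
                "Microsoft.Web/sites/write"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
}
READER = {"Name": "reader", "Actions": ["*/read", "Microsoft.Storage/storageAccounts/read"]}

def matches(permission: str, pattern: Optional[str]) -> bool:
    """Case-insensitive glob match ('*' and '?'); no pattern means match everything."""
    return pattern is None or fnmatch.fnmatch(permission.lower(), pattern.lower())

def select(role: Dict, pattern: Optional[str] = None, plane: Optional[str] = None) -> Dict[str, List[str]]:
    """Permissions of `role` passing the string and plane filters, keyed by JSON field."""
    planes = [plane] if plane else list(PLANE_KEYS)
    return {PLANE_KEYS[p]: [a for a in role.get(PLANE_KEYS[p], []) if matches(a, pattern)]
            for p in planes}

def merge(target: Dict, sources: Iterable[Dict], pattern: Optional[str] = None,
          plane: Optional[str] = None) -> Dict:
    """Cherry-pick matching permissions from `sources` into `target`; deduplicated, order kept."""
    for src in sources:
        for key, perms in select(src, pattern, plane).items():
            kept = target.setdefault(key, [])
            for p in perms:
                if p not in kept:
                    kept.append(p)
    return target

def remove(target: Dict, pattern: str, plane: Optional[str] = None) -> Dict:
    """Drop permissions matching the same filters from the current role."""
    for key, doomed in select(target, pattern, plane).items():
        target[key] = [p for p in target.get(key, []) if p not in doomed]
    return target

def build_app_developer() -> Dict:
    """Run a create/merge/merge/remove sequence like the CLI examples on this page."""
    role = {"Name": "AppDeveloper", "Actions": [], "DataActions": []}
    merge(role, [SENIOR_DEVELOPER, READER], pattern="Microsoft.Storage*")
    merge(role, [SENIOR_DEVELOPER], pattern="Microsoft.Web*", plane="control")
    return remove(role, "*delete*")
```

Note that a broad source entry such as "*/read" is not pulled in by "Microsoft.Storage*" because the glob is applied to the literal permission string, so reviewing the resulting role before publishing is still the place to catch wildcard grants that slipped through.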

Multiple Usage Modes

  • Interactive mode: Menu-driven interface
  • Command-line mode: Scripting and CI/CD
  • Batch operations: Process multiple roles

Azure Integration

  • Direct deployment to Azure
  • Support for multiple authentication methods
  • List and manage roles in subscription

Safe Operations

  • Overwrite protection on saves
  • Deduplication of permissions
  • Preview before publishing

Well-Documented

  • Inline code documentation
  • Comprehensive user guides
  • Example roles
  • Unit tests

🔧 Technology Stack

  • Language: Python 3.8+
  • CLI Framework: Click
  • UI Library: Rich
  • Azure SDK: azure-identity, azure-mgmt-authorization
  • Data Validation: Pydantic
  • Testing: pytest

📊 Code Statistics

  • Total Lines of Code: ~2,000+
  • Core Modules: 4 (designer, manager, filter, azure_client)
  • CLI Commands: 10+ main commands
  • Test Coverage: Comprehensive unit tests
  • Documentation: 3 major guides + inline docs

🎓 Usage Examples

Example 1: Create Developer Role

azure-custom-role-tool create --name "AppDeveloper" --description "App development"
azure-custom-role-tool merge --roles "junior-developer,reader"
azure-custom-role-tool merge --roles "senior-developer" --filter "Microsoft.Web*"
azure-custom-role-tool remove --filter "*delete*"
azure-custom-role-tool save --name "app-developer"

Example 2: Environment-Specific Roles

# Dev - permissive
azure-custom-role-tool create --name "DataEng-Dev"
azure-custom-role-tool merge --roles "senior-developer"

# Prod - restrictive  
azure-custom-role-tool create --name "DataEng-Prod"
azure-custom-role-tool merge --roles "data-reader"
azure-custom-role-tool merge --roles "pipeline-operator"
azure-custom-role-tool remove --filter "*delete*"

Example 3: Team Permissions

azure-custom-role-tool create --name "CloudOpsTeam"
azure-custom-role-tool merge --roles "devops-developer,infrastructure-admin,monitoring-reader"
azure-custom-role-tool remove --filter "*delete*"
azure-custom-role-tool remove --filter "*deallocate*"
azure-custom-role-tool publish

🔐 Security Features

  • Azure CLI authentication (no secrets in code)
  • Service Principal support for CI/CD
  • Managed Identity support
  • Environment variable configuration
  • Role name validation
  • Permission review before publishing

📚 Documentation Included

  1. README.md - Get started in 5 minutes
  2. PLATFORM_ENGINEER_GUIDE.md - Complete platform engineer guide with:
     • Installation & setup
     • Authentication methods
     • Basic & advanced usage
     • Workflow scenarios
     • Best practices
     • Troubleshooting
  3. FEATURE_REFERENCE.md - Exhaustive feature documentation
  4. Inline code comments - Throughout all modules
  5. Example roles - In examples/ directory

✅ Testing

Run the unit tests:

python -m pytest tests.py -v

Tests cover:

  • Permission filtering (data/control plane detection)
  • String pattern matching
  • Role creation and loading
  • Merging operations
  • Permission removal
  • Save/load functionality

🎯 Next Steps

  1. Installation: Follow README.md setup instructions
  2. Learning: Read PLATFORM_ENGINEER_GUIDE.md
  3. Reference: Check FEATURE_REFERENCE.md for all commands
  4. Examples: Review example roles in examples/ directory
  5. Integration: Integrate into CI/CD pipelines

💡 Use Cases

  • ✅ Create least-privilege roles
  • ✅ Manage role versions across environments
  • ✅ Team permission management
  • ✅ Automated role provisioning in CI/CD
  • ✅ Role review and auditing
  • ✅ Permission consolidation from multiple roles

🔄 Integration Points

  • Git: Save roles in version control
  • CI/CD: Publish roles via pipelines
  • Azure: Direct subscription integration
  • Scripts: Command-line automation
  • Teams: Interactive mode for humans

📝 Notes

  • All commands are stateful (current role tracking)
  • Permissions are automatically deduplicated
  • Role IDs are auto-generated but can be overridden
  • Timestamps are automatically maintained
  • Local roles can be easily committed to Git

Support

For issues or questions:

  1. Check the PLATFORM_ENGINEER_GUIDE.md troubleshooting section
  2. Review example roles for patterns
  3. Check inline code documentation
  4. Contact the platform engineering team


Status: ✅ Complete and Ready for Use
Version: 1.0
Date Created: January 2024