Fix panic in PimRoleEligibilitySchedule with NoExpiration type #4402
| permissions: | ||
| id-token: write | ||
| contents: read |
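Review bot: on the `permissions:` block, an explicit block sets every scope that is not listed to none, so confirm the docs build dispatch job needs nothing beyond `contents: read`. Because `id-token: write` lets the job request OIDC tokens, the block should stay on that one job rather than at workflow level; the indentation is not visible in these lines, so that is worth checking in release.yml.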
An extra fix riding in this PR; this fix was applied directly to the v3.10.1 branch and will be needed going forward.
Does the PR have any schema changes?

Looking good! No breaking changes found.
Pull Request Overview
This PR fixes a bug in PIM eligibility schedule expiration handling and adds necessary OIDC permissions to the release workflow.
- Fixed optional field handling for `duration` and `endDateTime` in schedule expiration configuration
- Added test coverage for `NoExpiration` and `AfterDateTime` expiration types
- Added OIDC permissions to the docs build dispatch job
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| provider/pkg/resources/customresources/custom_pim_eligibility.go | Fixed bug where duration field was accessed unconditionally; now properly handles optional duration and endDateTime fields based on expiration type |
| provider/pkg/resources/customresources/custom_pim_eligibility_test.go | Added comprehensive test coverage for NoExpiration and AfterDateTime expiration types |
| .github/workflows/release.yml | Added required id-token: write and contents: read permissions for OIDC authentication in the docs build job |
Codecov Report
❌ Patch coverage is

Additional details and impacted files
@@ Coverage Diff @@
## master #4402 +/- ##
=======================================
Coverage 59.37% 59.37%
=======================================
Files 91 91
Lines 11444 11450 +6
=======================================
+ Hits 6795 6799 +4
- Misses 4014 4015 +1
- Partials 635 636 +1
Add id-token: write permission to dispatch_docs_build job to enable OIDC token minting for Pulumi ESC authentication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit fixes a panic that occurred when creating a PimRoleEligibilitySchedule resource with NoExpiration type without providing a duration field.

The bug was in the inputsToSdk function at line 460, where the code unconditionally accessed exp["duration"].StringValue() even when the duration field was nil/not provided.

According to Azure's PIM API schema, the expiration object supports three types:
- AfterDuration: requires duration field (ISO 8601 duration)
- AfterDateTime: requires endDateTime field
- NoExpiration: should NOT have either field

The fix adds proper checks for optional fields before accessing them, following the same pattern used elsewhere in the codebase for optional nested fields (see ticketInfo handling).

Also added comprehensive test coverage for all three expiration types to prevent regression.

Fixes #4351

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
c4d1964 to d087bfd
This PR has been shipped in release v3.11.0.
Summary
Fixes #4351 - a panic that occurred when creating a `PimRoleEligibilitySchedule` resource with `NoExpiration` type without providing a `duration` field.

Root Cause
The bug was in the `inputsToSdk` function at `custom_pim_eligibility.go:460`, where the code unconditionally accessed `exp["duration"].StringValue()` even when the duration field was nil/not provided.

According to Azure's PIM API schema, the expiration object supports three types:
- `duration` field (ISO 8601 duration like "P365D")
- `endDateTime` field

Changes
Fixed the bug in `custom_pim_eligibility.go`:
- `duration` and `endDateTime` fields before accessing them
- `ticketInfo` handling)

Added comprehensive test coverage in `custom_pim_eligibility_test.go`:
- `NoExpiration` type (previously missing)
- `AfterDateTime` type (previously missing)
- `AfterDuration` type continues to pass

Testing
- `make test_provider PROVIDER_TEST_TAGS=unit`)

Notes
This is a P1 panic bug that affects users trying to create permanent PIM role eligibility assignments (which use `NoExpiration` type).

🤖 Generated with Claude Code
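The optional-field handling this PR describes, as an added Go example that is not the provider's code. `Expiration`, `optString`, `expirationToSdk` and `uncheckedDuration` are hypothetical names, a plain `map[string]any` stands in for the provider's property map, and rejecting a type/field mismatch is an assumed policy.

```go
package main

import "fmt"

// Expiration is a hypothetical stand-in for the SDK-side expiration object.
type Expiration struct {
	Type        string
	Duration    *string // set only for AfterDuration
	EndDateTime *string // set only for AfterDateTime
}

// optString returns nil when key is absent or not a string, instead of panicking.
func optString(m map[string]any, key string) *string {
	if s, ok := m[key].(string); ok {
		return &s
	}
	return nil
}

// expirationToSdk checks optional fields before use; rejecting a mismatch is an assumed policy.
func expirationToSdk(exp map[string]any) (*Expiration, error) {
	typ, _ := exp["type"].(string)
	d, end := optString(exp, "duration"), optString(exp, "endDateTime")
	switch {
	case typ == "AfterDuration" && d != nil:
		return &Expiration{Type: typ, Duration: d}, nil
	case typ == "AfterDateTime" && end != nil:
		return &Expiration{Type: typ, EndDateTime: end}, nil
	case typ == "NoExpiration" && d == nil && end == nil:
		return &Expiration{Type: typ}, nil
	}
	return nil, fmt.Errorf("expiration type %q does not match the fields supplied", typ)
}

// uncheckedDuration mirrors the bug class: it reads a field that may be absent.
func uncheckedDuration(exp map[string]any) (d string, err error) {
	defer func() {
		if recover() != nil {
			err = fmt.Errorf("panic: duration read while absent")
		}
	}()
	return exp["duration"].(string), nil // panics when the key is missing
}

func main() {
	permanent := map[string]any{"type": "NoExpiration"} // constructed input
	_, bad := uncheckedDuration(permanent)
	ok, err := expirationToSdk(permanent)
	fmt.Println(bad, ok.Type, err)
}
```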