Merge pull request #1417 from hashicorp/bugfix/conditional-access-ses…

…sion-controls-sign-in-frequency-interval bugfix: ensure `sessionControls.isEnabled: true` when specifying `sign_in_frequency_interval = "everyTime"`
hashicorp · Aug 19, 2024 · 2cebdb1 · 2cebdb1
2 parents 412898f + b0bc1c9
commit 2cebdb1
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 3 deletions.
diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
@@ -219,6 +219,16 @@ func TestAccConditionalAccessPolicy_sessionControls(t *testing.T) {
 			),
 		},
 		data.ImportStep(),
+		{
+			Config: r.sessionControlsSignInFrequencyAlways(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("state").HasValue("disabled"),
+			),
+		},
+		data.ImportStep(),
 		{
 			Config: r.sessionControlsDisabled(data),
 			Check: acceptance.ComposeTestCheckFunc(
@@ -681,6 +691,42 @@ resource "azuread_conditional_access_policy" "test" {
 `, data.RandomInteger)
 }
 
+func (ConditionalAccessPolicyResource) sessionControlsSignInFrequencyAlways(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types = ["browser"]
+
+    applications {
+      included_applications = ["All"]
+    }
+
+    locations {
+      included_locations = ["All"]
+    }
+
+    platforms {
+      included_platforms = ["all"]
+    }
+
+    users {
+      included_users = ["All"]
+      excluded_users = ["GuestsOrExternalUsers"]
+    }
+  }
+
+  session_controls {
+    sign_in_frequency_interval = "everyTime"
+  }
+}
+`, data.RandomInteger)
+}
+
 func (ConditionalAccessPolicyResource) clientApplicationsIncluded(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azuread" {}

diff --git a/internal/services/conditionalaccess/conditionalaccess.go b/internal/services/conditionalaccess/conditionalaccess.go
@@ -489,8 +489,13 @@ func expandConditionalAccessSessionControls(in []interface{}) *msgraph.Condition
 	}
 
 	signInFrequency := msgraph.SignInFrequencySessionControl{}
-	if frequencyValue := config["sign_in_frequency"].(int); frequencyValue > 0 {
+	frequencyValue := config["sign_in_frequency"].(int)
+	frequencyInterval := config["sign_in_frequency_interval"].(string)
+	if frequencyValue > 0 || frequencyInterval == msgraph.ConditionalAccessFrequencyIntervalEveryTime {
 		signInFrequency.IsEnabled = pointer.To(true)
+	}
+
+	if frequencyValue > 0 {
 		signInFrequency.Type = pointer.To(config["sign_in_frequency_period"].(string))
 		signInFrequency.Value = pointer.To(int32(frequencyValue))
 
@@ -503,8 +508,8 @@ func expandConditionalAccessSessionControls(in []interface{}) *msgraph.Condition
 		signInFrequency.AuthenticationType = pointer.To(authenticationType.(string))
 	}
 
-	if interval, ok := config["sign_in_frequency_interval"]; ok && interval.(string) != "" {
-		signInFrequency.FrequencyInterval = pointer.To(interval.(string))
+	if frequencyInterval != "" {
+		signInFrequency.FrequencyInterval = pointer.To(frequencyInterval)
 	}
 
 	// API returns 400 error if signInFrequency is set with all default/zero values