From 52b599af87f4e85f9da65e6e9ca6e89d6609f811 Mon Sep 17 00:00:00 2001
From: Janne Kataja
Date: Wed, 18 Dec 2024 16:48:42 +0100
Subject: [PATCH] handle "enumerated" members differently
- fixes schema validation error from Graph API
- resulting object has the "@odata.type" field with "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"
add test condition for list size
---
 ...conditional_access_policy_resource_test.go | 54 +++++++++++++++++++
 .../conditionalaccess/conditionalaccess.go | 15 ++++-
 2 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
index ebdb41770..3ab648e43 100644
--- a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
+++ b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
@@ -332,6 +332,25 @@ func TestAccConditionalAccessPolicy_guestsOrExternalUsers(t *testing.T) {
 })
 }
 
+func TestAccConditionalAccessPolicy_guestsOrExternalUsersServiceProviderExternalTenantExcluded(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
+ r := ConditionalAccessPolicyResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.guestsOrExternalUsersServiceProviderExternalTenantExcluded(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ check.That(data.ResourceName).Key("id").Exists(),
+ check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+ check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.membership_kind").HasValue("enumerated"),
+ check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.members.#").HasValue("1"),
+ ),
+ },
+ data.ImportStep(),
+ })
+}
+
 func (r ConditionalAccessPolicyResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 id, err := stable.ParseIdentityConditionalAccessPolicyID(state.ID)
 if err != nil {
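Review bot: The new checks assert only the member count (`members.#` is `1`), not the value, so a read/flatten path that returns the right number of entries with the wrong tenant ID would still pass. Add `check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.members.0").HasValue("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),` next to the count check so the value written through the enumerated `@odata.type` object is pinned as well. The included-side (`included_guests_or_external_users`) path presumably shares the same expand code but is not exercised here; worth a second step if the schema offers it.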
@@ -851,3 +870,38 @@ resource "azuread_conditional_access_policy" "test" {
 }
 `, data.RandomInteger)
 }
+
+func (ConditionalAccessPolicyResource) guestsOrExternalUsersServiceProviderExternalTenantExcluded(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+resource "azuread_conditional_access_policy" "test" {
+ display_name = "acctest-CONPOLICY-%[1]d"
+ state = "disabled"
+
+ conditions {
+ client_app_types = ["browser"]
+
+ applications {
+ included_applications = ["None"]
+ }
+
+ users {
+ included_users = ["None"]
+ excluded_guests_or_external_users {
+ guest_or_external_user_types = ["serviceProvider"]
+ external_tenants {
+ membership_kind = "enumerated"
+ members = [
+ "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+ ]
+ }
+ }
+ }
+ }
+
+ grant_controls {
+ operator = "OR"
+ built_in_controls = ["block"]
+ }
+}
+`, data.RandomInteger)
+}
diff --git a/internal/services/conditionalaccess/conditionalaccess.go b/internal/services/conditionalaccess/conditionalaccess.go
index 704a2c9f4..548374329 100644
--- a/internal/services/conditionalaccess/conditionalaccess.go
+++ b/internal/services/conditionalaccess/conditionalaccess.go
@@ -629,19 +629,24 @@ func expandExternalTenants(in []interface{}) stable.ConditionalAccessExternalTen
 return nil
 }
 
- result := stable.BaseConditionalAccessExternalTenantsImpl{}
-
 config := in[0].(map[string]interface{})
 members := config["members"].([]interface{})
+ membershipKind := stable.ConditionalAccessExternalTenantsMembershipKind(config["membership_kind"].(string))
 
- result.MembershipKind = pointer.To(stable.ConditionalAccessExternalTenantsMembershipKind(config["membership_kind"].(string)))
+ // only membership_kind enumerated is allowed to have members field set
+ if membershipKind == stable.ConditionalAccessExternalTenantsMembershipKind_Enumerated {
+ result := stable.ConditionalAccessEnumeratedExternalTenants{}
 
- // only membership_kind enumerated is allowed to have members field set, so we omit setting an empty array when no members configured
- if len(members) > 0 {
+ result.MembershipKind = pointer.To(membershipKind)
 result.Members = tf.ExpandStringSlicePtr(members)
+
+ return &result
 }
 
+ result := stable.BaseConditionalAccessExternalTenantsImpl{}
+ result.MembershipKind = pointer.To(membershipKind)
+
 return &result
 }
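Review bot: A `members` list configured together with a `membership_kind` other than `enumerated` is now silently discarded: the branch below the `if membershipKind == ..._Enumerated` check builds a `BaseConditionalAccessExternalTenantsImpl` carrying only the kind, so a tenant list the operator wrote into the policy never reaches Graph and the condition presumably applies to every external tenant (for `all`), widening an exclusion without any plan-time signal. Since this function cannot return an error, the mismatch should be rejected at the schema layer (a validation or CustomizeDiff on the `external_tenants` block requiring `members` only with `enumerated`), and at minimum the comment should say so: `// members is only meaningful for membership_kind = enumerated; any other kind drops it (validated in the schema)`. Dropping the old `len(members) > 0` guard also means an `enumerated` kind with an empty list now forwards whatever `tf.ExpandStringSlicePtr` returns for an empty input; if that is a pointer to an empty array the previous omit-when-empty behaviour is lost, so consider requiring at least one member for `enumerated`. The unchecked `.([]interface{})` / `.(string)` assertions on the config map predate this change; the function's signature and opening guard are outside the hunk.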