

handle "enumerated" members differently
 - fixes schema validation error from Graph API
 - resulting object has the "@odata.type" field with
   "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"

add test condition for list size
sdx-jkataja committed Dec 19, 2024
1 parent 448781a commit 10999ba
Showing 2 changed files with 63 additions and 6 deletions.
Expand Up @@ -332,6 +332,25 @@ func TestAccConditionalAccessPolicy_guestsOrExternalUsers(t *testing.T) {
})
}

func TestAccConditionalAccessPolicy_guestsOrExternalUsersServiceProviderExternalTenantExcluded(t *testing.T) {
data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
r := ConditionalAccessPolicyResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.guestsOrExternalUsersServiceProviderExternalTenantExcluded(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
check.That(data.ResourceName).Key("id").Exists(),
check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.membership_kind").HasValue("enumerated"),
check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.members.#").HasValue("1"),
),
},
data.ImportStep(),
})
}

func (r ConditionalAccessPolicyResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
id, err := stable.ParseIdentityConditionalAccessPolicyID(state.ID)
if err != nil {
Expand Down Expand Up @@ -851,3 +870,38 @@ resource "azuread_conditional_access_policy" "test" {
}
`, data.RandomInteger)
}

func (ConditionalAccessPolicyResource) guestsOrExternalUsersServiceProviderExternalTenantExcluded(data acceptance.TestData) string {
return fmt.Sprintf(`
resource "azuread_conditional_access_policy" "test" {
display_name = "acctest-CONPOLICY-%[1]d"
state = "disabled"
conditions {
client_app_types = ["browser"]
applications {
included_applications = ["None"]
}
users {
included_users = ["None"]
excluded_guests_or_external_users {
guest_or_external_user_types = ["serviceProvider"]
external_tenants {
membership_kind = "enumerated"
members = [
"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
]
}
}
}
}
grant_controls {
operator = "OR"
built_in_controls = ["block"]
}
}
`, data.RandomInteger)
}
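Review bot: The new check on the `members.#` key only asserts that one element came back; it does not verify the member ID itself survives the round trip through the enumerated external-tenants type, which is the behaviour this commit changes. Adding `check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.members.0").HasValue("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),` next to the size check would pin that. The tenant ID in the config is a placeholder; if Graph validates it on write, this acceptance test may need a real tenant, which nothing on this page confirms either way.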
15 changes: 9 additions & 6 deletions internal/services/conditionalaccess/conditionalaccess.go
Expand Up @@ -629,19 +629,22 @@ func expandExternalTenants(in []interface{}) stable.ConditionalAccessExternalTen
return nil
}

result := stable.BaseConditionalAccessExternalTenantsImpl{}

config := in[0].(map[string]interface{})

members := config["members"].([]interface{})
membershipKind := config["membership_kind"].(string)

result.MembershipKind = pointer.To(stable.ConditionalAccessExternalTenantsMembershipKind(config["membership_kind"].(string)))

// only membership_kind enumerated is allowed to have members field set, so we omit setting an empty array when no members configured
if len(members) > 0 {
// only membership_kind enumerated is allowed to have members field set
if membershipKind == "enumerated" {
result := stable.ConditionalAccessEnumeratedExternalTenants{}
result.MembershipKind = pointer.To(stable.ConditionalAccessExternalTenantsMembershipKind(membershipKind))
result.Members = tf.ExpandStringSlicePtr(members)
return &result
}

result := stable.BaseConditionalAccessExternalTenantsImpl{}
result.MembershipKind = pointer.To(stable.ConditionalAccessExternalTenantsMembershipKind(membershipKind))

return &result
}

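Review bot: The `membershipKind == "enumerated"` branch sets `result.Members` unconditionally, so an enumerated tenant set with an empty `members` list now sends an empty array where the removed code deliberately omitted it; either keep a `len(members) > 0` guard inside the branch or reject that combination at schema validation so the API error surfaces at plan time. In the fall-through path a non-enumerated kind silently drops any configured members, which is the kind of truncation a plan-time check should catch rather than the expand function. If the generated SDK exposes a typed constant for the enumerated membership kind, comparing against it instead of the bare `"enumerated"` literal keeps this branch in sync with the enum. The signature of expandExternalTenants and its early-return guard sit above the hunk.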

