add support for insider_risk_levels

docs/resources/conditional_access_policy.md

@@ -169,6 +169,7 @@ The following arguments are supported:
 * `sign_in_risk_levels` - (Optional) A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
 * `user_risk_levels` - (Optional) A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
 * `users` - (Required) A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
+* `insider_risk_levels` - (Optional) The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
 
 ---
 

internal/services/conditionalaccess/conditional_access_policy_resource.go

@@ -408,6 +408,13 @@ func conditionalAccessPolicyResource() *pluginsdk.Resource {
 								ValidateFunc: validation.StringInSlice(stable.PossibleValuesForRiskLevel(), false),
 							},
 						},
+
+						"insider_risk_levels": {
+							Type:         pluginsdk.TypeString,
+							Optional:     true,
+							Computed:     true,
+							ValidateFunc: validation.StringInSlice(stable.PossibleValuesForConditionalAccessInsiderRiskLevels(), false),
+						},
 					},
 				},
 			},

internal/services/conditionalaccess/conditional_access_policy_resource_test.go

@@ -332,6 +332,25 @@ func TestAccConditionalAccessPolicy_guestsOrExternalUsers(t *testing.T) {
 	})
 }
 
+func TestAccConditionalAccessPolicy_insiderRisk(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
+	r := ConditionalAccessPolicyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.insiderRisk(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("state").HasValue("disabled"),
+				check.That(data.ResourceName).Key("conditions.0.insider_risk_levels").HasValue("moderate"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (r ConditionalAccessPolicyResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := stable.ParseIdentityConditionalAccessPolicyID(state.ID)
 	if err != nil {
@@ -390,6 +409,7 @@ resource "azuread_conditional_access_policy" "test" {
     client_app_types    = ["all"]
     sign_in_risk_levels = ["medium"]
     user_risk_levels    = ["medium"]
+    insider_risk_levels = "elevated"
 
     applications {
       included_applications = ["All"]
@@ -851,3 +871,33 @@ resource "azuread_conditional_access_policy" "test" {
 }
 `, data.RandomInteger)
 }
+
+func (ConditionalAccessPolicyResource) insiderRisk(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types    = ["browser"]
+    insider_risk_levels = "moderate"
+
+    applications {
+      included_applications = ["None"]
+    }
+
+    users {
+      included_users = ["All"]
+      excluded_users = ["GuestsOrExternalUsers"]
+    }
+  }
+
+  grant_controls {
+    operator          = "OR"
+    built_in_controls = ["block"]
+  }
+}
+`, data.RandomInteger)
+}

internal/services/conditionalaccess/conditionalaccess.go

@@ -37,6 +37,11 @@ func flattenConditionalAccessConditionSet(in *stable.ConditionalAccessConditionS
 		userRiskLevels = append(userRiskLevels, string(v))
 	}
 
+	insiderRiskLevels := ""
+	if in.InsiderRiskLevels != nil {
+		insiderRiskLevels = string(pointer.From(in.InsiderRiskLevels))
+	}
+
 	return []interface{}{
 		map[string]interface{}{
 			"applications":                  flattenConditionalAccessApplications(in.Applications),
@@ -49,6 +54,7 @@ func flattenConditionalAccessConditionSet(in *stable.ConditionalAccessConditionS
 			"service_principal_risk_levels": servicePrincipalRiskLevels,
 			"sign_in_risk_levels":           signInRiskLevels,
 			"user_risk_levels":              userRiskLevels,
+			"insider_risk_levels":           insiderRiskLevels,
 		},
 	}
 }
@@ -361,6 +367,10 @@ func expandConditionalAccessConditionSet(in []interface{}) *stable.ConditionalAc
 		userRiskLevels = append(userRiskLevels, stable.RiskLevel(elem.(string)))
 	}
 
+	if insiderRiskLevel, ok := config["insider_risk_levels"]; ok && insiderRiskLevel.(string) != "" {
+		result.InsiderRiskLevels = pointer.To(stable.ConditionalAccessInsiderRiskLevels(insiderRiskLevel.(string)))
+	}
+
 	result.Applications = expandConditionalAccessApplications(applications)
 	result.ClientAppTypes = clientAppTypes
 	result.ClientApplications = expandConditionalAccessClientApplications(clientApplications)

internal/services/conditionalaccess/migrations/conditional_access_policy_resource.go

@@ -330,6 +330,11 @@ func ResourceConditionalAccessPolicyInstanceResourceV0() *pluginsdk.Resource {
 								Type: pluginsdk.TypeString,
 							},
 						},
+
+						"insider_risk_levels": {
+							Type:     pluginsdk.TypeString,
+							Optional: true,
+						},
 					},
 				},
 			},