improve hardcoded authentication_strength_policy

hashicorp · Dec 19, 2024 · f98de92 · f98de92
1 parent 448781a
commit f98de92
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 1 deletion.
diff --git a/docs/resources/conditional_access_policy.md b/docs/resources/conditional_access_policy.md
@@ -245,7 +245,7 @@ The following arguments are supported:
 
 `grant_controls` block supports the following:
 
-* `authentication_strength_policy_id` - (Optional) ID of an Authentication Strength Policy to use in this policy.
+* `authentication_strength_policy_id` - (Optional) ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
 * `built_in_controls` - (Optional) List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
 * `custom_authentication_factors` - (Optional) List of custom controls IDs required by the policy.
 * `operator` - (Required) Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.

diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
@@ -297,6 +297,24 @@ func TestAccConditionalAccessPolicy_authenticationStrength(t *testing.T) {
 	})
 }
 
+func TestAccConditionalAccessPolicy_authenticationStrengthHardcoded(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
+	r := ConditionalAccessPolicyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.authenticationStrengthPolicyHardcoded(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("grant_controls.0.authentication_strength_policy_id").HasValue("/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccConditionalAccessPolicy_guestsOrExternalUsers(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
 	r := ConditionalAccessPolicyResource{}
@@ -789,6 +807,36 @@ resource "azuread_conditional_access_policy" "test" {
 `, data.RandomInteger)
 }
 
+func (ConditionalAccessPolicyResource) authenticationStrengthPolicyHardcoded(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types = ["browser"]
+
+    applications {
+      included_applications = ["None"]
+    }
+
+    users {
+      included_users = ["All"]
+      excluded_users = ["GuestsOrExternalUsers"]
+    }
+  }
+
+  # Hard-code the Phishing resistant MFA policy
+  grant_controls {
+    operator                          = "OR"
+    authentication_strength_policy_id = "/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004"
+  }
+}
+`, data.RandomInteger)
+}
+
 func (ConditionalAccessPolicyResource) guestsOrExternalUsersAllServiceProvidersIncluded(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 resource "azuread_conditional_access_policy" "test" {