From f98de9290fb7b8e8884a79684c1204011370cef0 Mon Sep 17 00:00:00 2001
From: Janne Kataja
Date: Thu, 19 Dec 2024 18:11:43 +0100
Subject: [PATCH] improve hardcoded authentication_strength_policy
---
 docs/resources/conditional_access_policy.md | 2 +-
 ...conditional_access_policy_resource_test.go | 48 +++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/docs/resources/conditional_access_policy.md b/docs/resources/conditional_access_policy.md
index 1e3dba260..a5263464e 100644
--- a/docs/resources/conditional_access_policy.md
+++ b/docs/resources/conditional_access_policy.md
@@ -245,7 +245,7 @@ The following arguments are supported:
 `grant_controls` block supports the following:
-* `authentication_strength_policy_id` - (Optional) ID of an Authentication Strength Policy to use in this policy.
+* `authentication_strength_policy_id` - (Optional) ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
 * `built_in_controls` - (Optional) List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
 * `custom_authentication_factors` - (Optional) List of custom controls IDs required by the policy.
 * `operator` - (Required) Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
index ebdb41770..9c70089cf 100644
--- a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
+++ b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
@@ -297,6 +297,24 @@ func TestAccConditionalAccessPolicy_authenticationStrength(t *testing.T) {
 })
 }
 
+func TestAccConditionalAccessPolicy_authenticationStrengthHardcoded(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
+ r := ConditionalAccessPolicyResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.authenticationStrengthPolicyHardcoded(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ check.That(data.ResourceName).Key("id").Exists(),
+ check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+ check.That(data.ResourceName).Key("grant_controls.0.authentication_strength_policy_id").HasValue("/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004"),
+ ),
+ },
+ data.ImportStep(),
+ })
+}
+
 func TestAccConditionalAccessPolicy_guestsOrExternalUsers(t *testing.T) {
 data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
 r := ConditionalAccessPolicyResource{}
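Review bot: The built-in policy ID `/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004` is spelled out twice in this change — in the `HasValue` check of this test and again in the `authenticationStrengthPolicyHardcoded` config in the next hunk — so a typo in either copy would make the test fail for a reason unrelated to the provider's behaviour. A single file-level constant, e.g. `const phishingResistantMFAPolicyID = "/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004"`, used from both the check and the config template, would keep the two in step. The test is also named `authenticationStrengthHardcoded` while its config builder is `authenticationStrengthPolicyHardcoded`; aligning the two names makes the pairing easier to find.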
@@ -789,6 +807,36 @@ resource "azuread_conditional_access_policy" "test" {
 `, data.RandomInteger)
 }
 
+func (ConditionalAccessPolicyResource) authenticationStrengthPolicyHardcoded(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+provider "azuread" {}
+
+resource "azuread_conditional_access_policy" "test" {
+ display_name = "acctest-CONPOLICY-%[1]d"
+ state = "disabled"
+
+ conditions {
+ client_app_types = ["browser"]
+
+ applications {
+ included_applications = ["None"]
+ }
+
+ users {
+ included_users = ["All"]
+ excluded_users = ["GuestsOrExternalUsers"]
+ }
+ }
+
+ # Hard-code the Phishing resistant MFA policy
+ grant_controls {
+ operator = "OR"
+ authentication_strength_policy_id = "/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004"
+ }
+}
+`, data.RandomInteger)
+}
+
 func (ConditionalAccessPolicyResource) guestsOrExternalUsersAllServiceProvidersIncluded(data acceptance.TestData) string {
 return fmt.Sprintf(`
 resource "azuread_conditional_access_policy" "test" {
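Review bot: The new config opens with `provider "azuread" {}`, whereas the neighbouring builder `guestsOrExternalUsersAllServiceProvidersIncluded` visible in the trailing context starts directly with the `resource` block; unless the empty provider block is needed here, dropping it (and the blank line after it) keeps the fixtures in this file uniform. The `# Hard-code the Phishing resistant MFA policy` comment would be more useful if it also said why the value carries a path, e.g. `# Built-in "Phishing-resistant MFA" strength; a hard-coded ID must carry the /policies/authenticationStrengthPolicies/ prefix (see resource docs)`. The function is fully contained in this hunk.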