From 46694a69c69a454c55243629a1a1652dc6545d81 Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Tue, 14 Sep 2021 12:54:47 +0100 Subject: [PATCH] azuread_application: support for the `logo` property for uploading a logo image --- docs/resources/application.md | 4 +- .../applications/application_resource.go | 54 +++++++++++++++++++ .../applications/application_resource_test.go | 40 ++++++++++++++ .../services/applications/applications.go | 14 +++++ 4 files changed, 111 insertions(+), 1 deletion(-) diff --git a/docs/resources/application.md b/docs/resources/application.md index 1b9c96980..ca47d7192 100644 --- a/docs/resources/application.md +++ b/docs/resources/application.md @@ -26,6 +26,7 @@ data "azuread_client_config" "current" {} resource "azuread_application" "example" { display_name = "example" identifier_uris = ["api://example-app"] + logo_image = filebase64("/path/to/logo.png") owners = [data.azuread_client_config.current.object_id] sign_in_audience = "AzureADMultipleOrgs" @@ -163,6 +164,7 @@ The following arguments are supported: * `fallback_public_client_enabled` - (Optional) Specifies whether the application is a public client. Appropriate for apps using token grant flows that don't use a redirect URI. Defaults to `false`. * `group_membership_claims` - (Optional) Configures the `groups` claim issued in a user or OAuth 2.0 access token that the app expects. Possible values are `None`, `SecurityGroup`, `DirectoryRole`, `ApplicationGroup` or `All`. * `identifier_uris` - (Optional) A set of user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. +* `logo_image` - (Optional) A logo image to upload for the application, as a raw base64-encoded string. The image should be in gif, jpeg or png format. Note that once an image has been uploaded, it is not possible to remove it without replacing it with another image. * `marketing_url` - (Optional) URL of the application's marketing page. * `oauth2_post_response_required` - (Optional) Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. Defaults to `false`, which specifies that only GET requests are allowed. * `optional_claims` - (Optional) An `optional_claims` block as documented below. @@ -299,7 +301,7 @@ In addition to all arguments above, the following attributes are exported: * `app_role_ids` - A mapping of app role values to app role IDs, intended to be useful when referencing app roles in other resources in your configuration. * `application_id` - The Application ID (also called Client ID). * `disabled_by_microsoft` - Whether Microsoft has disabled the registered application. If the application is disabled, this will be a string indicating the status/reason, e.g. `DisabledDueToViolationOfServicesAgreement` -* `logo_url` - CDN URL to the application's logo. +* `logo_url` - CDN URL to the application's logo, as uploaded with the `logo_image` property. * `oauth2_permission_scope_ids` - A mapping of OAuth2.0 permission scope values to scope IDs, intended to be useful when referencing permission scopes in other resources in your configuration. * `object_id` - The application's object ID. * `publisher_domain` - The verified publisher domain for the application. diff --git a/internal/services/applications/application_resource.go b/internal/services/applications/application_resource.go index 88c02eed2..2bab45c98 100644 --- a/internal/services/applications/application_resource.go +++ b/internal/services/applications/application_resource.go @@ -295,6 +295,13 @@ func applicationResource() *schema.Resource { }, }, + "logo_image": { + Description: "Base64 encoded logo image in gif, png or jpeg format", + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringIsBase64, + }, + "marketing_url": { Description: "URL of the application's marketing page", Type: schema.TypeString, @@ -600,6 +607,11 @@ func applicationResourceCustomizeDiff(ctx context.Context, diff *schema.Resource diff.SetNewComputed("oauth2_permission_scope_ids") } + // If the logo image changes, the CDN URL will change + if diff.HasChange("logo_image") { + diff.SetNewComputed("logo_url") + } + // The following validation is taken from https://docs.microsoft.com/en-gb/azure/active-directory/develop/supported-accounts-validation // These apply only when personal account sign-ins are enabled for an application, and are enforced at plan time to avoid breaking existing // applications that change from AAD (corporate) account sign-ins to personal account sign-ins @@ -838,6 +850,16 @@ func applicationResourceCreate(ctx context.Context, d *schema.ResourceData, meta } } + var imageContentType string + var imageData []byte + if v, ok := d.GetOk("logo_image"); ok && v != "" { + var err error + imageContentType, imageData, err = applicationParseLogoImage(v.(string)) + if err != nil { + return tf.ErrorDiagPathF(err, "image", "Could not decode image data") + } + } + if templateId != "" { // Instantiate application from template gallery and return via the update function properties := msgraph.ApplicationTemplate{ @@ -958,6 +980,14 @@ func applicationResourceCreate(ctx context.Context, d *schema.ResourceData, meta } } + // Upload the application image + if imageContentType != "" && len(imageData) > 0 { + _, err := client.UploadLogo(ctx, d.Id(), imageContentType, imageData) + if err != nil { + return tf.ErrorDiagF(err, "Could not upload logo image for application with object ID: %q", d.Id()) + } + } + return applicationResourceRead(ctx, d, meta) } @@ -986,6 +1016,16 @@ func applicationResourceUpdate(ctx context.Context, d *schema.ResourceData, meta } } + var imageContentType string + var imageData []byte + if v, ok := d.GetOk("logo_image"); ok && v != "" && d.HasChange("logo_image") { + var err error + imageContentType, imageData, err = applicationParseLogoImage(v.(string)) + if err != nil { + return tf.ErrorDiagPathF(err, "image", "Could not decode image data") + } + } + properties := msgraph.Application{ DirectoryObject: msgraph.DirectoryObject{ ID: utils.String(applicationId), @@ -1061,6 +1101,14 @@ func applicationResourceUpdate(ctx context.Context, d *schema.ResourceData, meta } } + // Upload the application image + if imageContentType != "" && len(imageData) > 0 { + _, err := client.UploadLogo(ctx, d.Id(), imageContentType, imageData) + if err != nil { + return tf.ErrorDiagF(err, "Could not upload logo image for application with object ID: %q", d.Id()) + } + } + return applicationResourceRead(ctx, d, meta) } @@ -1111,6 +1159,12 @@ func applicationResourceRead(ctx context.Context, d *schema.ResourceData, meta i tf.Set(d, "terms_of_service_url", app.Info.TermsOfServiceUrl) } + logoImage := "" + if v := d.Get("logo_image").(string); v != "" { + logoImage = v + } + tf.Set(d, "logo_image", logoImage) + preventDuplicates := false if v := d.Get("prevent_duplicate_names").(bool); v { preventDuplicates = v diff --git a/internal/services/applications/application_resource_test.go b/internal/services/applications/application_resource_test.go index 89d8610b3..4cc85a508 100644 --- a/internal/services/applications/application_resource_test.go +++ b/internal/services/applications/application_resource_test.go @@ -441,6 +441,35 @@ func TestAccApplication_related(t *testing.T) { }) } +func TestAccApplication_logo(t *testing.T) { + data := acceptance.BuildTestData(t, "azuread_application", "test") + r := ApplicationResource{} + + data.ResourceTest(t, r, []resource.TestStep{ + { + Config: r.logo(data), + Check: resource.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("logo"), + { + Config: r.basic(data), + Check: resource.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.logo(data), + Check: resource.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep("logo"), + }) +} + func (r ApplicationResource) Exists(ctx context.Context, clients *clients.Client, state *terraform.InstanceState) (*bool, error) { client := clients.Applications.ApplicationsClient client.BaseClient.DisableRetries = true @@ -1270,3 +1299,14 @@ resource "azuread_application" "test" { } `, data.RandomInteger) } + +func (r ApplicationResource) logo(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azuread" {} + +resource "azuread_application" "test" { + display_name = "acctest-APP-%[1]d" + logo_image = "" // thisisfine +} +`, data.RandomInteger) +} diff --git a/internal/services/applications/applications.go b/internal/services/applications/applications.go index 792f02428..7408f191b 100644 --- a/internal/services/applications/applications.go +++ b/internal/services/applications/applications.go @@ -2,9 +2,11 @@ package applications import ( "context" + "encoding/base64" "fmt" "net/http" "reflect" + "strings" "time" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" @@ -295,6 +297,18 @@ func applicationFindByName(ctx context.Context, client *msgraph.ApplicationsClie return &result, nil } +func applicationParseLogoImage(encodedImage string) (string, []byte, error) { + imageData, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encodedImage)) + if err != nil { + return "", nil, err + } + contentType := http.DetectContentType(imageData) + if !strings.HasPrefix(contentType, "image/") { + return "", nil, fmt.Errorf("unrecognised MIME type detected: %q", contentType) + } + return contentType, imageData, nil +} + func applicationValidateRolesScopes(appRoles, oauth2Permissions []interface{}) error { var ids, values []string