application: app_role and oauth2_permissions as lists - ordering broken
manicminer committed Aug 8, 2020
1 parent dd7909a commit 51b5b78
Showing 4 changed files with 118 additions and 34 deletions.
24 changes: 12 additions & 12 deletions azuread/helpers/graph/application.go
Expand Up @@ -157,23 +157,23 @@ func FlattenAppRoles(in *[]graphrbac.AppRole) []interface{} {
appRoles := make([]interface{}, 0)
for _, role := range *in {
appRole := make(map[string]interface{})
if role.ID != nil {
appRole["id"] = *role.ID
if v := role.ID; v != nil {
appRole["id"] = *v
}
if role.AllowedMemberTypes != nil {
appRole["allowed_member_types"] = *role.AllowedMemberTypes
if v := role.AllowedMemberTypes; v != nil {
appRole["allowed_member_types"] = *v
}
if role.Description != nil {
appRole["description"] = *role.Description
if v := role.Description; v != nil {
appRole["description"] = *v
}
if role.DisplayName != nil {
appRole["display_name"] = *role.DisplayName
if v := role.DisplayName; v != nil {
appRole["display_name"] = *v
}
if role.IsEnabled != nil {
appRole["is_enabled"] = *role.IsEnabled
if v := role.IsEnabled; v != nil {
appRole["is_enabled"] = *v
}
if role.Value != nil {
appRole["value"] = *role.Value
if v := role.Value; v != nil {
appRole["value"] = *v
}
appRoles = append(appRoles, appRole)
}
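Review bot: `FlattenAppRoles` still ranges over `*in` with no nil guard, so a nil `in` panics; the rewrite only changes how each field is read, not that. Unless a guard sits between the signature and the first line of this hunk, `if in == nil { return appRoles }` placed before the loop would make the flatten total and keep the existing empty-slice return for callers. The `if v := role.X; v != nil` form is otherwise a reasonable scope tightening and matches the style used elsewhere in this commit. The function's closing lines are outside the hunk.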
21 changes: 13 additions & 8 deletions azuread/internal/services/aadgraph/application_resource.go
Expand Up @@ -107,13 +107,15 @@ func ResourceApplication() *schema.Resource {
},

"app_role": {
Type: schema.TypeSet,
Type: schema.TypeList,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"id": {
Type: schema.TypeString,
Computed: true,
Type: schema.TypeString,
Optional: true,
Computed: true,
ValidateFunc: validate.UUID,
},

"allowed_member_types": {
Expand Down Expand Up @@ -150,6 +152,7 @@ func ResourceApplication() *schema.Resource {
"value": {
Type: schema.TypeString,
Optional: true,
Computed: true,
},
},
},
Expand Down Expand Up @@ -227,7 +230,7 @@ func ResourceApplication() *schema.Resource {
},

"oauth2_permissions": {
Type: schema.TypeSet,
Type: schema.TypeList,
Optional: true,
Computed: true,
ConfigMode: schema.SchemaConfigModeAttr,
Expand All @@ -249,6 +252,7 @@ func ResourceApplication() *schema.Resource {

"id": {
Type: schema.TypeString,
Optional: true,
Computed: true,
},

Expand Down Expand Up @@ -286,6 +290,7 @@ func ResourceApplication() *schema.Resource {
},
},
},

"prevent_duplicate_names": {
Type: schema.TypeBool,
Optional: true,
Expand Down Expand Up @@ -833,7 +838,7 @@ func flattenADApplicationOptionalClaimsList(in *[]graphrbac.OptionalClaim) []int
}

func expandADApplicationAppRoles(i interface{}) *[]graphrbac.AppRole {
input := i.(*schema.Set).List()
input := i.([]interface{})
if len(input) == 0 {
return nil
}
Expand Down Expand Up @@ -877,7 +882,7 @@ func expandADApplicationAppRoles(i interface{}) *[]graphrbac.AppRole {
}

func expandADApplicationOAuth2Permissions(i interface{}) *[]graphrbac.OAuth2Permission {
input := i.(*schema.Set).List()
input := i.([]interface{})
result := make([]graphrbac.OAuth2Permission, 0)

for _, raw := range input {
Expand Down Expand Up @@ -942,7 +947,7 @@ func adApplicationValidateRolesScopes(appRoles, oauth2Permissions interface{}) e
var values []string

if appRoles != nil {
for _, roleRaw := range appRoles.(*schema.Set).List() {
for _, roleRaw := range appRoles.([]interface{}) {
role := roleRaw.(map[string]interface{})
if val := role["value"].(string); val != "" {
values = append(values, val)
Expand All @@ -951,7 +956,7 @@ func adApplicationValidateRolesScopes(appRoles, oauth2Permissions interface{}) e
}

if oauth2Permissions != nil {
for _, scopeRaw := range oauth2Permissions.(*schema.Set).List() {
for _, scopeRaw := range oauth2Permissions.([]interface{}) {
scope := scopeRaw.(map[string]interface{})
if val := scope["value"].(string); val != "" {
values = append(values, val)
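Review bot: The `id` attribute under `oauth2_permissions` is made `Optional` in the fourth hunk but, unlike the `app_role` `id` in the first hunk, it gets no `ValidateFunc: validate.UUID`, so a user-supplied malformed id is sent to the Graph API unvalidated and only fails at apply time. Adding `ValidateFunc: validate.UUID,` after `Computed: true,` in that block keeps the two attributes consistent and gives plan-time feedback, and the website doc for `oauth2_permissions` should state the UUID requirement the same way the `app_role` doc now does. The unchecked `i.([]interface{})` assertions in `expandADApplicationAppRoles`, `expandADApplicationOAuth2Permissions` and `adApplicationValidateRolesScopes` replace an equally unchecked `*schema.Set` assertion, so they are no worse, but a `v, ok := i.([]interface{})` form returning an error would turn a future schema-type drift into a diagnostic instead of a panic. Now that ids may be chosen by the user, duplicate ids across roles or permissions are presumably not rejected by the visible code; the rest of `adApplicationValidateRolesScopes` lies outside the hunk, so confirm there or add a check. `ResourceApplication` and both expand functions continue beyond the lines shown.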
105 changes: 92 additions & 13 deletions azuread/internal/services/aadgraph/tests/application_resource_test.go
Expand Up @@ -142,6 +142,7 @@ func TestAccAzureADApplication_update(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "identifier_uris.#", "0"),
resource.TestCheckResourceAttr(resourceName, "reply_urls.#", "0"),
resource.TestCheckResourceAttr(resourceName, "optional_claims.#", "0"),
resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "0"),
),
},
{
Expand Down Expand Up @@ -248,13 +249,6 @@ func TestAccAzureADApplication_appRoles(t *testing.T) {
Check: resource.ComposeTestCheckFunc(
testCheckADApplicationExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "app_role.#", "1"),
resource.TestCheckResourceAttr(resourceName, "app_role.3282540397.allowed_member_types.#", "2"),
resource.TestCheckResourceAttr(resourceName, "app_role.3282540397.allowed_member_types.2550101162", "Application"),
resource.TestCheckResourceAttr(resourceName, "app_role.3282540397.allowed_member_types.2906997583", "User"),
resource.TestCheckResourceAttr(resourceName, "app_role.3282540397.description", "Admins can manage roles and perform all task actions"),
resource.TestCheckResourceAttr(resourceName, "app_role.3282540397.display_name", "Admin"),
resource.TestCheckResourceAttr(resourceName, "app_role.3282540397.is_enabled", "true"),
resource.TestCheckResourceAttr(resourceName, "app_role.3282540397.value", "Admin"),
),
},
{
Expand All @@ -266,6 +260,31 @@ func TestAccAzureADApplication_appRoles(t *testing.T) {
})
}

func TestAccAzureADApplication_appRolesManualID(t *testing.T) {
rn := "azuread_application.test"
ri := tf.AccRandTimeInt()

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
CheckDestroy: testCheckADApplicationDestroy,
Steps: []resource.TestStep{
{
Config: testAccADApplication_appRolesManualID(ri),
Check: resource.ComposeTestCheckFunc(
testCheckADApplicationExists(rn),
resource.TestCheckResourceAttr(rn, "app_role.#", "1"),
),
},
{
ResourceName: rn,
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func TestAccAzureADApplication_appRolesNoValue(t *testing.T) {
rn := "azuread_application.tests"
ri := tf.AccRandTimeInt()
Expand Down Expand Up @@ -586,6 +605,32 @@ func TestAccAzureADApplication_oauth2PermissionsUpdate(t *testing.T) {
})
}

func TestAccAzureADApplication_oauth2PermissionsManualID(t *testing.T) {
resourceName := "azuread_application.tests"
ri := tf.AccRandTimeInt()

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
CheckDestroy: testCheckADApplicationDestroy,
Steps: []resource.TestStep{
{
Config: testAccADApplication_oauth2PermissionsManualID(ri),
Check: resource.ComposeTestCheckFunc(
testCheckADApplicationExists(resourceName),
resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("acctest-APP-%[1]d", ri)),
resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "1"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func TestAccAzureADApplication_preventDuplicateNames(t *testing.T) {
ri := tf.AccRandTimeInt()

Expand Down Expand Up @@ -677,6 +722,7 @@ func testAccADApplication_basicEmpty(ri int) string {
resource "azuread_application" "tests" {
name = "acctest-APP-%[1]d"
identifier_uris = []
oauth2_permissions = []
reply_urls = []
group_membership_claims = "None"
}
Expand Down Expand Up @@ -845,6 +891,22 @@ resource "azuread_application" "tests" {
`, ri)
}

func testAccADApplication_appRolesManualID(ri int) string {
return fmt.Sprintf(`
resource "azuread_application" "test" {
name = "acctest-APP-%[1]d"
app_role {
allowed_member_types = ["User"]
description = "Admins can manage roles and perform all task actions"
display_name = "Admin"
id = "10000000-2000-3000-4000-500000000000"
is_enabled = true
value = "Admin"
}
}
`, ri)
}

func testAccADApplication_appRolesNoValue(ri int) string {
return fmt.Sprintf(`
resource "azuread_application" "tests" {
Expand Down Expand Up @@ -889,22 +951,39 @@ func testAccADApplication_oauth2Permissions(ri int) string {
resource "azuread_application" "tests" {
name = "acctest-APP-%[1]d"
oauth2_permissions {
admin_consent_description = "Allow the application to access acctest-APP-%[1]d on behalf of the signed-in user."
admin_consent_display_name = "Access acctest-APP-%[1]d"
is_enabled = true
type = "User"
user_consent_description = "Allow the application to access acctest-APP-%[1]d on your behalf."
user_consent_display_name = "Access acctest-APP-%[1]d"
value = "user_impersonation"
}
oauth2_permissions {
admin_consent_description = "Administer the application"
admin_consent_display_name = "Administer"
is_enabled = true
type = "Admin"
value = "administer"
}
}
`, ri)
}

func testAccADApplication_oauth2PermissionsManualID(ri int) string {
return fmt.Sprintf(`
resource "azuread_application" "tests" {
name = "acctest-APP-%[1]d"
oauth2_permissions {
admin_consent_description = "Allow the application to access acctest-APP-%[1]d on behalf of the signed-in user."
admin_consent_display_name = "Access acctest-APP-%[1]d"
admin_consent_description = "Administer the application"
admin_consent_display_name = "Administer"
id = "10000000-2000-3000-4000-500000000000"
is_enabled = true
type = "User"
user_consent_description = "Allow the application to access acctest-APP-%[1]d on your behalf."
user_consent_display_name = "Access acctest-APP-%[1]d"
value = "user_impersonation"
type = "Admin"
value = "administer"
}
}
`, ri)
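Review bot: `TestAccAzureADApplication_appRolesManualID` and `TestAccAzureADApplication_oauth2PermissionsManualID` only assert the element count, so neither proves the manually supplied id was honoured rather than replaced by a generated one; add `resource.TestCheckResourceAttr(rn, "app_role.0.id", "10000000-2000-3000-4000-500000000000"),` to the first and the `oauth2_permissions.0.id` counterpart to the second. The hash-keyed checks dropped from `TestAccAzureADApplication_appRoles` (`allowed_member_types`, `description`, `display_name`, `is_enabled`, `value`) were not re-added with list indices such as `app_role.0.display_name`, so that test now verifies far less than before; with the list type the indices are stable and the checks are straightforward to restore. The new `appRolesManualID` test also names its resource `azuread_application.test` while every neighbouring test uses `azuread_application.tests`, which is harmless but inconsistent.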
2 changes: 1 addition & 1 deletion website/docs/r/application.html.markdown
Expand Up @@ -170,7 +170,7 @@ The following arguments are supported:

`app_role` supports the following:

* `id` - The unique identifier of the `app_role`.
* `id` - The unique identifier of the `app_role`. When not specified, a unique `id` will be generated by Azure and this is the recommended approach. You can also specify your own value for `id` and this should always be a valid UUID.

* `allowed_member_types` - (Required) Specifies whether this app role definition can be assigned to users and groups by setting to `User`, or to other applications (that are accessing this application in daemon service scenarios) by setting to `Application`, or to both.

