Merge pull request #673 from hashicorp/feature/conditional-access-dev…

…ice-conditions

Conditional Access improvements, support for device conditions

.gitignore

@@ -21,6 +21,7 @@ website/node_modules
 .*.swp
 .idea
 *.iml
+*.log
 *.test
 
 website/vendor

docs/resources/conditional_access_policy.md

@@ -31,6 +31,13 @@ resource "azuread_conditional_access_policy" "example" {
       excluded_applications = ["00000004-0000-0ff1-ce00-000000000000"]
     }
 
+    devices {
+      filter {
+        mode = "exclude"
+        rule = "device.operatingSystem eq \"Doors\""
+      }
+    }
+
     locations {
       included_locations = ["All"]
       excluded_locations = ["AllTrusted"]
@@ -87,6 +94,7 @@ The following arguments are supported:
 
 * `applications` - (Required) An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
 * `client_app_types` - (Required) A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
+* `devices` - (Optional) A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
 * `locations` - (Required) A `locations` block as documented below, which specifies locations included in and excluded from the policy.
 * `platforms` - (Required) A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
 * `sign_in_risk_levels` - (Optional) A list of sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
@@ -103,6 +111,19 @@ The following arguments are supported:
 
 ---
 
+`devices` block supports the following:
+
+* `filter` - (Optional) A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+
+---
+
+`filter` block supports the following:
+
+* `mode` - (Required) Whether to include in, or exclude from, matching devices from the policy. Supported values are `include` or `exclude`.
+* `rule` - (Required) Condition filter to match devices. For more information, see [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters).
+
+---
+
 `users` block supports the following:
 
 * `excluded_groups` - (Optional) A list of group IDs excluded from scope of policy.

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.8.0
 	github.com/hashicorp/yamux v0.0.0-20210316155119-a95892c5f864 // indirect
 	github.com/klauspost/compress v1.12.2 // indirect
-	github.com/manicminer/hamilton v0.36.0
+	github.com/manicminer/hamilton v0.36.1
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect

go.sum

@@ -299,8 +299,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/manicminer/hamilton v0.36.0 h1:HBH1yJB2nA0d4ZebF9R8LSZMwkyujNUQr4mnIthUKE4=
-github.com/manicminer/hamilton v0.36.0/go.mod h1:IOYn2Dc9SUiZ7Ryw6c8Ay795vPPMnrCZe3MktS447dc=
+github.com/manicminer/hamilton v0.36.1 h1:rIHUAYP54u70yGcl1HZjo3/DXx7B6npzVFnDSVduttQ=
+github.com/manicminer/hamilton v0.36.1/go.mod h1:IOYn2Dc9SUiZ7Ryw6c8Ay795vPPMnrCZe3MktS447dc=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=

internal/services/conditionalaccess/conditional_access_policy_resource.go

@@ -177,16 +177,49 @@ func conditionalAccessPolicyResource() *schema.Resource {
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 								ValidateFunc: validation.StringInSlice([]string{
-									"all",
-									"browser",
-									"mobileAppsAndDesktopClients",
-									"exchangeActiveSync",
-									"easSupported",
-									"other",
+									msgraph.ConditionalAccessClientAppTypeAll,
+									msgraph.ConditionalAccessClientAppTypeBrowser,
+									msgraph.ConditionalAccessClientAppTypeEasSupported,
+									msgraph.ConditionalAccessClientAppTypeExchangeActiveSync,
+									msgraph.ConditionalAccessClientAppTypeMobileAppsAndDesktopClients,
+									msgraph.ConditionalAccessClientAppTypeOther,
 								}, false),
 							},
 						},
 
+						"devices": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"filter": {
+										Type:     schema.TypeList,
+										Optional: true,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"mode": {
+													Type:     schema.TypeString,
+													Required: true,
+													ValidateFunc: validation.StringInSlice([]string{
+														msgraph.ConditionalAccessFilterModeExclude,
+														msgraph.ConditionalAccessFilterModeInclude,
+													}, false),
+												},
+
+												"rule": {
+													Type:             schema.TypeString,
+													Required:         true,
+													ValidateDiagFunc: validate.NoEmptyStrings,
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+
 						"locations": {
 							Type:     schema.TypeList,
 							Required: true,
@@ -226,13 +259,13 @@ func conditionalAccessPolicyResource() *schema.Resource {
 										Elem: &schema.Schema{
 											Type: schema.TypeString,
 											ValidateFunc: validation.StringInSlice([]string{
-												"all",
-												"android",
-												"iOS",
-												"macOS",
-												"unknownFutureValue",
-												"windows",
-												"windowsPhone",
+												msgraph.ConditionalAccessDevicePlatformAll,
+												msgraph.ConditionalAccessDevicePlatformAndroid,
+												msgraph.ConditionalAccessDevicePlatformIos,
+												msgraph.ConditionalAccessDevicePlatformMacOs,
+												msgraph.ConditionalAccessDevicePlatformUnknownFutureValue,
+												msgraph.ConditionalAccessDevicePlatformWindows,
+												msgraph.ConditionalAccessDevicePlatformWindowsPhone,
 											}, false),
 										},
 									},
@@ -243,13 +276,13 @@ func conditionalAccessPolicyResource() *schema.Resource {
 										Elem: &schema.Schema{
 											Type: schema.TypeString,
 											ValidateFunc: validation.StringInSlice([]string{
-												"all",
-												"android",
-												"iOS",
-												"macOS",
-												"unknownFutureValue",
-												"windows",
-												"windowsPhone",
+												msgraph.ConditionalAccessDevicePlatformAll,
+												msgraph.ConditionalAccessDevicePlatformAndroid,
+												msgraph.ConditionalAccessDevicePlatformIos,
+												msgraph.ConditionalAccessDevicePlatformMacOs,
+												msgraph.ConditionalAccessDevicePlatformUnknownFutureValue,
+												msgraph.ConditionalAccessDevicePlatformWindows,
+												msgraph.ConditionalAccessDevicePlatformWindowsPhone,
 											}, false),
 										},
 									},
@@ -263,12 +296,12 @@ func conditionalAccessPolicyResource() *schema.Resource {
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 								ValidateFunc: validation.StringInSlice([]string{
-									"hidden",
-									"high",
-									"low",
-									"medium",
-									"none",
-									"unknownFutureValue",
+									msgraph.ConditionalAccessRiskLevelHidden,
+									msgraph.ConditionalAccessRiskLevelHigh,
+									msgraph.ConditionalAccessRiskLevelLow,
+									msgraph.ConditionalAccessRiskLevelMedium,
+									msgraph.ConditionalAccessRiskLevelNone,
+									msgraph.ConditionalAccessRiskLevelUnknownFutureValue,
 								}, false),
 							},
 						},
@@ -279,12 +312,12 @@ func conditionalAccessPolicyResource() *schema.Resource {
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 								ValidateFunc: validation.StringInSlice([]string{
-									"hidden",
-									"high",
-									"low",
-									"medium",
-									"none",
-									"unknownFutureValue",
+									msgraph.ConditionalAccessRiskLevelHidden,
+									msgraph.ConditionalAccessRiskLevelHigh,
+									msgraph.ConditionalAccessRiskLevelLow,
+									msgraph.ConditionalAccessRiskLevelMedium,
+									msgraph.ConditionalAccessRiskLevelNone,
+									msgraph.ConditionalAccessRiskLevelUnknownFutureValue,
 								}, false),
 							},
 						},
@@ -309,14 +342,14 @@ func conditionalAccessPolicyResource() *schema.Resource {
 							Elem: &schema.Schema{
 								Type: schema.TypeString,
 								ValidateFunc: validation.StringInSlice([]string{
-									"approvedApplication",
-									"block",
-									"compliantApplication",
-									"compliantDevice",
-									"domainJoinedDevice",
-									"mfa",
-									"passwordChange",
-									"unknownFutureValue",
+									msgraph.ConditionalAccessGrantControlApprovedApplication,
+									msgraph.ConditionalAccessGrantControlBlock,
+									msgraph.ConditionalAccessGrantControlCompliantApplication,
+									msgraph.ConditionalAccessGrantControlCompliantDevice,
+									msgraph.ConditionalAccessGrantControlDomainJoinedDevice,
+									msgraph.ConditionalAccessGrantControlMfa,
+									msgraph.ConditionalAccessGrantControlPasswordChange,
+									msgraph.ConditionalAccessGrantControlUnknownFutureValue,
 								}, false),
 							},
 						},
@@ -357,10 +390,10 @@ func conditionalAccessPolicyResource() *schema.Resource {
 							Type:     schema.TypeString,
 							Optional: true,
 							ValidateFunc: validation.StringInSlice([]string{
-								"blockDownloads",
-								"mcasConfigured",
-								"monitorOnly",
-								"unknownFutureValue",
+								msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeBlockDownloads,
+								msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeMcasConfigured,
+								msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeMonitorOnly,
+								msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeUnknownFutureValue,
 							}, false),
 						},
 
@@ -393,6 +426,13 @@ func conditionalAccessPolicyCustomizeDiff(ctx context.Context, diff *schema.Reso
 		diff.ForceNew("session_controls.0.sign_in_frequency")
 	}
 
+	if old, new := diff.GetChange("conditions.0.devices.#"); old.(int) > 0 && new.(int) == 0 {
+		diff.ForceNew("conditions.0.devices")
+	}
+	if old, new := diff.GetChange("conditions.0.devices.0.filter.#"); old.(int) > 0 && new.(int) == 0 {
+		diff.ForceNew("conditions.0.devices.0.filter")
+	}
+
 	return nil
 }
 
@@ -421,7 +461,7 @@ func conditionalAccessPolicyResourceCreate(ctx context.Context, d *schema.Resour
 		State:           utils.String(d.Get("state").(string)),
 		Conditions:      expandConditionalAccessConditionSet(d.Get("conditions").([]interface{})),
 		GrantControls:   expandConditionalAccessGrantControls(d.Get("grant_controls").([]interface{})),
-		SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{}), true),
+		SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{})),
 	}
 
 	policy, _, err := client.Create(ctx, properties)
@@ -447,7 +487,7 @@ func conditionalAccessPolicyResourceUpdate(ctx context.Context, d *schema.Resour
 		State:           utils.String(d.Get("state").(string)),
 		Conditions:      expandConditionalAccessConditionSet(d.Get("conditions").([]interface{})),
 		GrantControls:   expandConditionalAccessGrantControls(d.Get("grant_controls").([]interface{})),
-		SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{}), false),
+		SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{})),
 	}
 
 	if _, err := client.Update(ctx, properties); err != nil {