Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conditional Access improvements, support for device conditions #673

Merged
merged 7 commits into from
Nov 25, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ website/node_modules
.*.swp
.idea
*.iml
*.log
*.test

website/vendor
Expand Down
21 changes: 21 additions & 0 deletions docs/resources/conditional_access_policy.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,13 @@ resource "azuread_conditional_access_policy" "example" {
excluded_applications = ["00000004-0000-0ff1-ce00-000000000000"]
}

devices {
filter {
mode = "exclude"
rule = "device.operatingSystem eq \"Doors\""
}
}

locations {
included_locations = ["All"]
excluded_locations = ["AllTrusted"]
Expand Down Expand Up @@ -87,6 +94,7 @@ The following arguments are supported:

* `applications` - (Required) An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
* `client_app_types` - (Required) A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
* `devices` - (Optional) A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
* `locations` - (Required) A `locations` block as documented below, which specifies locations included in and excluded from the policy.
* `platforms` - (Required) A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
* `sign_in_risk_levels` - (Optional) A list of sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
Expand All @@ -103,6 +111,19 @@ The following arguments are supported:

---

`devices` block supports the following:

* `filter` - (Optional) A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.

---

`filter` block supports the following:

* `mode` - (Required) Whether to include in, or exclude from, matching devices from the policy. Supported values are `include` or `exclude`.
* `rule` - (Required) Condition filter to match devices. For more information, see [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters).

---

`users` block supports the following:

* `excluded_groups` - (Optional) A list of group IDs excluded from scope of policy.
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ require (
github.com/hashicorp/terraform-plugin-sdk/v2 v2.8.0
github.com/hashicorp/yamux v0.0.0-20210316155119-a95892c5f864 // indirect
github.com/klauspost/compress v1.12.2 // indirect
github.com/manicminer/hamilton v0.36.0
github.com/manicminer/hamilton v0.36.1
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.4.1 // indirect
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -299,8 +299,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/manicminer/hamilton v0.36.0 h1:HBH1yJB2nA0d4ZebF9R8LSZMwkyujNUQr4mnIthUKE4=
github.com/manicminer/hamilton v0.36.0/go.mod h1:IOYn2Dc9SUiZ7Ryw6c8Ay795vPPMnrCZe3MktS447dc=
github.com/manicminer/hamilton v0.36.1 h1:rIHUAYP54u70yGcl1HZjo3/DXx7B6npzVFnDSVduttQ=
github.com/manicminer/hamilton v0.36.1/go.mod h1:IOYn2Dc9SUiZ7Ryw6c8Ay795vPPMnrCZe3MktS447dc=
github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -177,16 +177,49 @@ func conditionalAccessPolicyResource() *schema.Resource {
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
"all",
"browser",
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"easSupported",
"other",
msgraph.ConditionalAccessClientAppTypeAll,
msgraph.ConditionalAccessClientAppTypeBrowser,
msgraph.ConditionalAccessClientAppTypeEasSupported,
msgraph.ConditionalAccessClientAppTypeExchangeActiveSync,
msgraph.ConditionalAccessClientAppTypeMobileAppsAndDesktopClients,
msgraph.ConditionalAccessClientAppTypeOther,
}, false),
},
},

"devices": {
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"filter": {
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"mode": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
msgraph.ConditionalAccessFilterModeExclude,
msgraph.ConditionalAccessFilterModeInclude,
}, false),
},

"rule": {
Type: schema.TypeString,
Required: true,
ValidateDiagFunc: validate.NoEmptyStrings,
},
},
},
},
},
},
},

"locations": {
Type: schema.TypeList,
Required: true,
Expand Down Expand Up @@ -226,13 +259,13 @@ func conditionalAccessPolicyResource() *schema.Resource {
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
"all",
"android",
"iOS",
"macOS",
"unknownFutureValue",
"windows",
"windowsPhone",
msgraph.ConditionalAccessDevicePlatformAll,
msgraph.ConditionalAccessDevicePlatformAndroid,
msgraph.ConditionalAccessDevicePlatformIos,
msgraph.ConditionalAccessDevicePlatformMacOs,
msgraph.ConditionalAccessDevicePlatformUnknownFutureValue,
msgraph.ConditionalAccessDevicePlatformWindows,
msgraph.ConditionalAccessDevicePlatformWindowsPhone,
}, false),
},
},
Expand All @@ -243,13 +276,13 @@ func conditionalAccessPolicyResource() *schema.Resource {
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
"all",
"android",
"iOS",
"macOS",
"unknownFutureValue",
"windows",
"windowsPhone",
msgraph.ConditionalAccessDevicePlatformAll,
msgraph.ConditionalAccessDevicePlatformAndroid,
msgraph.ConditionalAccessDevicePlatformIos,
msgraph.ConditionalAccessDevicePlatformMacOs,
msgraph.ConditionalAccessDevicePlatformUnknownFutureValue,
msgraph.ConditionalAccessDevicePlatformWindows,
msgraph.ConditionalAccessDevicePlatformWindowsPhone,
}, false),
},
},
Expand All @@ -263,12 +296,12 @@ func conditionalAccessPolicyResource() *schema.Resource {
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
"hidden",
"high",
"low",
"medium",
"none",
"unknownFutureValue",
msgraph.ConditionalAccessRiskLevelHidden,
msgraph.ConditionalAccessRiskLevelHigh,
msgraph.ConditionalAccessRiskLevelLow,
msgraph.ConditionalAccessRiskLevelMedium,
msgraph.ConditionalAccessRiskLevelNone,
msgraph.ConditionalAccessRiskLevelUnknownFutureValue,
}, false),
},
},
Expand All @@ -279,12 +312,12 @@ func conditionalAccessPolicyResource() *schema.Resource {
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
"hidden",
"high",
"low",
"medium",
"none",
"unknownFutureValue",
msgraph.ConditionalAccessRiskLevelHidden,
msgraph.ConditionalAccessRiskLevelHigh,
msgraph.ConditionalAccessRiskLevelLow,
msgraph.ConditionalAccessRiskLevelMedium,
msgraph.ConditionalAccessRiskLevelNone,
msgraph.ConditionalAccessRiskLevelUnknownFutureValue,
}, false),
},
},
Expand All @@ -309,14 +342,14 @@ func conditionalAccessPolicyResource() *schema.Resource {
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
"approvedApplication",
"block",
"compliantApplication",
"compliantDevice",
"domainJoinedDevice",
"mfa",
"passwordChange",
"unknownFutureValue",
msgraph.ConditionalAccessGrantControlApprovedApplication,
msgraph.ConditionalAccessGrantControlBlock,
msgraph.ConditionalAccessGrantControlCompliantApplication,
msgraph.ConditionalAccessGrantControlCompliantDevice,
msgraph.ConditionalAccessGrantControlDomainJoinedDevice,
msgraph.ConditionalAccessGrantControlMfa,
msgraph.ConditionalAccessGrantControlPasswordChange,
msgraph.ConditionalAccessGrantControlUnknownFutureValue,
}, false),
},
},
Expand Down Expand Up @@ -357,10 +390,10 @@ func conditionalAccessPolicyResource() *schema.Resource {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice([]string{
"blockDownloads",
"mcasConfigured",
"monitorOnly",
"unknownFutureValue",
msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeBlockDownloads,
msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeMcasConfigured,
msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeMonitorOnly,
msgraph.ConditionalAccessCloudAppSecuritySessionControlTypeUnknownFutureValue,
}, false),
},

Expand Down Expand Up @@ -393,6 +426,13 @@ func conditionalAccessPolicyCustomizeDiff(ctx context.Context, diff *schema.Reso
diff.ForceNew("session_controls.0.sign_in_frequency")
}

if old, new := diff.GetChange("conditions.0.devices.#"); old.(int) > 0 && new.(int) == 0 {
diff.ForceNew("conditions.0.devices")
}
if old, new := diff.GetChange("conditions.0.devices.0.filter.#"); old.(int) > 0 && new.(int) == 0 {
diff.ForceNew("conditions.0.devices.0.filter")
}

return nil
}

Expand Down Expand Up @@ -421,7 +461,7 @@ func conditionalAccessPolicyResourceCreate(ctx context.Context, d *schema.Resour
State: utils.String(d.Get("state").(string)),
Conditions: expandConditionalAccessConditionSet(d.Get("conditions").([]interface{})),
GrantControls: expandConditionalAccessGrantControls(d.Get("grant_controls").([]interface{})),
SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{}), true),
SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{})),
}

policy, _, err := client.Create(ctx, properties)
Expand All @@ -447,7 +487,7 @@ func conditionalAccessPolicyResourceUpdate(ctx context.Context, d *schema.Resour
State: utils.String(d.Get("state").(string)),
Conditions: expandConditionalAccessConditionSet(d.Get("conditions").([]interface{})),
GrantControls: expandConditionalAccessGrantControls(d.Get("grant_controls").([]interface{})),
SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{}), false),
SessionControls: expandConditionalAccessSessionControls(d.Get("session_controls").([]interface{})),
}

if _, err := client.Update(ctx, properties); err != nil {
Expand Down
Loading