Feature: add application filter to azuread_conditional_access_policy

[BrendanThompson]

Description

This PR adds the ability to have an application filter on azuread_conditional_access_policy.

resource "azuread_conditional_access_policy" "this" {
  display_name = "access-policy"
  state        = "disabled"

  conditions {
    client_app_types    = ["other"]

    applications {
      filter {
        mode = "include"
        rule = "CustomSecurityAttribute.AttributeName -eq \"AttributeValue\""
      }
    }

    users {
      included_roles = ["Contributor"]
    }
  }
}

Change Log

• azuread_conditional_access_policy – add the filter attribute to the applications block allowing for applications to be filtered [Feature: add application filter to azuread_conditional_access_policy #1357]

Related Issue(s)

Fixes #1318

[BrendanThompson]

@tombuildsstuff — don't suppose you've time to give some feedback on this PR as well?

[manicminer]

Thanks @TomasKunka for this addition.

This is looking great - if you could add an acceptance test case that uses a filter for an application condition then this should be good to merge. Conditional Access Policies have shown to yield odd payload parsing bugs further down the line so having coverage is necessary to give us a good shot at spotting regressions.

Thanks!

[BrendanThompson]

@manicminer thanks for reviewing this, I will try and get an acceptance test in today 😃

[manicminer]

@BrendanThompson Great thanks, and sorry for the mis-tag! 😊

[BrendanThompson]

@manicminer — sorry it's taken me a few days to get back to you. I started writing the tests then I realised that we will actually require some attributes to be set on wherever the Acceptance Tests are run, otherwise the tests will fail. There is currently also no mechanism to deploy said attributes with Terraform ☹️.

https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview

The above link are the attributes we need in-place. How would you like to proceed on this, if possible were you able to add an attribute and I can test with that. Then perhaps the next thing is to work on integrating the attribute creation into the provider? (Happy to work in this)

[manicminer]

@BrendanThompson All good, appreciate you looking at this. Unfortunately these are not currently supported by the provider. I don't believe they are supported by the current SDK either so this would have to be added throughout in order to integrate custom security attributes. Is it not maybe possible to build a rule for testing without using custom attributes? Even if it's essentially a no-op that would be fine.

[BrendanThompson]

I cannot think of any way to test it properly without the custom attributes being there to be honest. And testing it without an attribute would yield odd results due to the API. We could add a notice on the resource itself, like a warning around it. Buyer beware until the security attributes are available. What are your thoughts?

[manicminer]

I would also love to ship this but unless we are able to demonstrate some level of testing, we unfortunately won't be able to add a property or block to a resource without it, which I guess means this will have to wait until we have a resource to support custom security attributes.

[BrendanThompson]

Hey @manicminer,

I have opened a PR in Hamilton (manicminer/hamilton#281) to add support for both attribute sets and custom security attribute definitions once that has gone through I will add support for them in the provider and update the tests here 😃

[manicminer]

@BrendanThompson The hamilton version has been updated in the provider, hopefully this unblocks your work on this 🙂

[jwelker9]

I'm really hoping to use I have nothing valuable to add... but I just wanted to cheer you guys on as I'm hoping to leverage this appFilter as well lol thanks for your work on it!