Add more doc + fix tests

hashicorp · Mar 23, 2023 · b5f1fc7 · b5f1fc7
1 parent 0e4c5e4
commit b5f1fc7
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 25 deletions.
diff --git a/docs/resources/conditional_access_policy.md b/docs/resources/conditional_access_policy.md
@@ -18,6 +18,8 @@ When authenticated with a user principal, this resource requires one of the foll
 
 ## Example Usage
 
+### All users except guests or external users
+
 ```terraform
 resource "azuread_conditional_access_policy" "example" {
   display_name = "example policy"
@@ -33,11 +35,6 @@ resource "azuread_conditional_access_policy" "example" {
       excluded_applications = []
     }
 
-    client_applications {
-      included_service_principals = ["None"]
-      excluded_service_principals = []
-    }
-
     devices {
       filter {
         mode = "exclude"
@@ -75,6 +72,73 @@ resource "azuread_conditional_access_policy" "example" {
 }
 ```
 
+### Included client applications / service principals
+
+```terraform
+
+data "azuread_client_config" "current" {}
+
+resource "azuread_conditional_access_policy" "example" {
+  display_name = "example policy"
+  state        = "disabled"
+
+  conditions {
+    client_app_types    = ["all"]
+
+    applications {
+      included_applications = ["All"]
+    }
+
+    client_applications {
+      included_service_principals = [data.azuread_client_config.current.object_id]
+      excluded_service_principals = []
+    }
+
+    users {
+      included_users = ["None"]
+    }
+  }
+
+  grant_controls {
+    operator          = "OR"
+    built_in_controls = ["block"]
+  }
+}
+```
+
+### Excluded client applications / service principals
+
+```terraform
+
+data "azuread_client_config" "current" {}
+
+resource "azuread_conditional_access_policy" "example" {
+  display_name = "example policy"
+  state        = "disabled"
+
+  conditions {
+    client_app_types    = ["all"]
+
+    applications {
+      included_applications = ["All"]
+    }
+
+    client_applications {
+      included_service_principals = ["ServicePrincipalsInMyTenant"]
+      excluded_service_principals = [data.azuread_client_config.current.object_id]
+    }
+
+    users {
+      included_users = ["None"]
+    }
+  }
+
+  grant_controls {
+    operator          = "OR"
+    built_in_controls = ["block"]
+  }
+}
+```
 ## Argument Reference
 
 The following arguments are supported:
@@ -109,6 +173,13 @@ The following arguments are supported:
 
 ---
 
+`client_applications` block supports the following:
+
+* `excluded_service_principals` - (Optional) A list of service principal IDs explicitly excluded in the policy.
+* `included_service_principals` - (Optional) A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is mandatory value when at least one `excluded_service_principals` is set.
+
+---
+
 `devices` block supports the following:
 
 * `filter` - (Optional) A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
@@ -171,13 +242,6 @@ The following arguments are supported:
 
 ---
 
-`client_applications` block supports the following:
-
-* `excluded_service_principals` - (Optional) A list of service principal IDs explicitly excluded in the policy.
-* `included_service_principals` - (Optional) A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is mandatory value when at least one `excluded_service_principals` is set.
-
----
-
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:

diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource.go b/internal/services/conditionalaccess/conditional_access_policy_resource.go
@@ -135,7 +135,7 @@ func conditionalAccessPolicyResource() *schema.Resource {
 
 						"users": {
 							Type:     schema.TypeList,
-							Optional: true,
+							Required: true,
 							MaxItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
@@ -480,7 +480,6 @@ func conditionalAccessPolicyCustomizeDiff(ctx context.Context, diff *schema.Reso
 
 func conditionalAccessPolicyDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
 	suppress := false
-	//tflog.Info(context.Background(), fmt.Sprintf("kkkk: %s", k))
 
 	switch {
 	case k == "session_controls.#" && old == "0" && new == "1":

diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
@@ -292,14 +292,7 @@ func TestAccConditionalAccessPolicy_clientApplications(t *testing.T) {
 		},
 		data.ImportStep(),
 		{
-			Config: r.complete(data),
-			Check: resource.ComposeTestCheckFunc(
-				check.That(data.ResourceName).ExistsInAzure(r),
-			),
-		},
-		data.ImportStep(),
-		{
-			Config: r.clientApplicationsIncluded(data),
+			Config: r.clientApplicationsExcluded(data),
 			Check: resource.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 				check.That(data.ResourceName).Key("id").Exists(),
@@ -309,7 +302,7 @@ func TestAccConditionalAccessPolicy_clientApplications(t *testing.T) {
 		},
 		data.ImportStep(),
 		{
-			Config: r.clientApplicationsExcluded(data),
+			Config: r.clientApplicationsIncluded(data),
 			Check: resource.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 				check.That(data.ResourceName).Key("id").Exists(),
@@ -669,7 +662,7 @@ resource "azuread_conditional_access_policy" "test" {
     }
 
     users {
-      included_users = ["All"]
+      included_users = ["None"]
     }
   }
 
@@ -704,7 +697,7 @@ resource "azuread_conditional_access_policy" "test" {
     }
 
     users {
-      included_users = ["All"]
+      included_users = ["None"]
     }
   }