Feature: add application filter to azuread_conditional_access_policy
#1357
Conversation
|
@tombuildsstuff — don't suppose you've time to give some feedback on this PR as well? |
Signed-off-by: Brendan Thompson <github@blt.is>
Signed-off-by: Brendan Thompson <github@blt.is>
Signed-off-by: Brendan Thompson <github@blt.is>
Signed-off-by: Brendan Thompson <github@blt.is>
manicminer
force-pushed
the
feature/application-conditional-filter
branch
from
84c762d
to
2b43824
Compare
There was a problem hiding this comment.
Thanks @TomasKunka for this addition.
This is looking great - if you could add an acceptance test case that uses a filter for an application condition then this should be good to merge. Conditional Access Policies have shown to yield odd payload parsing bugs further down the line so having coverage is necessary to give us a good shot at spotting regressions.
Thanks!
|
@manicminer thanks for reviewing this, I will try and get an acceptance test in today 😃 |
|
@BrendanThompson Great thanks, and sorry for the mis-tag! 😊 |
|
@manicminer — sorry it's taken me a few days to get back to you. I started writing the tests then I realised that we will actually require some attributes to be set on wherever the Acceptance Tests are run, otherwise the tests will fail. There is currently also no mechanism to deploy said attributes with Terraform https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview The above link are the attributes we need in-place. How would you like to proceed on this, if possible were you able to add an attribute and I can test with that. Then perhaps the next thing is to work on integrating the attribute creation into the provider? (Happy to work in this) |
|
@BrendanThompson All good, appreciate you looking at this. Unfortunately these are not currently supported by the provider. I don't believe they are supported by the current SDK either so this would have to be added throughout in order to integrate custom security attributes. Is it not maybe possible to build a rule for testing without using custom attributes? Even if it's essentially a no-op that would be fine. |
|
I cannot think of any way to test it properly without the custom attributes being there to be honest. And testing it without an attribute would yield odd results due to the API. We could add a notice on the resource itself, like a warning around it. Buyer beware until the security attributes are available. What are your thoughts? |
|
I would also love to ship this but unless we are able to demonstrate some level of testing, we unfortunately won't be able to add a property or block to a resource without it, which I guess means this will have to wait until we have a resource to support custom security attributes. |
|
Hey @manicminer, I have opened a PR in |
Description
This PR adds the ability to have an application filter on
azuread_conditional_access_policy.Change Log
azuread_conditional_access_policy– add thefilterattribute to theapplicationsblock allowing for applications to be filtered [Feature: add application filter toazuread_conditional_access_policy#1357]Related Issue(s)
Fixes #1318