Feature: add application filter to azuread_conditional_access_policy

internal/services/conditionalaccess/conditional_access_policy_resource.go

@@ -77,7 +77,7 @@ func conditionalAccessPolicyResource() *pluginsdk.Resource {
 									"included_applications": {
 										Type:         pluginsdk.TypeList,
 										Optional:     true,
-										ExactlyOneOf: []string{"conditions.0.applications.0.included_applications", "conditions.0.applications.0.included_user_actions"},
+										ExactlyOneOf: []string{"conditions.0.applications.0.included_applications", "conditions.0.applications.0.included_user_actions", "conditions.0.applications.0.filter"},
 										Elem: &pluginsdk.Schema{
 											Type:             pluginsdk.TypeString,
 											ValidateDiagFunc: validation.ValidateDiag(validation.StringIsNotEmpty),
@@ -96,12 +96,37 @@ func conditionalAccessPolicyResource() *pluginsdk.Resource {
 									"included_user_actions": {
 										Type:         pluginsdk.TypeList,
 										Optional:     true,
-										ExactlyOneOf: []string{"conditions.0.applications.0.included_applications", "conditions.0.applications.0.included_user_actions"},
+										ExactlyOneOf: []string{"conditions.0.applications.0.included_applications", "conditions.0.applications.0.included_user_actions", "conditions.0.applications.0.filter"},
 										Elem: &pluginsdk.Schema{
 											Type:             pluginsdk.TypeString,
 											ValidateDiagFunc: validation.ValidateDiag(validation.StringIsNotEmpty),
 										},
 									},
+
+									"filter": {
+										Type:         pluginsdk.TypeList,
+										Optional:     true,
+										ExactlyOneOf: []string{"conditions.0.applications.0.included_applications", "conditions.0.applications.0.included_user_actions", "conditions.0.applications.0.filter"},
+										MaxItems:     1,
+										Elem: &pluginsdk.Resource{
+											Schema: map[string]*pluginsdk.Schema{
+												"mode": {
+													Type:     pluginsdk.TypeString,
+													Required: true,
+													ValidateFunc: validation.StringInSlice([]string{
+														msgraph.ConditionalAccessFilterModeExclude,
+														msgraph.ConditionalAccessFilterModeInclude,
+													}, false),
+												},
+
+												"rule": {
+													Type:             pluginsdk.TypeString,
+													Required:         true,
+													ValidateDiagFunc: validation.ValidateDiag(validation.StringIsNotEmpty),
+												},
+											},
+										},
+									},
 								},
 							},
 						},

internal/services/conditionalaccess/conditionalaccess.go

@@ -4,6 +4,8 @@
 package conditionalaccess
 
 import (
+	"log"
+
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/terraform-provider-azuread/internal/tf"
 	"github.com/manicminer/hamilton/msgraph"
@@ -40,6 +42,7 @@ func flattenConditionalAccessApplications(in *msgraph.ConditionalAccessApplicati
 			"included_applications": tf.FlattenStringSlicePtr(in.IncludeApplications),
 			"excluded_applications": tf.FlattenStringSlicePtr(in.ExcludeApplications),
 			"included_user_actions": tf.FlattenStringSlicePtr(in.IncludeUserActions),
+			"filter":                flattenConditionalAccessFilter(in.ApplicationFilter),
 		},
 	}
 }
@@ -83,7 +86,7 @@ func flattenConditionalAccessDevices(in *msgraph.ConditionalAccessDevices) []int
 
 	return []interface{}{
 		map[string]interface{}{
-			"filter": flattenConditionalAccessDeviceFilter(in.DeviceFilter),
+			"filter": flattenConditionalAccessFilter(in.DeviceFilter),
 		},
 	}
 }
@@ -188,11 +191,14 @@ func flattenConditionalAccessSessionControls(in *msgraph.ConditionalAccessSessio
 	}
 }
 
-func flattenConditionalAccessDeviceFilter(in *msgraph.ConditionalAccessFilter) []interface{} {
+func flattenConditionalAccessFilter(in *msgraph.ConditionalAccessFilter) []interface{} {
 	if in == nil {
+		log.Print("=== no access filters to flatten")
 		return []interface{}{}
 	}
 
+	log.Printf("=== access filters are being flattened: %s", *in.Rule)
+
 	return []interface{}{
 		map[string]interface{}{
 			"mode": in.Mode,
@@ -339,10 +345,17 @@ func expandConditionalAccessApplications(in []interface{}) *msgraph.ConditionalA
 	includeApplications := config["included_applications"].([]interface{})
 	excludeApplications := config["excluded_applications"].([]interface{})
 	includeUserActions := config["included_user_actions"].([]interface{})
+	filter := config["filter"].([]interface{})
 
 	result.IncludeApplications = tf.ExpandStringSlicePtr(includeApplications)
 	result.ExcludeApplications = tf.ExpandStringSlicePtr(excludeApplications)
 	result.IncludeUserActions = tf.ExpandStringSlicePtr(includeUserActions)
+	if len(filter) > 0 {
+		log.Printf("=== appliction filter being expanded %+v \n", filter...)
+		result.ApplicationFilter = expandConditionalAccessFilter(filter)
+	} else {
+		log.Println("=== no application filter to expand")
+	}
 
 	return &result
 }