Conditional access policy - support persistent browser session control #677
Conversation
stawik-mesa
changed the title
There was a problem hiding this comment.
Hi @stawik-mesa, thanks so much for this contribution! It looks like we missed persistent browser session controls when adding this resource, and it'd be great to add this.
This mostly LGTM, I have a few comments below mainly on style/ordering, and a typo in the test config. Could you also look at adding this property in the sessionControls / sessionControlsDisabled test configs? We have to test these separately at the moment to ensure we have test coverage for an API bug workaround.
If you can take a look at these, and the tests pass, then this should be good to merge. Thanks!
|
|
||
| "persistent_browser_mode": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| ValidateFunc: validation.StringInSlice([]string{"always", "never"}, false), | ||
| }, |
There was a problem hiding this comment.
This should go inside the session_controls block, e.g. alongside cloud_app_security_policy
internal/services/conditionalaccess/conditional_access_policy_resource_test.go
Outdated
Show resolved
Hide resolved
| return []interface{}{ | ||
| map[string]interface{}{ | ||
| "application_enforced_restrictions_enabled": applicationEnforceRestrictions, | ||
| "cloud_app_security_policy": cloudAppSecurity, | ||
| "sign_in_frequency": signInFrequency, | ||
| "sign_in_frequency_period": signInFrequencyPeriod, | ||
| "persistent_browser_mode": persistentBrowserMode, |
There was a problem hiding this comment.
Could these be alphabetically ordered?
| result.PersistentBrowser = &msgraph.PersistentBrowserSessionControl{ | ||
| IsEnabled: utils.Bool(false), | ||
| } |
There was a problem hiding this comment.
As above, could these be ordered?
| @@ -148,6 +148,7 @@ The following arguments are supported: | |||
| * `cloud_app_security_policy` - (Optional) Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`. | |||
| * `sign_in_frequency` - (Optional) Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created. | |||
| * `sign_in_frequency_period` - (Optional) The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created. | |||
| * `persistent_browser_mode` - (Optional) Session control to define whether to persist cookies or not. Possible values are: `always` or `never`. | |||
There was a problem hiding this comment.
These will need to be ordered to pass documentation checks :)
Co-authored-by: Tom Bamford <tom@bamford.io>
Hi @manicminer, Thanks for the quick response on my PR. How should I integrate the test? |
|
@stawik-mesa You can run the tests by running When I try to run this and enable persistent browser mode, I'm getting a 400 error from the API: {
"error": {
"code": "BadRequest",
"message": "1032: ConditionalActionPolicy validation failed due to InvalidConditionsForPersistentBrowserSessionMode.",
"innerError": {
"date": "2021-11-25T11:59:20",
"request-id": "551250b2-b961-44fd-ad83-f6b1cf6b32dc",
"client-request-id": "551250b2-b961-44fd-ad83-f6b1cf6b32dc"
}
}
}I looked back at earlier PRs when we added Conditional Access support, and I see that persistent browser mode was initially added but removed before the resource was merged. Whilst this wasn't discussed in the original PR, it might be that the API doesn't work for this property. Since we unfortunately can't merge until setting this property works, I'll dig into it a little further and reach out to the service team to find out why we're getting this error. |
|
@manicminer Locally all tests passed |
|
@manicminer I hopefully fixed the format error on the test source code |
…for `session_controls`
|
@stawik-mesa Thanks for resolving the merge! When running the tests I noticed that changes to I also merged your additional tests in with the tests for the I'll open this up for review from another contributor and we should be able to get this merged for this week's release. Thanks again! |
|
Test results
|
| "persistent_browser_mode": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| ValidateFunc: validation.StringInSlice([]string{ | ||
| msgraph.PersistentBrowserSessionModeAlways, | ||
| msgraph.PersistentBrowserSessionModeNever, | ||
| }, false), | ||
| }, |
There was a problem hiding this comment.
this seems to be a boolean so could become a bool? maybe
| "persistent_browser_mode": { | |
| Type: schema.TypeString, | |
| Optional: true, | |
| ValidateFunc: validation.StringInSlice([]string{ | |
| msgraph.PersistentBrowserSessionModeAlways, | |
| msgraph.PersistentBrowserSessionModeNever, | |
| }, false), | |
| }, | |
| "persistent_browser_cookies_enabled": { | |
| Type: schema.TypeString, | |
| Optional: true, | |
| ValidateFunc: validation.StringInSlice([]string{ | |
| msgraph.PersistentBrowserSessionModeAlways, | |
| msgraph.PersistentBrowserSessionModeNever, | |
| }, false), | |
| }, |
There was a problem hiding this comment.
It's more of a triple-value setting (there's an underlying bool which we infer the value of) so we'll probably have to stick with enum-like strings
|
This functionality has been released in v2.12.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Improvements for azuread_conditional_access: