azuread_conditional_access_policy - populate members only when membership_kind is set to enumerated (#1601)

- fixes schema validation error from Graph API
 - resulting object has the "@odata.type" field with
   "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"

add test condition for list size

Author: sdx-jkataja

internal/services/conditionalaccess/conditional_access_policy_resource_test.go

@@ -369,6 +369,25 @@ func TestAccConditionalAccessPolicy_insiderRisk(t *testing.T) {
 	})
 }
 
+func TestAccConditionalAccessPolicy_guestsOrExternalUsersServiceProviderExternalTenantExcluded(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
+	r := ConditionalAccessPolicyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.guestsOrExternalUsersServiceProviderExternalTenantExcluded(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.membership_kind").HasValue("enumerated"),
+				check.That(data.ResourceName).Key("conditions.0.users.0.excluded_guests_or_external_users.0.external_tenants.0.members.#").HasValue("1"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (r ConditionalAccessPolicyResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := stable.ParseIdentityConditionalAccessPolicyID(state.ID)
 	if err != nil {
@@ -949,3 +968,38 @@ resource "azuread_conditional_access_policy" "test" {
 }
 `, data.RandomInteger)
 }
+
+func (ConditionalAccessPolicyResource) guestsOrExternalUsersServiceProviderExternalTenantExcluded(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types = ["browser"]
+
+    applications {
+      included_applications = ["None"]
+    }
+
+    users {
+      included_users = ["None"]
+      excluded_guests_or_external_users {
+        guest_or_external_user_types = ["serviceProvider"]
+        external_tenants {
+          membership_kind = "enumerated"
+          members = [
+            "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+          ]
+        }
+      }
+    }
+  }
+
+  grant_controls {
+    operator          = "OR"
+    built_in_controls = ["block"]
+  }
+}
+`, data.RandomInteger)
+}

internal/services/conditionalaccess/conditionalaccess.go

@@ -649,19 +649,24 @@ func expandExternalTenants(in []interface{}) stable.ConditionalAccessExternalTen
 		return nil
 	}
 
-	result := stable.BaseConditionalAccessExternalTenantsImpl{}
-
 	config := in[0].(map[string]interface{})
 
 	members := config["members"].([]interface{})
+	membershipKind := stable.ConditionalAccessExternalTenantsMembershipKind(config["membership_kind"].(string))
 
-	result.MembershipKind = pointer.To(stable.ConditionalAccessExternalTenantsMembershipKind(config["membership_kind"].(string)))
+	// only membership_kind enumerated is allowed to have members field set
+	if membershipKind == stable.ConditionalAccessExternalTenantsMembershipKind_Enumerated {
+		result := stable.ConditionalAccessEnumeratedExternalTenants{}
 
-	// only membership_kind enumerated is allowed to have members field set, so we omit setting an empty array when no members configured
-	if len(members) > 0 {
+		result.MembershipKind = pointer.To(membershipKind)
 		result.Members = tf.ExpandStringSlicePtr(members)
+
+		return &result
 	}
 
+	result := stable.BaseConditionalAccessExternalTenantsImpl{}
+	result.MembershipKind = pointer.To(membershipKind)
+
 	return &result
 }