azuread_conditional_access_policy - add client_applications.filter

sreallymatt · sreallymatt · commit 6b949795a896 · 2025-07-31T13:39:47.000-06:00
diff --git a/GNUmakefile b/GNUmakefile
@@ -91,7 +91,7 @@ testacc: fmtcheck
 	TF_ACC=1 go test $(TEST) -v $(TESTARGS) -timeout 180m -ldflags="-X=github.com/hashicorp/terraform-provider-azuread/version.ProviderVersion=acc"
 
 acctests: fmtcheck
-	TF_ACC=1 go test -v ./internal/services/$(SERVICE)/tests/ $(TESTARGS) -timeout $(TESTTIMEOUT) -ldflags="-X=github.com/hashicorp/terraform-provider-azuread/version.ProviderVersion=acc"
+	TF_ACC=1 go test -v ./internal/services/$(SERVICE)/ $(TESTARGS) -timeout $(TESTTIMEOUT) -ldflags="-X=github.com/hashicorp/terraform-provider-azuread/version.ProviderVersion=acc"
 
 debugacc: fmtcheck
 	TF_ACC=1 dlv test $(TEST) --headless --listen=:2345 --api-version=2 -- -test.v $(TESTARGS)
diff --git a/docs/resources/conditional_access_policy.md b/docs/resources/conditional_access_policy.md
@@ -185,6 +185,9 @@ The following arguments are supported:
 
 * `excluded_service_principals` - (Optional) A list of service principal IDs explicitly excluded in the policy.
 * `included_service_principals` - (Optional) A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is mandatory value when at least one `excluded_service_principals` is set.
+* `filter` - (Optional) A `filter` block as described below.
+
+~> **Note:** Specifying `filter` requires the `Attribute Definition Reader` role, this is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
 
 ---
 
@@ -196,8 +199,12 @@ The following arguments are supported:
 
 `filter` block supports the following:
 
-* `mode` - (Required) Whether to include in, or exclude from, matching devices from the policy. Supported values are `include` or `exclude`.
-* `rule` - (Required) Condition filter to match devices. For more information, see [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters).
+* `mode` - (Required) Whether to include in, or exclude from, matching items from the policy. Supported values are `include` or `exclude`.
+* `rule` - (Required) Condition filter to match items. 
+
+-> **Note:** For more information on device filters, see the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters).
+
+-> **Note:** For more information on application filters, see the [official documentation](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-filter-for-applications).
 
 ---
 
diff --git a/go.mod b/go.mod
@@ -3,8 +3,8 @@ module github.com/hashicorp/terraform-provider-azuread
 require (
 	github.com/google/go-cmp v0.7.0
 	github.com/hashicorp/go-azure-helpers v0.73.0
-	github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250618.1093309
-	github.com/hashicorp/go-azure-sdk/sdk v0.20250618.1093309
+	github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250731.1192335
+	github.com/hashicorp/go-azure-sdk/sdk v0.20250731.1192335
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-uuid v1.0.3
diff --git a/go.sum b/go.sum
@@ -55,10 +55,10 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-azure-helpers v0.73.0 h1:J++NBrLzwv6U/hSXeC29pWOr+5S+xnoQWVT2r1XAexw=
 github.com/hashicorp/go-azure-helpers v0.73.0/go.mod h1:tAUWC+kwZQsuNAHEIlnbojMMcC6SWQb6W1HfIeluv1E=
-github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250618.1093309 h1:giIJVkamQZN/28JQdCpJCsnYmNp1I+vN8zlmRTXuUmc=
-github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250618.1093309/go.mod h1:ty40K81T+JuCzG/9hOfB0rqCg/1iXSY3OudKwcZKgf8=
-github.com/hashicorp/go-azure-sdk/sdk v0.20250618.1093309 h1:EZLtbwBWk3/WYGQAvae5rHezjVlIPoUwoRk9lVTMc68=
-github.com/hashicorp/go-azure-sdk/sdk v0.20250618.1093309/go.mod h1:eyNClZwQsa4Go51ScU9OYCE2EQvbNt8EjZ4eMxpQ1H8=
+github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250731.1192335 h1:3RKmlQ8jRTepZSXOiCXzzldkn5zztZaNTysv9KzDfd0=
+github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250731.1192335/go.mod h1:1BFZ7+9v9RCXbk9F923R/4QRK+D2dXE9PhVjy9Mo940=
+github.com/hashicorp/go-azure-sdk/sdk v0.20250731.1192335 h1:Mbwo0DISwRI0N8Yrb1w/F4Ub1ot71NM1w8DeozbnpKs=
+github.com/hashicorp/go-azure-sdk/sdk v0.20250731.1192335/go.mod h1:eyNClZwQsa4Go51ScU9OYCE2EQvbNt8EjZ4eMxpQ1H8=
 github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU=
 github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource.go b/internal/services/conditionalaccess/conditional_access_policy_resource.go
@@ -138,6 +138,8 @@ func conditionalAccessPolicyResource() *pluginsdk.Resource {
 											ValidateFunc: validation.StringIsNotEmpty,
 										},
 									},
+
+									"filter": schemaConditionalAccessFilter(),
 								},
 							},
 						},
@@ -304,26 +306,7 @@ func conditionalAccessPolicyResource() *pluginsdk.Resource {
 							MaxItems: 1,
 							Elem: &pluginsdk.Resource{
 								Schema: map[string]*pluginsdk.Schema{
-									"filter": {
-										Type:     pluginsdk.TypeList,
-										Optional: true,
-										MaxItems: 1,
-										Elem: &pluginsdk.Resource{
-											Schema: map[string]*pluginsdk.Schema{
-												"mode": {
-													Type:         pluginsdk.TypeString,
-													Required:     true,
-													ValidateFunc: validation.StringInSlice(stable.PossibleValuesForFilterMode(), false),
-												},
-
-												"rule": {
-													Type:         pluginsdk.TypeString,
-													Required:     true,
-													ValidateFunc: validation.StringIsNotEmpty,
-												},
-											},
-										},
-									},
+									"filter": schemaConditionalAccessFilter(),
 								},
 							},
 						},
diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
@@ -317,6 +317,13 @@ func TestAccConditionalAccessPolicy_clientApplications(t *testing.T) {
 			),
 		},
 		data.ImportStep(),
+		{
+			Config: r.clientApplicationsFilter(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
 		{
 			Config: r.clientApplicationsIncluded(data),
 			Check: acceptance.ComposeTestCheckFunc(
@@ -862,6 +869,49 @@ resource "azuread_conditional_access_policy" "test" {
 `, data.RandomInteger)
 }
 
+func (ConditionalAccessPolicyResource) clientApplicationsFilter(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+
+data "azuread_service_principal" "test" {
+  display_name = "Terraform Acceptance Tests (Single Tenant)"
+}
+
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types = ["all"]
+
+    applications {
+      included_applications = ["All"]
+    }
+
+    client_applications {
+      included_service_principals = ["ServicePrincipalsInMyTenant"]
+
+      filter {
+        mode = "exclude"
+        rule = "CustomSecurityAttribute.AzureADProviderTesting_Usage -contains \"Acceptance Tests\""
+      }
+    }
+
+    service_principal_risk_levels = ["medium"]
+
+    users {
+      included_users = ["None"]
+    }
+  }
+
+  grant_controls {
+    operator          = "OR"
+    built_in_controls = ["block"]
+  }
+}
+`, data.RandomInteger)
+}
+
 func (ConditionalAccessPolicyResource) authenticationStrengthPolicy(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azuread" {}
diff --git a/internal/services/conditionalaccess/conditionalaccess.go b/internal/services/conditionalaccess/conditionalaccess.go
@@ -9,9 +9,34 @@ import (
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-sdk/microsoft-graph/common-types/stable"
 	"github.com/hashicorp/go-azure-sdk/sdk/nullable"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-azuread/internal/helpers/tf"
+	"github.com/hashicorp/terraform-provider-azuread/internal/helpers/tf/pluginsdk"
 )
 
+func schemaConditionalAccessFilter() *pluginsdk.Schema {
+	return &pluginsdk.Schema{
+		Type:     pluginsdk.TypeList,
+		Optional: true,
+		MaxItems: 1,
+		Elem: &pluginsdk.Resource{
+			Schema: map[string]*pluginsdk.Schema{
+				"mode": {
+					Type:         pluginsdk.TypeString,
+					Required:     true,
+					ValidateFunc: validation.StringInSlice(stable.PossibleValuesForFilterMode(), false),
+				},
+
+				"rule": {
+					Type:         pluginsdk.TypeString,
+					Required:     true,
+					ValidateFunc: validation.StringIsNotEmpty,
+				},
+			},
+		},
+	}
+}
+
 func flattenConditionalAccessConditionSet(in *stable.ConditionalAccessConditionSet) []interface{} {
 	if in == nil {
 		return []interface{}{}
@@ -78,6 +103,7 @@ func flattenConditionalAccessClientApplications(in *stable.ConditionalAccessClie
 		map[string]interface{}{
 			"included_service_principals": tf.FlattenStringSlicePtr(in.IncludeServicePrincipals),
 			"excluded_service_principals": tf.FlattenStringSlicePtr(in.ExcludeServicePrincipals),
+			"filter":                      flattenConditionalAccessFilter(in.ServicePrincipalFilter),
 		},
 	}
 }
@@ -108,7 +134,7 @@ func flattenConditionalAccessDevices(in *stable.ConditionalAccessDevices) []inte
 
 	return []interface{}{
 		map[string]interface{}{
-			"filter": flattenConditionalAccessDeviceFilter(in.DeviceFilter),
+			"filter": flattenConditionalAccessFilter(in.DeviceFilter),
 		},
 	}
 }
@@ -228,7 +254,7 @@ func flattenConditionalAccessSessionControls(in *stable.ConditionalAccessSession
 	}
 }
 
-func flattenConditionalAccessDeviceFilter(in *stable.ConditionalAccessFilter) []interface{} {
+func flattenConditionalAccessFilter(in *stable.ConditionalAccessFilter) []interface{} {
 	if in == nil {
 		return []interface{}{}
 	}
@@ -401,10 +427,15 @@ func expandConditionalAccessClientApplications(in []interface{}) *stable.Conditi
 
 	includeServicePrincipals := config["included_service_principals"].([]interface{})
 	excludeServicePrincipals := config["excluded_service_principals"].([]interface{})
+	servicePrincipalFilter := config["filter"].([]interface{})
 
 	result.IncludeServicePrincipals = tf.ExpandStringSlicePtr(includeServicePrincipals)
 	result.ExcludeServicePrincipals = tf.ExpandStringSlicePtr(excludeServicePrincipals)
 
+	if len(servicePrincipalFilter) > 0 {
+		result.ServicePrincipalFilter = expandConditionalAccessFilter(servicePrincipalFilter)
+	}
+
 	return &result
 }
 
diff --git a/vendor/github.com/hashicorp/go-azure-sdk/microsoft-graph/common-types/stable/model_conditionalaccessclientapplications.go b/vendor/github.com/hashicorp/go-azure-sdk/microsoft-graph/common-types/stable/model_conditionalaccessclientapplications.go
diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go
diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/msgraph/client.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/msgraph/client.go
diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/internal/accept/accept.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/internal/accept/accept.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -65,7 +65,7 @@ github.com/hashicorp/go-azure-helpers/lang/pointer
 github.com/hashicorp/go-azure-helpers/lang/response
 github.com/hashicorp/go-azure-helpers/resourcemanager/features
 github.com/hashicorp/go-azure-helpers/resourcemanager/resourceids
-# github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250618.1093309
+# github.com/hashicorp/go-azure-sdk/microsoft-graph v0.20250731.1192335
 ## explicit; go 1.24.1
 github.com/hashicorp/go-azure-sdk/microsoft-graph/administrativeunits/beta/administrativeunit
 github.com/hashicorp/go-azure-sdk/microsoft-graph/applications/beta/application
@@ -128,7 +128,7 @@ github.com/hashicorp/go-azure-sdk/microsoft-graph/serviceprincipals/stable/synch
 github.com/hashicorp/go-azure-sdk/microsoft-graph/users/beta/user
 github.com/hashicorp/go-azure-sdk/microsoft-graph/users/stable/manager
 github.com/hashicorp/go-azure-sdk/microsoft-graph/users/stable/user
-# github.com/hashicorp/go-azure-sdk/sdk v0.20250618.1093309
+# github.com/hashicorp/go-azure-sdk/sdk v0.20250731.1192335
 ## explicit; go 1.24.1
 github.com/hashicorp/go-azure-sdk/sdk/auth
 github.com/hashicorp/go-azure-sdk/sdk/claims
