Merge pull request #1597 from sdx-jkataja/insider-risk-levels

azuread_conditional_access_policy: Implement support for the `insider_risk_levels` parameter

docs/resources/conditional_access_policy.md

@@ -163,6 +163,7 @@ The following arguments are supported:
 * `client_app_types` - (Required) A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
 * `client_applications` - (Optional) An `client_applications` block as documented below, which specifies service principals included in and excluded from the policy.
 * `devices` - (Optional) A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
+* `insider_risk_levels` - (Optional) The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
 * `locations` - (Optional) A `locations` block as documented below, which specifies locations included in and excluded from the policy.
 * `platforms` - (Optional) A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
 * `service_principal_risk_levels` - (Optional) A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.

docs/resources/named_location.md

@@ -57,8 +57,8 @@ The following arguments are supported:
 `country` block supports the following:
 
 * `countries_and_regions` - (Required) List of countries and/or regions in two-letter format specified by ISO 3166-2. 
-* `include_unknown_countries_and_regions` - (Optional) Whether IP addresses that don't map to a country or region should be included in the named location. Defaults to `false`.
 * `country_lookup_method` - (Optional) Method of detecting country the user is located in. Possible values are `clientIpAddress` for IP-based location and `authenticatorAppGps` for Authenticator app GPS-based location.  Defaults to `clientIpAddress`.
+* `include_unknown_countries_and_regions` - (Optional) Whether IP addresses that don't map to a country or region should be included in the named location. Defaults to `false`.
 
 ---
 

internal/services/conditionalaccess/conditional_access_policy_resource.go

@@ -408,6 +408,13 @@ func conditionalAccessPolicyResource() *pluginsdk.Resource {
 								ValidateFunc: validation.StringInSlice(stable.PossibleValuesForRiskLevel(), false),
 							},
 						},
+
+						"insider_risk_levels": {
+							Type:         pluginsdk.TypeString,
+							Optional:     true,
+							Computed:     true,
+							ValidateFunc: validation.StringInSlice(stable.PossibleValuesForConditionalAccessInsiderRiskLevels(), false),
+						},
 					},
 				},
 			},

internal/services/conditionalaccess/conditional_access_policy_resource_test.go

@@ -350,6 +350,25 @@ func TestAccConditionalAccessPolicy_guestsOrExternalUsers(t *testing.T) {
 	})
 }
 
+func TestAccConditionalAccessPolicy_insiderRisk(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
+	r := ConditionalAccessPolicyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.insiderRisk(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("state").HasValue("disabled"),
+				check.That(data.ResourceName).Key("conditions.0.insider_risk_levels").HasValue("moderate"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (r ConditionalAccessPolicyResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := stable.ParseIdentityConditionalAccessPolicyID(state.ID)
 	if err != nil {
@@ -408,6 +427,7 @@ resource "azuread_conditional_access_policy" "test" {
     client_app_types    = ["all"]
     sign_in_risk_levels = ["medium"]
     user_risk_levels    = ["medium"]
+    insider_risk_levels = "elevated"
 
     applications {
       included_applications = ["All"]
@@ -899,3 +919,33 @@ resource "azuread_conditional_access_policy" "test" {
 }
 `, data.RandomInteger)
 }
+
+func (ConditionalAccessPolicyResource) insiderRisk(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types    = ["browser"]
+    insider_risk_levels = "moderate"
+
+    applications {
+      included_applications = ["None"]
+    }
+
+    users {
+      included_users = ["All"]
+      excluded_users = ["GuestsOrExternalUsers"]
+    }
+  }
+
+  grant_controls {
+    operator          = "OR"
+    built_in_controls = ["block"]
+  }
+}
+`, data.RandomInteger)
+}

internal/services/conditionalaccess/conditionalaccess.go

@@ -37,6 +37,11 @@ func flattenConditionalAccessConditionSet(in *stable.ConditionalAccessConditionS
 		userRiskLevels = append(userRiskLevels, string(v))
 	}
 
+	insiderRiskLevels := ""
+	if in.InsiderRiskLevels != nil {
+		insiderRiskLevels = string(pointer.From(in.InsiderRiskLevels))
+	}
+
 	return []interface{}{
 		map[string]interface{}{
 			"applications":                  flattenConditionalAccessApplications(in.Applications),
@@ -49,6 +54,7 @@ func flattenConditionalAccessConditionSet(in *stable.ConditionalAccessConditionS
 			"service_principal_risk_levels": servicePrincipalRiskLevels,
 			"sign_in_risk_levels":           signInRiskLevels,
 			"user_risk_levels":              userRiskLevels,
+			"insider_risk_levels":           insiderRiskLevels,
 		},
 	}
 }
@@ -367,6 +373,10 @@ func expandConditionalAccessConditionSet(in []interface{}) *stable.ConditionalAc
 		userRiskLevels = append(userRiskLevels, stable.RiskLevel(elem.(string)))
 	}
 
+	if insiderRiskLevel, ok := config["insider_risk_levels"]; ok && insiderRiskLevel.(string) != "" {
+		result.InsiderRiskLevels = pointer.To(stable.ConditionalAccessInsiderRiskLevels(insiderRiskLevel.(string)))
+	}
+
 	result.Applications = expandConditionalAccessApplications(applications)
 	result.ClientAppTypes = clientAppTypes
 	result.ClientApplications = expandConditionalAccessClientApplications(clientApplications)

internal/services/conditionalaccess/named_location_resource_test.go

@@ -251,13 +251,13 @@ func (NamedLocationResource) completeCountry(data acceptance.TestData) string {
 resource "azuread_named_location" "test" {
   display_name = "acctestNLC-%[1]d"
   country {
+    country_lookup_method = "clientIpAddress"
     countries_and_regions = [
       "GB",
       "US",
       "JP",
     ]
     include_unknown_countries_and_regions = true
-    country_lookup_method = "clientIpAddress"
   }
 }
 `, data.RandomInteger)
@@ -268,13 +268,13 @@ func (NamedLocationResource) completeCountryByGps(data acceptance.TestData) stri
 resource "azuread_named_location" "test" {
   display_name = "acctestNLC-%[1]d"
   country {
+    country_lookup_method = "authenticatorAppGps"
     countries_and_regions = [
       "GB",
       "US",
       "JP",
     ]
     include_unknown_countries_and_regions = true
-    country_lookup_method = "authenticatorAppGps"
   }
 }
 `, data.RandomInteger)