azuread_conditional_access_policy is not idempotent when session control cloud_app_security_policy = "mcasConfigured" is set #1347

Closed
bubbletroubles opened this issue Apr 2, 2024 · 0 comments · Fixed by #1382

Comments

@bubbletroubles
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • Terraform v1.1.4
  • AzureAD Provider v2.47.0

Affected Resource(s)

  • azuread_conditional_access_policy

Terraform Configuration Files

resource "azuread_conditional_access_policy" "example" {
  display_name = "example policy"
  state        = "disabled"

  conditions {
    client_app_types = ["browser"]

    applications {
      included_applications = ["All"]
      excluded_applications = []
    }

    devices {
      filter {
        mode = "exclude"
        rule = "device.isCompliant -eq True -or device.trustType -eq \"ServerAD\""
      }
    }

    locations {
      included_locations = ["All"]
      excluded_locations = []
    }

    platforms {
      included_platforms = ["all"]
      excluded_platforms = []
    }

    users {
      included_users = ["All"]
      excluded_users = ["GuestsOrExternalUsers"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }

  session_controls {
    cloud_app_security_policy = "mcasConfigured"
  }
}

Debug Output

Panic Output

Expected Behavior

The Conditional Access policy should be created.
The next time Terraform applies, there should be no changes detected.

Actual Behavior

On each subsequent Terraform Plan, the following changes are detected:

 # azuread_conditional_access_policy.example will be updated in-place
  ~ resource "azuread_conditional_access_policy" "example policy" {
        id           = "<guid>"
        # (2 unchanged attributes hidden)



      ~ session_controls {
          + sign_in_frequency_authentication_type     = "primaryAndSecondaryAuthentication"
          + sign_in_frequency_interval                = "timeBased"
            # (4 unchanged attributes hidden)
        }
        # (2 unchanged blocks hidden)
    }

Steps to Reproduce

  1. Deploy a policy like the example above
  2. Ensure the session control cloud_app_security_policy = "mcasConfigured"
  3. Run Terraform Apply
  4. Run Terraform Plan - changes will be detected

Important Factoids

References

  • #0000
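
Added example, not part of the original issue or the provider's code: a check for the idempotency failure reported above, listing the attribute paths that a post-apply plan still wants to change on `azuread_conditional_access_policy` resources. It reads the JSON form of a plan (`terraform show -json <planfile>`); the sample plan is constructed from the diff in this issue, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output and
# modelled on the plan in this issue; "before" values are assumed to be null.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azuread_conditional_access_policy.example",
   "type": "azuread_conditional_access_policy",
   "change": {"actions": ["update"],
     "before": {"display_name": "example policy", "state": "disabled",
       "session_controls": [{"cloud_app_security_policy": "mcasConfigured",
         "sign_in_frequency_authentication_type": null,
         "sign_in_frequency_interval": null}]},
     "after": {"display_name": "example policy", "state": "disabled",
       "session_controls": [{"cloud_app_security_policy": "mcasConfigured",
         "sign_in_frequency_authentication_type": "primaryAndSecondaryAuthentication",
         "sign_in_frequency_interval": "timeBased"}]}}},
  {"address": "azuread_group.constructed", "type": "azuread_group",
   "change": {"actions": ["no-op"], "before": {}, "after": {}}}
]}
""")

def diff_paths(before, after, path=""):
    """Yield (path, before, after) for every leaf value that differs."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            child = f"{path}.{key}" if path else key
            yield from diff_paths(before.get(key), after.get(key), child)
    elif isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        for i, (b, a) in enumerate(zip(before, after)):
            yield from diff_paths(b, a, f"{path}[{i}]")
    elif before != after:
        yield path, before, after

def non_idempotent_changes(plan, resource_type="azuread_conditional_access_policy"):
    """Map resource address -> attribute paths a post-apply plan still changes."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != resource_type or change.get("actions") in (["no-op"], ["read"]):
            continue
        findings[rc["address"]] = [
            p for p, _, _ in diff_paths(change.get("before"), change.get("after"))]
    return findings

if __name__ == "__main__":
    for address, paths in non_idempotent_changes(SAMPLE_PLAN).items():
        print(address, "->", ", ".join(paths))
```

Run it on a plan generated immediately after a successful apply; any output at that point means the configuration and the stored state still disagree.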