From b6263babe4957a75ce2037e00c06679f1b413ad5 Mon Sep 17 00:00:00 2001 From: Pulumi Bot <30351955+pulumi-bot@users.noreply.github.com> Date: Fri, 10 Jun 2022 06:38:16 -0500 Subject: [PATCH] Update terraform-provider-azuread to v2.23.0 (#279) --- .../cmd/pulumi-resource-azuread/schema.json | 40 ++++++++- provider/go.mod | 2 +- provider/go.sum | 4 +- provider/shim/go.mod | 2 +- provider/shim/go.sum | 4 +- sdk/dotnet/ClaimsMappingPolicy.cs | 2 +- sdk/dotnet/ConditionalAccessPolicy.cs | 33 ++----- sdk/dotnet/Config/Config.cs | 32 +++++++ sdk/dotnet/Provider.cs | 34 ++++++++ sdk/dotnet/go.mod | 3 + sdk/go/azuread/claimsMappingPolicy.go | 2 +- sdk/go/azuread/conditionalAccessPolicy.go | 26 ++---- sdk/go/azuread/config/config.go | 17 ++++ sdk/go/azuread/provider.go | 34 ++++++++ sdk/nodejs/claimsMappingPolicy.ts | 2 +- sdk/nodejs/conditionalAccessPolicy.ts | 18 ++-- sdk/nodejs/config/vars.ts | 35 ++++++++ sdk/nodejs/go.mod | 3 + sdk/nodejs/provider.ts | 27 ++++++ sdk/python/go.mod | 3 + .../pulumi_azuread/claims_mapping_policy.py | 4 +- .../conditional_access_policy.py | 36 +++----- sdk/python/pulumi_azuread/config/__init__.pyi | 17 ++++ sdk/python/pulumi_azuread/config/vars.py | 23 +++++ sdk/python/pulumi_azuread/provider.py | 86 ++++++++++++++++++- 25 files changed, 387 insertions(+), 102 deletions(-) create mode 100644 sdk/dotnet/go.mod create mode 100644 sdk/nodejs/go.mod create mode 100644 sdk/python/go.mod diff --git a/provider/cmd/pulumi-resource-azuread/schema.json b/provider/cmd/pulumi-resource-azuread/schema.json index 30cad3255..326bf9785 100644 --- a/provider/cmd/pulumi-resource-azuread/schema.json +++ b/provider/cmd/pulumi-resource-azuread/schema.json @@ -57,6 +57,14 @@ ] } }, + "oidcRequestToken": { + "type": "string", + "description": "The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID\nConnect.\n" + }, + "oidcRequestUrl": { + "type": "string", + "description": "The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal\nusing OpenID Connect.\n" + }, "partnerId": { "type": "string", "description": "A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution\n" @@ -78,6 +86,10 @@ "ARM_USE_MSI" ] } + }, + "useOidc": { + "type": "boolean", + "description": "Allow OpenID Connect to be used for authentication\n" } }, "defaults": [ @@ -2845,6 +2857,14 @@ "type": "string", "description": "The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically\n" }, + "oidcRequestToken": { + "type": "string", + "description": "The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID\nConnect.\n" + }, + "oidcRequestUrl": { + "type": "string", + "description": "The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal\nusing OpenID Connect.\n" + }, "partnerId": { "type": "string", "description": "A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution\n" @@ -2860,6 +2880,10 @@ "useMsi": { "type": "boolean", "description": "Allow Managed Identity to be used for Authentication\n" + }, + "useOidc": { + "type": "boolean", + "description": "Allow OpenID Connect to be used for authentication\n" } }, "inputProperties": { @@ -2906,6 +2930,14 @@ ] } }, + "oidcRequestToken": { + "type": "string", + "description": "The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID\nConnect.\n" + }, + "oidcRequestUrl": { + "type": "string", + "description": "The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal\nusing OpenID Connect.\n" + }, "partnerId": { "type": "string", "description": "A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution\n" @@ -2927,6 +2959,10 @@ "ARM_USE_MSI" ] } + }, + "useOidc": { + "type": "boolean", + "description": "Allow OpenID Connect to be used for authentication\n" } } }, @@ -4027,7 +4063,7 @@ } }, "azuread:index/claimsMappingPolicy:ClaimsMappingPolicy": { - "description": "Manages a Claims Mapping Policy within Azure Active Directory.\n\n## API Permissions\n\nThe following API permissions are required in order to use this resource.\n\nWhen authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` \n\nWhen authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator`\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst myPolicy = new azuread.ClaimsMappingPolicy(\"myPolicy\", {\n definitions: [JSON.stringify({\n ClaimsMappingPolicy: {\n ClaimsSchema: [\n {\n ID: \"employeeid\",\n JwtClaimType: \"name\",\n SamlClaimType: \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\n Source: \"user\",\n },\n {\n ID: \"tenantcountry\",\n JwtClaimType: \"country\",\n SamlClaimType: \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\",\n Source: \"company\",\n },\n ],\n IncludeBasicClaimSet: \"true\",\n Version: 1,\n },\n })],\n displayName: \"My Policy\",\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_azuread as azuread\n\nmy_policy = azuread.ClaimsMappingPolicy(\"myPolicy\",\n definitions=[json.dumps({\n \"ClaimsMappingPolicy\": {\n \"ClaimsSchema\": [\n {\n \"ID\": \"employeeid\",\n \"JwtClaimType\": \"name\",\n \"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\n \"Source\": \"user\",\n },\n {\n \"ID\": \"tenantcountry\",\n \"JwtClaimType\": \"country\",\n \"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\",\n \"Source\": \"company\",\n },\n ],\n \"IncludeBasicClaimSet\": \"true\",\n \"Version\": 1,\n },\n })],\n display_name=\"My Policy\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Text.Json;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nclass MyStack : Stack\n{\n public MyStack()\n {\n var myPolicy = new AzureAD.ClaimsMappingPolicy(\"myPolicy\", new AzureAD.ClaimsMappingPolicyArgs\n {\n Definitions = \n {\n JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n { \"ClaimsMappingPolicy\", new Dictionary\u003cstring, object?\u003e\n {\n { \"ClaimsSchema\", new[]\n {\n new Dictionary\u003cstring, object?\u003e\n {\n { \"ID\", \"employeeid\" },\n { \"JwtClaimType\", \"name\" },\n { \"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" },\n { \"Source\", \"user\" },\n },\n new Dictionary\u003cstring, object?\u003e\n {\n { \"ID\", \"tenantcountry\" },\n { \"JwtClaimType\", \"country\" },\n { \"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\" },\n { \"Source\", \"company\" },\n },\n }\n },\n { \"IncludeBasicClaimSet\", \"true\" },\n { \"Version\", 1 },\n } },\n }),\n },\n DisplayName = \"My Policy\",\n });\n }\n\n}\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"ClaimsMappingPolicy\": map[string]interface{}{\n\t\t\t\t\"ClaimsSchema\": []map[string]interface{}{\n\t\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\t\"ID\": \"employeeid\",\n\t\t\t\t\t\t\"JwtClaimType\": \"name\",\n\t\t\t\t\t\t\"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\n\t\t\t\t\t\t\"Source\": \"user\",\n\t\t\t\t\t},\n\t\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\t\"ID\": \"tenantcountry\",\n\t\t\t\t\t\t\"JwtClaimType\": \"country\",\n\t\t\t\t\t\t\"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\",\n\t\t\t\t\t\t\"Source\": \"company\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t\"IncludeBasicClaimSet\": \"true\",\n\t\t\t\t\"Version\": 1,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err := azuread.NewClaimsMappingPolicy(ctx, \"myPolicy\", \u0026azuread.ClaimsMappingPolicyArgs{\n\t\t\tDefinitions: pulumi.StringArray{\n\t\t\t\tpulumi.String(json0),\n\t\t\t},\n\t\t\tDisplayName: pulumi.String(\"My Policy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport java.util.*;\nimport java.io.*;\nimport java.nio.*;\nimport com.pulumi.*;\nimport static com.pulumi.codegen.internal.Serialization.*;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var myPolicy = new ClaimsMappingPolicy(\"myPolicy\", ClaimsMappingPolicyArgs.builder() \n .definitions(serializeJson(\n jsonObject(\n jsonProperty(\"ClaimsMappingPolicy\", jsonObject(\n jsonProperty(\"ClaimsSchema\", jsonArray(\n jsonObject(\n jsonProperty(\"ID\", \"employeeid\"),\n jsonProperty(\"JwtClaimType\", \"name\"),\n jsonProperty(\"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"),\n jsonProperty(\"Source\", \"user\")\n ), \n jsonObject(\n jsonProperty(\"ID\", \"tenantcountry\"),\n jsonProperty(\"JwtClaimType\", \"country\"),\n jsonProperty(\"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\"),\n jsonProperty(\"Source\", \"company\")\n )\n )),\n jsonProperty(\"IncludeBasicClaimSet\", \"true\"),\n jsonProperty(\"Version\", 1)\n ))\n )))\n .displayName(\"My Policy\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n myPolicy:\n type: azuread:ClaimsMappingPolicy\n properties:\n definitions:\n - Fn::ToJSON:\n ClaimsMappingPolicy:\n ClaimsSchema:\n - ID: employeeid\n JwtClaimType: name\n SamlClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\n Source: user\n - ID: tenantcountry\n JwtClaimType: country\n SamlClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\n Source: company\n IncludeBasicClaimSet: true\n Version: 1\n displayName: My Policy\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nClaims Mapping Policy can be imported using the `id`, e.g.\n\n```sh\n $ pulumi import azuread:index/claimsMappingPolicy:ClaimsMappingPolicy my_policy 00000000-0000-0000-0000-000000000000\n```\n\n ", + "description": "Manages a Claims Mapping Policy within Azure Active Directory.\n\n## API Permissions\n\nThe following API permissions are required in order to use this resource.\n\nWhen authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` and `Policy.Read.All`\n\nWhen authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator`\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst myPolicy = new azuread.ClaimsMappingPolicy(\"myPolicy\", {\n definitions: [JSON.stringify({\n ClaimsMappingPolicy: {\n ClaimsSchema: [\n {\n ID: \"employeeid\",\n JwtClaimType: \"name\",\n SamlClaimType: \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\n Source: \"user\",\n },\n {\n ID: \"tenantcountry\",\n JwtClaimType: \"country\",\n SamlClaimType: \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\",\n Source: \"company\",\n },\n ],\n IncludeBasicClaimSet: \"true\",\n Version: 1,\n },\n })],\n displayName: \"My Policy\",\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_azuread as azuread\n\nmy_policy = azuread.ClaimsMappingPolicy(\"myPolicy\",\n definitions=[json.dumps({\n \"ClaimsMappingPolicy\": {\n \"ClaimsSchema\": [\n {\n \"ID\": \"employeeid\",\n \"JwtClaimType\": \"name\",\n \"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\n \"Source\": \"user\",\n },\n {\n \"ID\": \"tenantcountry\",\n \"JwtClaimType\": \"country\",\n \"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\",\n \"Source\": \"company\",\n },\n ],\n \"IncludeBasicClaimSet\": \"true\",\n \"Version\": 1,\n },\n })],\n display_name=\"My Policy\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Text.Json;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nclass MyStack : Stack\n{\n public MyStack()\n {\n var myPolicy = new AzureAD.ClaimsMappingPolicy(\"myPolicy\", new AzureAD.ClaimsMappingPolicyArgs\n {\n Definitions = \n {\n JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n { \"ClaimsMappingPolicy\", new Dictionary\u003cstring, object?\u003e\n {\n { \"ClaimsSchema\", new[]\n {\n new Dictionary\u003cstring, object?\u003e\n {\n { \"ID\", \"employeeid\" },\n { \"JwtClaimType\", \"name\" },\n { \"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" },\n { \"Source\", \"user\" },\n },\n new Dictionary\u003cstring, object?\u003e\n {\n { \"ID\", \"tenantcountry\" },\n { \"JwtClaimType\", \"country\" },\n { \"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\" },\n { \"Source\", \"company\" },\n },\n }\n },\n { \"IncludeBasicClaimSet\", \"true\" },\n { \"Version\", 1 },\n } },\n }),\n },\n DisplayName = \"My Policy\",\n });\n }\n\n}\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"ClaimsMappingPolicy\": map[string]interface{}{\n\t\t\t\t\"ClaimsSchema\": []map[string]interface{}{\n\t\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\t\"ID\": \"employeeid\",\n\t\t\t\t\t\t\"JwtClaimType\": \"name\",\n\t\t\t\t\t\t\"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\",\n\t\t\t\t\t\t\"Source\": \"user\",\n\t\t\t\t\t},\n\t\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\t\"ID\": \"tenantcountry\",\n\t\t\t\t\t\t\"JwtClaimType\": \"country\",\n\t\t\t\t\t\t\"SamlClaimType\": \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\",\n\t\t\t\t\t\t\"Source\": \"company\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t\"IncludeBasicClaimSet\": \"true\",\n\t\t\t\t\"Version\": 1,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err := azuread.NewClaimsMappingPolicy(ctx, \"myPolicy\", \u0026azuread.ClaimsMappingPolicyArgs{\n\t\t\tDefinitions: pulumi.StringArray{\n\t\t\t\tpulumi.String(json0),\n\t\t\t},\n\t\t\tDisplayName: pulumi.String(\"My Policy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport java.util.*;\nimport java.io.*;\nimport java.nio.*;\nimport com.pulumi.*;\nimport static com.pulumi.codegen.internal.Serialization.*;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var myPolicy = new ClaimsMappingPolicy(\"myPolicy\", ClaimsMappingPolicyArgs.builder() \n .definitions(serializeJson(\n jsonObject(\n jsonProperty(\"ClaimsMappingPolicy\", jsonObject(\n jsonProperty(\"ClaimsSchema\", jsonArray(\n jsonObject(\n jsonProperty(\"ID\", \"employeeid\"),\n jsonProperty(\"JwtClaimType\", \"name\"),\n jsonProperty(\"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"),\n jsonProperty(\"Source\", \"user\")\n ), \n jsonObject(\n jsonProperty(\"ID\", \"tenantcountry\"),\n jsonProperty(\"JwtClaimType\", \"country\"),\n jsonProperty(\"SamlClaimType\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\"),\n jsonProperty(\"Source\", \"company\")\n )\n )),\n jsonProperty(\"IncludeBasicClaimSet\", \"true\"),\n jsonProperty(\"Version\", 1)\n ))\n )))\n .displayName(\"My Policy\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n myPolicy:\n type: azuread:ClaimsMappingPolicy\n properties:\n definitions:\n - Fn::ToJSON:\n ClaimsMappingPolicy:\n ClaimsSchema:\n - ID: employeeid\n JwtClaimType: name\n SamlClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\n Source: user\n - ID: tenantcountry\n JwtClaimType: country\n SamlClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country\n Source: company\n IncludeBasicClaimSet: true\n Version: 1\n displayName: My Policy\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nClaims Mapping Policy can be imported using the `id`, e.g.\n\n```sh\n $ pulumi import azuread:index/claimsMappingPolicy:ClaimsMappingPolicy my_policy 00000000-0000-0000-0000-000000000000\n```\n\n ", "properties": { "definitions": { "type": "array", @@ -4081,7 +4117,7 @@ } }, "azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy": { - "description": "Manages a Conditional Access Policy within Azure Active Directory.\n\n## API Permissions\n\nThe following API permissions are required in order to use this resource.\n\nWhen authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`\n\nWhen authenticated with a user principal, this resource requires one of the following directory roles: `Conditional Access Administrator` or `Global Administrator`\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst example = new azuread.ConditionalAccessPolicy(\"example\", {\n conditions: {\n applications: {\n excludedApplications: [\"00000004-0000-0ff1-ce00-000000000000\"],\n includedApplications: [\"All\"],\n },\n clientAppTypes: [\"all\"],\n devices: {\n filter: {\n mode: \"exclude\",\n rule: \"device.operatingSystem eq \\\"Doors\\\"\",\n },\n },\n locations: {\n excludedLocations: [\"AllTrusted\"],\n includedLocations: [\"All\"],\n },\n platforms: {\n excludedPlatforms: [\"iOS\"],\n includedPlatforms: [\"android\"],\n },\n signInRiskLevels: [\"medium\"],\n userRiskLevels: [\"medium\"],\n users: {\n excludedUsers: [\"GuestsOrExternalUsers\"],\n includedUsers: [\"All\"],\n },\n },\n displayName: \"example policy\",\n grantControls: {\n builtInControls: [\"mfa\"],\n operator: \"OR\",\n },\n sessionControls: {\n applicationEnforcedRestrictions: [{\n enabled: true,\n }],\n cloudAppSecurity: [{\n cloudAppSecurityType: \"monitorOnly\",\n enabled: true,\n }],\n signInFrequency: [{\n enabled: true,\n type: \"hours\",\n value: 10,\n }],\n },\n state: \"disabled\",\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample = azuread.ConditionalAccessPolicy(\"example\",\n conditions=azuread.ConditionalAccessPolicyConditionsArgs(\n applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(\n excluded_applications=[\"00000004-0000-0ff1-ce00-000000000000\"],\n included_applications=[\"All\"],\n ),\n client_app_types=[\"all\"],\n devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(\n filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(\n mode=\"exclude\",\n rule=\"device.operatingSystem eq \\\"Doors\\\"\",\n ),\n ),\n locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(\n excluded_locations=[\"AllTrusted\"],\n included_locations=[\"All\"],\n ),\n platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(\n excluded_platforms=[\"iOS\"],\n included_platforms=[\"android\"],\n ),\n sign_in_risk_levels=[\"medium\"],\n user_risk_levels=[\"medium\"],\n users=azuread.ConditionalAccessPolicyConditionsUsersArgs(\n excluded_users=[\"GuestsOrExternalUsers\"],\n included_users=[\"All\"],\n ),\n ),\n display_name=\"example policy\",\n grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(\n built_in_controls=[\"mfa\"],\n operator=\"OR\",\n ),\n session_controls=azuread.ConditionalAccessPolicySessionControlsArgs(\n application_enforced_restrictions=[{\n \"enabled\": True,\n }],\n cloud_app_security=[{\n \"cloudAppSecurityType\": \"monitorOnly\",\n \"enabled\": True,\n }],\n sign_in_frequency=[{\n \"enabled\": True,\n \"type\": \"hours\",\n \"value\": 10,\n }],\n ),\n state=\"disabled\")\n```\n```csharp\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nclass MyStack : Stack\n{\n public MyStack()\n {\n var example = new AzureAD.ConditionalAccessPolicy(\"example\", new AzureAD.ConditionalAccessPolicyArgs\n {\n Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs\n {\n Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs\n {\n ExcludedApplications = \n {\n \"00000004-0000-0ff1-ce00-000000000000\",\n },\n IncludedApplications = \n {\n \"All\",\n },\n },\n ClientAppTypes = \n {\n \"all\",\n },\n Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs\n {\n Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs\n {\n Mode = \"exclude\",\n Rule = \"device.operatingSystem eq \\\"Doors\\\"\",\n },\n },\n Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs\n {\n ExcludedLocations = \n {\n \"AllTrusted\",\n },\n IncludedLocations = \n {\n \"All\",\n },\n },\n Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs\n {\n ExcludedPlatforms = \n {\n \"iOS\",\n },\n IncludedPlatforms = \n {\n \"android\",\n },\n },\n SignInRiskLevels = \n {\n \"medium\",\n },\n UserRiskLevels = \n {\n \"medium\",\n },\n Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs\n {\n ExcludedUsers = \n {\n \"GuestsOrExternalUsers\",\n },\n IncludedUsers = \n {\n \"All\",\n },\n },\n },\n DisplayName = \"example policy\",\n GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs\n {\n BuiltInControls = \n {\n \"mfa\",\n },\n Operator = \"OR\",\n },\n SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs\n {\n ApplicationEnforcedRestrictions = \n {\n \n {\n { \"enabled\", true },\n },\n },\n CloudAppSecurity = \n {\n \n {\n { \"cloudAppSecurityType\", \"monitorOnly\" },\n { \"enabled\", true },\n },\n },\n SignInFrequency = \n {\n \n {\n { \"enabled\", true },\n { \"type\", \"hours\" },\n { \"value\", 10 },\n },\n },\n },\n State = \"disabled\",\n });\n }\n\n}\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := azuread.NewConditionalAccessPolicy(ctx, \"example\", \u0026azuread.ConditionalAccessPolicyArgs{\n\t\t\tConditions: \u0026ConditionalAccessPolicyConditionsArgs{\n\t\t\t\tApplications: \u0026ConditionalAccessPolicyConditionsApplicationsArgs{\n\t\t\t\t\tExcludedApplications: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"00000004-0000-0ff1-ce00-000000000000\"),\n\t\t\t\t\t},\n\t\t\t\t\tIncludedApplications: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"All\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tClientAppTypes: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"all\"),\n\t\t\t\t},\n\t\t\t\tDevices: \u0026ConditionalAccessPolicyConditionsDevicesArgs{\n\t\t\t\t\tFilter: \u0026ConditionalAccessPolicyConditionsDevicesFilterArgs{\n\t\t\t\t\t\tMode: pulumi.String(\"exclude\"),\n\t\t\t\t\t\tRule: pulumi.String(\"device.operatingSystem eq \\\"Doors\\\"\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tLocations: \u0026ConditionalAccessPolicyConditionsLocationsArgs{\n\t\t\t\t\tExcludedLocations: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"AllTrusted\"),\n\t\t\t\t\t},\n\t\t\t\t\tIncludedLocations: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"All\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPlatforms: \u0026ConditionalAccessPolicyConditionsPlatformsArgs{\n\t\t\t\t\tExcludedPlatforms: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"iOS\"),\n\t\t\t\t\t},\n\t\t\t\t\tIncludedPlatforms: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"android\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tSignInRiskLevels: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"medium\"),\n\t\t\t\t},\n\t\t\t\tUserRiskLevels: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"medium\"),\n\t\t\t\t},\n\t\t\t\tUsers: \u0026ConditionalAccessPolicyConditionsUsersArgs{\n\t\t\t\t\tExcludedUsers: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"GuestsOrExternalUsers\"),\n\t\t\t\t\t},\n\t\t\t\t\tIncludedUsers: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"All\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tDisplayName: pulumi.String(\"example policy\"),\n\t\t\tGrantControls: \u0026ConditionalAccessPolicyGrantControlsArgs{\n\t\t\t\tBuiltInControls: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"mfa\"),\n\t\t\t\t},\n\t\t\t\tOperator: pulumi.String(\"OR\"),\n\t\t\t},\n\t\t\tSessionControls: \u0026ConditionalAccessPolicySessionControlsArgs{\n\t\t\t\tApplicationEnforcedRestrictions: []map[string]interface{}{\n\t\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\t\"enabled\": true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tCloudAppSecurity: []map[string]interface{}{\n\t\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\t\"cloudAppSecurityType\": \"monitorOnly\",\n\t\t\t\t\t\t\"enabled\": true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tSignInFrequency: pulumi.Int{\n\t\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\t\"enabled\": true,\n\t\t\t\t\t\t\"type\": \"hours\",\n\t\t\t\t\t\t\"value\": 10,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tState: pulumi.String(\"disabled\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport java.util.*;\nimport java.io.*;\nimport java.nio.*;\nimport com.pulumi.*;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new ConditionalAccessPolicy(\"example\", ConditionalAccessPolicyArgs.builder() \n .conditions(ConditionalAccessPolicyConditions.builder()\n .applications(ConditionalAccessPolicyConditionsApplications.builder()\n .excludedApplications(\"00000004-0000-0ff1-ce00-000000000000\")\n .includedApplications(\"All\")\n .build())\n .clientAppTypes(\"all\")\n .devices(ConditionalAccessPolicyConditionsDevices.builder()\n .filter(ConditionalAccessPolicyConditionsDevicesFilter.builder()\n .mode(\"exclude\")\n .rule(\"device.operatingSystem eq \\\"Doors\\\"\")\n .build())\n .build())\n .locations(ConditionalAccessPolicyConditionsLocations.builder()\n .excludedLocations(\"AllTrusted\")\n .includedLocations(\"All\")\n .build())\n .platforms(ConditionalAccessPolicyConditionsPlatforms.builder()\n .excludedPlatforms(\"iOS\")\n .includedPlatforms(\"android\")\n .build())\n .signInRiskLevels(\"medium\")\n .userRiskLevels(\"medium\")\n .users(ConditionalAccessPolicyConditionsUsers.builder()\n .excludedUsers(\"GuestsOrExternalUsers\")\n .includedUsers(\"All\")\n .build())\n .build())\n .displayName(\"example policy\")\n .grantControls(ConditionalAccessPolicyGrantControls.builder()\n .builtInControls(\"mfa\")\n .operator(\"OR\")\n .build())\n .sessionControls(ConditionalAccessPolicySessionControls.builder()\n .applicationEnforcedRestrictions(Map.of(\"enabled\", true))\n .cloudAppSecurity(Map.ofEntries(\n Map.entry(\"cloudAppSecurityType\", \"monitorOnly\"),\n Map.entry(\"enabled\", true)\n ))\n .signInFrequency(Map.ofEntries(\n Map.entry(\"enabled\", true),\n Map.entry(\"type\", \"hours\"),\n Map.entry(\"value\", 10)\n ))\n .build())\n .state(\"disabled\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: azuread:ConditionalAccessPolicy\n properties:\n conditions:\n applications:\n excludedApplications:\n - 00000004-0000-0ff1-ce00-000000000000\n includedApplications:\n - All\n clientAppTypes:\n - all\n devices:\n filter:\n mode: exclude\n rule: device.operatingSystem eq \"Doors\"\n locations:\n excludedLocations:\n - AllTrusted\n includedLocations:\n - All\n platforms:\n excludedPlatforms:\n - iOS\n includedPlatforms:\n - android\n signInRiskLevels:\n - medium\n userRiskLevels:\n - medium\n users:\n excludedUsers:\n - GuestsOrExternalUsers\n includedUsers:\n - All\n displayName: example policy\n grantControls:\n builtInControls:\n - mfa\n operator: OR\n sessionControls:\n applicationEnforcedRestrictions:\n - enabled: true\n cloudAppSecurity:\n - cloudAppSecurityType: monitorOnly\n enabled: true\n signInFrequency:\n - enabled: true\n type: hours\n value: 10\n state: disabled\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nConditional Access Policies can be imported using the `id`, e.g.\n\n```sh\n $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000\n```\n\n ", + "description": "Manages a Conditional Access Policy within Azure Active Directory.\n\n## API Permissions\n\nThe following API permissions are required in order to use this resource.\n\nWhen authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`\n\nWhen authenticated with a user principal, this resource requires one of the following directory roles: `Conditional Access Administrator` or `Global Administrator`\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst example = new azuread.ConditionalAccessPolicy(\"example\", {\n conditions: {\n applications: {\n excludedApplications: [],\n includedApplications: [\"All\"],\n },\n clientAppTypes: [\"all\"],\n devices: {\n filter: {\n mode: \"exclude\",\n rule: \"device.operatingSystem eq \\\"Doors\\\"\",\n },\n },\n locations: {\n excludedLocations: [\"AllTrusted\"],\n includedLocations: [\"All\"],\n },\n platforms: {\n excludedPlatforms: [\"iOS\"],\n includedPlatforms: [\"android\"],\n },\n signInRiskLevels: [\"medium\"],\n userRiskLevels: [\"medium\"],\n users: {\n excludedUsers: [\"GuestsOrExternalUsers\"],\n includedUsers: [\"All\"],\n },\n },\n displayName: \"example policy\",\n grantControls: {\n builtInControls: [\"mfa\"],\n operator: \"OR\",\n },\n sessionControls: {\n applicationEnforcedRestrictionsEnabled: true,\n cloudAppSecurityPolicy: \"monitorOnly\",\n signInFrequency: 10,\n signInFrequencyPeriod: \"hours\",\n },\n state: \"disabled\",\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample = azuread.ConditionalAccessPolicy(\"example\",\n conditions=azuread.ConditionalAccessPolicyConditionsArgs(\n applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(\n excluded_applications=[],\n included_applications=[\"All\"],\n ),\n client_app_types=[\"all\"],\n devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(\n filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(\n mode=\"exclude\",\n rule=\"device.operatingSystem eq \\\"Doors\\\"\",\n ),\n ),\n locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(\n excluded_locations=[\"AllTrusted\"],\n included_locations=[\"All\"],\n ),\n platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(\n excluded_platforms=[\"iOS\"],\n included_platforms=[\"android\"],\n ),\n sign_in_risk_levels=[\"medium\"],\n user_risk_levels=[\"medium\"],\n users=azuread.ConditionalAccessPolicyConditionsUsersArgs(\n excluded_users=[\"GuestsOrExternalUsers\"],\n included_users=[\"All\"],\n ),\n ),\n display_name=\"example policy\",\n grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(\n built_in_controls=[\"mfa\"],\n operator=\"OR\",\n ),\n session_controls=azuread.ConditionalAccessPolicySessionControlsArgs(\n application_enforced_restrictions_enabled=True,\n cloud_app_security_policy=\"monitorOnly\",\n sign_in_frequency=10,\n sign_in_frequency_period=\"hours\",\n ),\n state=\"disabled\")\n```\n```csharp\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nclass MyStack : Stack\n{\n public MyStack()\n {\n var example = new AzureAD.ConditionalAccessPolicy(\"example\", new AzureAD.ConditionalAccessPolicyArgs\n {\n Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs\n {\n Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs\n {\n ExcludedApplications = {},\n IncludedApplications = \n {\n \"All\",\n },\n },\n ClientAppTypes = \n {\n \"all\",\n },\n Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs\n {\n Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs\n {\n Mode = \"exclude\",\n Rule = \"device.operatingSystem eq \\\"Doors\\\"\",\n },\n },\n Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs\n {\n ExcludedLocations = \n {\n \"AllTrusted\",\n },\n IncludedLocations = \n {\n \"All\",\n },\n },\n Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs\n {\n ExcludedPlatforms = \n {\n \"iOS\",\n },\n IncludedPlatforms = \n {\n \"android\",\n },\n },\n SignInRiskLevels = \n {\n \"medium\",\n },\n UserRiskLevels = \n {\n \"medium\",\n },\n Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs\n {\n ExcludedUsers = \n {\n \"GuestsOrExternalUsers\",\n },\n IncludedUsers = \n {\n \"All\",\n },\n },\n },\n DisplayName = \"example policy\",\n GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs\n {\n BuiltInControls = \n {\n \"mfa\",\n },\n Operator = \"OR\",\n },\n SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs\n {\n ApplicationEnforcedRestrictionsEnabled = true,\n CloudAppSecurityPolicy = \"monitorOnly\",\n SignInFrequency = 10,\n SignInFrequencyPeriod = \"hours\",\n },\n State = \"disabled\",\n });\n }\n\n}\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := azuread.NewConditionalAccessPolicy(ctx, \"example\", \u0026azuread.ConditionalAccessPolicyArgs{\n\t\t\tConditions: \u0026ConditionalAccessPolicyConditionsArgs{\n\t\t\t\tApplications: \u0026ConditionalAccessPolicyConditionsApplicationsArgs{\n\t\t\t\t\tExcludedApplications: pulumi.StringArray{},\n\t\t\t\t\tIncludedApplications: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"All\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tClientAppTypes: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"all\"),\n\t\t\t\t},\n\t\t\t\tDevices: \u0026ConditionalAccessPolicyConditionsDevicesArgs{\n\t\t\t\t\tFilter: \u0026ConditionalAccessPolicyConditionsDevicesFilterArgs{\n\t\t\t\t\t\tMode: pulumi.String(\"exclude\"),\n\t\t\t\t\t\tRule: pulumi.String(\"device.operatingSystem eq \\\"Doors\\\"\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tLocations: \u0026ConditionalAccessPolicyConditionsLocationsArgs{\n\t\t\t\t\tExcludedLocations: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"AllTrusted\"),\n\t\t\t\t\t},\n\t\t\t\t\tIncludedLocations: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"All\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPlatforms: \u0026ConditionalAccessPolicyConditionsPlatformsArgs{\n\t\t\t\t\tExcludedPlatforms: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"iOS\"),\n\t\t\t\t\t},\n\t\t\t\t\tIncludedPlatforms: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"android\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tSignInRiskLevels: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"medium\"),\n\t\t\t\t},\n\t\t\t\tUserRiskLevels: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"medium\"),\n\t\t\t\t},\n\t\t\t\tUsers: \u0026ConditionalAccessPolicyConditionsUsersArgs{\n\t\t\t\t\tExcludedUsers: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"GuestsOrExternalUsers\"),\n\t\t\t\t\t},\n\t\t\t\t\tIncludedUsers: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"All\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tDisplayName: pulumi.String(\"example policy\"),\n\t\t\tGrantControls: \u0026ConditionalAccessPolicyGrantControlsArgs{\n\t\t\t\tBuiltInControls: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"mfa\"),\n\t\t\t\t},\n\t\t\t\tOperator: pulumi.String(\"OR\"),\n\t\t\t},\n\t\t\tSessionControls: \u0026ConditionalAccessPolicySessionControlsArgs{\n\t\t\t\tApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),\n\t\t\t\tCloudAppSecurityPolicy: pulumi.String(\"monitorOnly\"),\n\t\t\t\tSignInFrequency: pulumi.Int(10),\n\t\t\t\tSignInFrequencyPeriod: pulumi.String(\"hours\"),\n\t\t\t},\n\t\t\tState: pulumi.String(\"disabled\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport java.util.*;\nimport java.io.*;\nimport java.nio.*;\nimport com.pulumi.*;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new ConditionalAccessPolicy(\"example\", ConditionalAccessPolicyArgs.builder() \n .conditions(ConditionalAccessPolicyConditions.builder()\n .applications(ConditionalAccessPolicyConditionsApplications.builder()\n .excludedApplications()\n .includedApplications(\"All\")\n .build())\n .clientAppTypes(\"all\")\n .devices(ConditionalAccessPolicyConditionsDevices.builder()\n .filter(ConditionalAccessPolicyConditionsDevicesFilter.builder()\n .mode(\"exclude\")\n .rule(\"device.operatingSystem eq \\\"Doors\\\"\")\n .build())\n .build())\n .locations(ConditionalAccessPolicyConditionsLocations.builder()\n .excludedLocations(\"AllTrusted\")\n .includedLocations(\"All\")\n .build())\n .platforms(ConditionalAccessPolicyConditionsPlatforms.builder()\n .excludedPlatforms(\"iOS\")\n .includedPlatforms(\"android\")\n .build())\n .signInRiskLevels(\"medium\")\n .userRiskLevels(\"medium\")\n .users(ConditionalAccessPolicyConditionsUsers.builder()\n .excludedUsers(\"GuestsOrExternalUsers\")\n .includedUsers(\"All\")\n .build())\n .build())\n .displayName(\"example policy\")\n .grantControls(ConditionalAccessPolicyGrantControls.builder()\n .builtInControls(\"mfa\")\n .operator(\"OR\")\n .build())\n .sessionControls(ConditionalAccessPolicySessionControls.builder()\n .applicationEnforcedRestrictionsEnabled(true)\n .cloudAppSecurityPolicy(\"monitorOnly\")\n .signInFrequency(10)\n .signInFrequencyPeriod(\"hours\")\n .build())\n .state(\"disabled\")\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: azuread:ConditionalAccessPolicy\n properties:\n conditions:\n applications:\n excludedApplications: []\n includedApplications:\n - All\n clientAppTypes:\n - all\n devices:\n filter:\n mode: exclude\n rule: device.operatingSystem eq \"Doors\"\n locations:\n excludedLocations:\n - AllTrusted\n includedLocations:\n - All\n platforms:\n excludedPlatforms:\n - iOS\n includedPlatforms:\n - android\n signInRiskLevels:\n - medium\n userRiskLevels:\n - medium\n users:\n excludedUsers:\n - GuestsOrExternalUsers\n includedUsers:\n - All\n displayName: example policy\n grantControls:\n builtInControls:\n - mfa\n operator: OR\n sessionControls:\n applicationEnforcedRestrictionsEnabled: true\n cloudAppSecurityPolicy: monitorOnly\n signInFrequency: 10\n signInFrequencyPeriod: hours\n state: disabled\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nConditional Access Policies can be imported using the `id`, e.g.\n\n```sh\n $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000\n```\n\n ", "properties": { "conditions": { "$ref": "#/types/azuread:index/ConditionalAccessPolicyConditions:ConditionalAccessPolicyConditions", diff --git a/provider/go.mod b/provider/go.mod index 2e96f3025..c2f2599c5 100644 --- a/provider/go.mod +++ b/provider/go.mod @@ -94,7 +94,7 @@ require ( github.com/hashicorp/terraform-plugin-log v0.4.0 // indirect github.com/hashicorp/terraform-plugin-sdk v1.7.0 // indirect github.com/hashicorp/terraform-plugin-sdk/v2 v2.13.0 // indirect - github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220428202731-e2c57af04dd1 // indirect + github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220610072126-28b840bedd5c // indirect github.com/hashicorp/terraform-registry-address v0.0.0-20220131103327-5c1c5e123275 // indirect github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734 // indirect github.com/hashicorp/vault/api v1.1.0 // indirect diff --git a/provider/go.sum b/provider/go.sum index 214956d9d..7385a08ff 100644 --- a/provider/go.sum +++ b/provider/go.sum @@ -553,8 +553,8 @@ github.com/hashicorp/terraform-plugin-sdk v1.7.0 h1:B//oq0ZORG+EkVrIJy0uPGSonvmX github.com/hashicorp/terraform-plugin-sdk v1.7.0/go.mod h1:OjgQmey5VxnPej/buEhe+YqKm0KNvV3QqU4hkqHqPCY= github.com/hashicorp/terraform-plugin-test v1.2.0 h1:AWFdqyfnOj04sxTdaAF57QqvW7XXrT8PseUHkbKsE8I= github.com/hashicorp/terraform-plugin-test v1.2.0/go.mod h1:QIJHYz8j+xJtdtLrFTlzQVC0ocr3rf/OjIpgZLK56Hs= -github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220428202731-e2c57af04dd1 h1:I0iWKGSLM3vYZpvFjNAPWQKoRySENSXA2UHIS+eAeQo= -github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220428202731-e2c57af04dd1/go.mod h1:Hd7l5g0G9OMjk3/gtJXfwYipPcTEdsxZk/awH3d5fNk= +github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220610072126-28b840bedd5c h1:N6WMlFOet0EX3yPvjLrkPdvwvYVvkMbAZFcvsWWfaY0= +github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220610072126-28b840bedd5c/go.mod h1:Hd7l5g0G9OMjk3/gtJXfwYipPcTEdsxZk/awH3d5fNk= github.com/hashicorp/terraform-registry-address v0.0.0-20210412075316-9b2996cce896/go.mod h1:bzBPnUIkI0RxauU8Dqo+2KrZZ28Cf48s8V6IHt3p4co= github.com/hashicorp/terraform-registry-address v0.0.0-20220131103327-5c1c5e123275 h1:x/8cnK295F9NK18FXxsJxU1bz2PusWH52DDDsuao+88= github.com/hashicorp/terraform-registry-address v0.0.0-20220131103327-5c1c5e123275/go.mod h1:bdLC+qQlJIBHKbCMA6GipcuaKjmjcvZlnVdpU583z3Y= diff --git a/provider/shim/go.mod b/provider/shim/go.mod index cea14693c..a838f42ea 100644 --- a/provider/shim/go.mod +++ b/provider/shim/go.mod @@ -4,7 +4,7 @@ go 1.15 require ( github.com/hashicorp/terraform-plugin-sdk/v2 v2.13.0 - github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220428202731-e2c57af04dd1 + github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220610072126-28b840bedd5c ) replace github.com/hashicorp/terraform-plugin-sdk/v2 => github.com/pulumi/terraform-plugin-sdk/v2 v2.0.0-20211230170131-3a7c83bfab87 diff --git a/provider/shim/go.sum b/provider/shim/go.sum index c54782850..892575e07 100644 --- a/provider/shim/go.sum +++ b/provider/shim/go.sum @@ -229,8 +229,8 @@ github.com/hashicorp/terraform-plugin-go v0.8.0/go.mod h1:E3GuvfX0Pz2Azcl6BegD6t github.com/hashicorp/terraform-plugin-log v0.2.0/go.mod h1:E1kJmapEHzqu1x6M++gjvhzM2yMQNXPVWZRCB8sgYjg= github.com/hashicorp/terraform-plugin-log v0.3.0 h1:NPENNOjaJSVX0f7JJTl4f/2JKRPQ7S2ZN9B4NSqq5kA= github.com/hashicorp/terraform-plugin-log v0.3.0/go.mod h1:EjueSP/HjlyFAsDqt+okpCPjkT4NDynAe32AeDC4vps= -github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220428202731-e2c57af04dd1 h1:I0iWKGSLM3vYZpvFjNAPWQKoRySENSXA2UHIS+eAeQo= -github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220428202731-e2c57af04dd1/go.mod h1:Hd7l5g0G9OMjk3/gtJXfwYipPcTEdsxZk/awH3d5fNk= +github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220610072126-28b840bedd5c h1:N6WMlFOet0EX3yPvjLrkPdvwvYVvkMbAZFcvsWWfaY0= +github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20220610072126-28b840bedd5c/go.mod h1:Hd7l5g0G9OMjk3/gtJXfwYipPcTEdsxZk/awH3d5fNk= github.com/hashicorp/terraform-registry-address v0.0.0-20210412075316-9b2996cce896/go.mod h1:bzBPnUIkI0RxauU8Dqo+2KrZZ28Cf48s8V6IHt3p4co= github.com/hashicorp/terraform-registry-address v0.0.0-20220131103327-5c1c5e123275 h1:x/8cnK295F9NK18FXxsJxU1bz2PusWH52DDDsuao+88= github.com/hashicorp/terraform-registry-address v0.0.0-20220131103327-5c1c5e123275/go.mod h1:bdLC+qQlJIBHKbCMA6GipcuaKjmjcvZlnVdpU583z3Y= diff --git a/sdk/dotnet/ClaimsMappingPolicy.cs b/sdk/dotnet/ClaimsMappingPolicy.cs index a5ff4d340..44f28ca96 100644 --- a/sdk/dotnet/ClaimsMappingPolicy.cs +++ b/sdk/dotnet/ClaimsMappingPolicy.cs @@ -16,7 +16,7 @@ namespace Pulumi.AzureAD /// /// The following API permissions are required in order to use this resource. /// - /// When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` + /// When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` and `Policy.Read.All` /// /// When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator` /// diff --git a/sdk/dotnet/ConditionalAccessPolicy.cs b/sdk/dotnet/ConditionalAccessPolicy.cs index bc746ee89..5c31743f3 100644 --- a/sdk/dotnet/ConditionalAccessPolicy.cs +++ b/sdk/dotnet/ConditionalAccessPolicy.cs @@ -36,10 +36,7 @@ namespace Pulumi.AzureAD /// { /// Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs /// { - /// ExcludedApplications = - /// { - /// "00000004-0000-0ff1-ce00-000000000000", - /// }, + /// ExcludedApplications = {}, /// IncludedApplications = /// { /// "All", @@ -110,30 +107,10 @@ namespace Pulumi.AzureAD /// }, /// SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs /// { - /// ApplicationEnforcedRestrictions = - /// { - /// - /// { - /// { "enabled", true }, - /// }, - /// }, - /// CloudAppSecurity = - /// { - /// - /// { - /// { "cloudAppSecurityType", "monitorOnly" }, - /// { "enabled", true }, - /// }, - /// }, - /// SignInFrequency = - /// { - /// - /// { - /// { "enabled", true }, - /// { "type", "hours" }, - /// { "value", 10 }, - /// }, - /// }, + /// ApplicationEnforcedRestrictionsEnabled = true, + /// CloudAppSecurityPolicy = "monitorOnly", + /// SignInFrequency = 10, + /// SignInFrequencyPeriod = "hours", /// }, /// State = "disabled", /// }); diff --git a/sdk/dotnet/Config/Config.cs b/sdk/dotnet/Config/Config.cs index f97b9eb51..dd6617d23 100644 --- a/sdk/dotnet/Config/Config.cs +++ b/sdk/dotnet/Config/Config.cs @@ -115,6 +115,28 @@ public static string? MsiEndpoint set => _msiEndpoint.Set(value); } + private static readonly __Value _oidcRequestToken = new __Value(() => __config.Get("oidcRequestToken")); + /// + /// The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + /// Connect. + /// + public static string? OidcRequestToken + { + get => _oidcRequestToken.Get(); + set => _oidcRequestToken.Set(value); + } + + private static readonly __Value _oidcRequestUrl = new __Value(() => __config.Get("oidcRequestUrl")); + /// + /// The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + /// using OpenID Connect. + /// + public static string? OidcRequestUrl + { + get => _oidcRequestUrl.Get(); + set => _oidcRequestUrl.Set(value); + } + private static readonly __Value _partnerId = new __Value(() => __config.Get("partnerId")); /// /// A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution @@ -155,5 +177,15 @@ public static bool? UseMsi set => _useMsi.Set(value); } + private static readonly __Value _useOidc = new __Value(() => __config.GetBoolean("useOidc")); + /// + /// Allow OpenID Connect to be used for authentication + /// + public static bool? UseOidc + { + get => _useOidc.Get(); + set => _useOidc.Set(value); + } + } } diff --git a/sdk/dotnet/Provider.cs b/sdk/dotnet/Provider.cs index 9a3ace26c..60a756f6f 100644 --- a/sdk/dotnet/Provider.cs +++ b/sdk/dotnet/Provider.cs @@ -63,6 +63,20 @@ public partial class Provider : Pulumi.ProviderResource [Output("msiEndpoint")] public Output MsiEndpoint { get; private set; } = null!; + /// + /// The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + /// Connect. + /// + [Output("oidcRequestToken")] + public Output OidcRequestToken { get; private set; } = null!; + + /// + /// The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + /// using OpenID Connect. + /// + [Output("oidcRequestUrl")] + public Output OidcRequestUrl { get; private set; } = null!; + /// /// A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution /// @@ -154,6 +168,20 @@ public sealed class ProviderArgs : Pulumi.ResourceArgs [Input("msiEndpoint")] public Input? MsiEndpoint { get; set; } + /// + /// The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + /// Connect. + /// + [Input("oidcRequestToken")] + public Input? OidcRequestToken { get; set; } + + /// + /// The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + /// using OpenID Connect. + /// + [Input("oidcRequestUrl")] + public Input? OidcRequestUrl { get; set; } + /// /// A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution /// @@ -178,6 +206,12 @@ public sealed class ProviderArgs : Pulumi.ResourceArgs [Input("useMsi", json: true)] public Input? UseMsi { get; set; } + /// + /// Allow OpenID Connect to be used for authentication + /// + [Input("useOidc", json: true)] + public Input? UseOidc { get; set; } + public ProviderArgs() { Environment = Utilities.GetEnv("ARM_ENVIRONMENT") ?? "public"; diff --git a/sdk/dotnet/go.mod b/sdk/dotnet/go.mod new file mode 100644 index 000000000..522baad68 --- /dev/null +++ b/sdk/dotnet/go.mod @@ -0,0 +1,3 @@ +module fake_dotnet_module // Exclude this directory from Go tools + +go 1.16 diff --git a/sdk/go/azuread/claimsMappingPolicy.go b/sdk/go/azuread/claimsMappingPolicy.go index ca9d55f5b..289084ba0 100644 --- a/sdk/go/azuread/claimsMappingPolicy.go +++ b/sdk/go/azuread/claimsMappingPolicy.go @@ -17,7 +17,7 @@ import ( // // The following API permissions are required in order to use this resource. // -// When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` +// When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` and `Policy.Read.All` // // When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator` // diff --git a/sdk/go/azuread/conditionalAccessPolicy.go b/sdk/go/azuread/conditionalAccessPolicy.go index f7a4f6df8..176af57d1 100644 --- a/sdk/go/azuread/conditionalAccessPolicy.go +++ b/sdk/go/azuread/conditionalAccessPolicy.go @@ -36,9 +36,7 @@ import ( // _, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{ // Conditions: &ConditionalAccessPolicyConditionsArgs{ // Applications: &ConditionalAccessPolicyConditionsApplicationsArgs{ -// ExcludedApplications: pulumi.StringArray{ -// pulumi.String("00000004-0000-0ff1-ce00-000000000000"), -// }, +// ExcludedApplications: pulumi.StringArray{}, // IncludedApplications: pulumi.StringArray{ // pulumi.String("All"), // }, @@ -91,24 +89,10 @@ import ( // Operator: pulumi.String("OR"), // }, // SessionControls: &ConditionalAccessPolicySessionControlsArgs{ -// ApplicationEnforcedRestrictions: []map[string]interface{}{ -// map[string]interface{}{ -// "enabled": true, -// }, -// }, -// CloudAppSecurity: []map[string]interface{}{ -// map[string]interface{}{ -// "cloudAppSecurityType": "monitorOnly", -// "enabled": true, -// }, -// }, -// SignInFrequency: pulumi.Int{ -// map[string]interface{}{ -// "enabled": true, -// "type": "hours", -// "value": 10, -// }, -// }, +// ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true), +// CloudAppSecurityPolicy: pulumi.String("monitorOnly"), +// SignInFrequency: pulumi.Int(10), +// SignInFrequencyPeriod: pulumi.String("hours"), // }, // State: pulumi.String("disabled"), // }) diff --git a/sdk/go/azuread/config/config.go b/sdk/go/azuread/config/config.go index c4d18d465..61a0386e2 100644 --- a/sdk/go/azuread/config/config.go +++ b/sdk/go/azuread/config/config.go @@ -59,6 +59,18 @@ func GetMsiEndpoint(ctx *pulumi.Context) string { return getEnvOrDefault("", nil, "ARM_MSI_ENDPOINT").(string) } +// The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID +// Connect. +func GetOidcRequestToken(ctx *pulumi.Context) string { + return config.Get(ctx, "azuread:oidcRequestToken") +} + +// The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal +// using OpenID Connect. +func GetOidcRequestUrl(ctx *pulumi.Context) string { + return config.Get(ctx, "azuread:oidcRequestUrl") +} + // A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution func GetPartnerId(ctx *pulumi.Context) string { return config.Get(ctx, "azuread:partnerId") @@ -82,3 +94,8 @@ func GetUseMsi(ctx *pulumi.Context) bool { } return getEnvOrDefault(false, parseEnvBool, "ARM_USE_MSI").(bool) } + +// Allow OpenID Connect to be used for authentication +func GetUseOidc(ctx *pulumi.Context) bool { + return config.GetBool(ctx, "azuread:useOidc") +} diff --git a/sdk/go/azuread/provider.go b/sdk/go/azuread/provider.go index d467b851b..bcccb3e75 100644 --- a/sdk/go/azuread/provider.go +++ b/sdk/go/azuread/provider.go @@ -34,6 +34,12 @@ type Provider struct { Environment pulumi.StringPtrOutput `pulumi:"environment"` // The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically MsiEndpoint pulumi.StringPtrOutput `pulumi:"msiEndpoint"` + // The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + // Connect. + OidcRequestToken pulumi.StringPtrOutput `pulumi:"oidcRequestToken"` + // The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + // using OpenID Connect. + OidcRequestUrl pulumi.StringPtrOutput `pulumi:"oidcRequestUrl"` // A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution PartnerId pulumi.StringPtrOutput `pulumi:"partnerId"` // The Tenant ID which should be used. Works with all authentication methods except Managed Identity @@ -84,6 +90,12 @@ type providerArgs struct { Environment *string `pulumi:"environment"` // The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically MsiEndpoint *string `pulumi:"msiEndpoint"` + // The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + // Connect. + OidcRequestToken *string `pulumi:"oidcRequestToken"` + // The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + // using OpenID Connect. + OidcRequestUrl *string `pulumi:"oidcRequestUrl"` // A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution PartnerId *string `pulumi:"partnerId"` // The Tenant ID which should be used. Works with all authentication methods except Managed Identity @@ -92,6 +104,8 @@ type providerArgs struct { UseCli *bool `pulumi:"useCli"` // Allow Managed Identity to be used for Authentication UseMsi *bool `pulumi:"useMsi"` + // Allow OpenID Connect to be used for authentication + UseOidc *bool `pulumi:"useOidc"` } // The set of arguments for constructing a Provider resource. @@ -115,6 +129,12 @@ type ProviderArgs struct { Environment pulumi.StringPtrInput // The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically MsiEndpoint pulumi.StringPtrInput + // The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + // Connect. + OidcRequestToken pulumi.StringPtrInput + // The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + // using OpenID Connect. + OidcRequestUrl pulumi.StringPtrInput // A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution PartnerId pulumi.StringPtrInput // The Tenant ID which should be used. Works with all authentication methods except Managed Identity @@ -123,6 +143,8 @@ type ProviderArgs struct { UseCli pulumi.BoolPtrInput // Allow Managed Identity to be used for Authentication UseMsi pulumi.BoolPtrInput + // Allow OpenID Connect to be used for authentication + UseOidc pulumi.BoolPtrInput } func (ProviderArgs) ElementType() reflect.Type { @@ -200,6 +222,18 @@ func (o ProviderOutput) MsiEndpoint() pulumi.StringPtrOutput { return o.ApplyT(func(v *Provider) pulumi.StringPtrOutput { return v.MsiEndpoint }).(pulumi.StringPtrOutput) } +// The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID +// Connect. +func (o ProviderOutput) OidcRequestToken() pulumi.StringPtrOutput { + return o.ApplyT(func(v *Provider) pulumi.StringPtrOutput { return v.OidcRequestToken }).(pulumi.StringPtrOutput) +} + +// The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal +// using OpenID Connect. +func (o ProviderOutput) OidcRequestUrl() pulumi.StringPtrOutput { + return o.ApplyT(func(v *Provider) pulumi.StringPtrOutput { return v.OidcRequestUrl }).(pulumi.StringPtrOutput) +} + // A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution func (o ProviderOutput) PartnerId() pulumi.StringPtrOutput { return o.ApplyT(func(v *Provider) pulumi.StringPtrOutput { return v.PartnerId }).(pulumi.StringPtrOutput) diff --git a/sdk/nodejs/claimsMappingPolicy.ts b/sdk/nodejs/claimsMappingPolicy.ts index 42d59fd8f..dfe09b456 100644 --- a/sdk/nodejs/claimsMappingPolicy.ts +++ b/sdk/nodejs/claimsMappingPolicy.ts @@ -11,7 +11,7 @@ import * as utilities from "./utilities"; * * The following API permissions are required in order to use this resource. * - * When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` + * When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` and `Policy.Read.All` * * When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator` * diff --git a/sdk/nodejs/conditionalAccessPolicy.ts b/sdk/nodejs/conditionalAccessPolicy.ts index 25c260a99..6b8bd3a7a 100644 --- a/sdk/nodejs/conditionalAccessPolicy.ts +++ b/sdk/nodejs/conditionalAccessPolicy.ts @@ -25,7 +25,7 @@ import * as utilities from "./utilities"; * const example = new azuread.ConditionalAccessPolicy("example", { * conditions: { * applications: { - * excludedApplications: ["00000004-0000-0ff1-ce00-000000000000"], + * excludedApplications: [], * includedApplications: ["All"], * }, * clientAppTypes: ["all"], @@ -56,18 +56,10 @@ import * as utilities from "./utilities"; * operator: "OR", * }, * sessionControls: { - * applicationEnforcedRestrictions: [{ - * enabled: true, - * }], - * cloudAppSecurity: [{ - * cloudAppSecurityType: "monitorOnly", - * enabled: true, - * }], - * signInFrequency: [{ - * enabled: true, - * type: "hours", - * value: 10, - * }], + * applicationEnforcedRestrictionsEnabled: true, + * cloudAppSecurityPolicy: "monitorOnly", + * signInFrequency: 10, + * signInFrequencyPeriod: "hours", * }, * state: "disabled", * }); diff --git a/sdk/nodejs/config/vars.ts b/sdk/nodejs/config/vars.ts index 79b4e4232..be478d41c 100644 --- a/sdk/nodejs/config/vars.ts +++ b/sdk/nodejs/config/vars.ts @@ -98,6 +98,30 @@ Object.defineProperty(exports, "msiEndpoint", { enumerable: true, }); +/** + * The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + * Connect. + */ +export declare const oidcRequestToken: string | undefined; +Object.defineProperty(exports, "oidcRequestToken", { + get() { + return __config.get("oidcRequestToken"); + }, + enumerable: true, +}); + +/** + * The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + * using OpenID Connect. + */ +export declare const oidcRequestUrl: string | undefined; +Object.defineProperty(exports, "oidcRequestUrl", { + get() { + return __config.get("oidcRequestUrl"); + }, + enumerable: true, +}); + /** * A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution */ @@ -142,3 +166,14 @@ Object.defineProperty(exports, "useMsi", { enumerable: true, }); +/** + * Allow OpenID Connect to be used for authentication + */ +export declare const useOidc: boolean | undefined; +Object.defineProperty(exports, "useOidc", { + get() { + return __config.getObject("useOidc"); + }, + enumerable: true, +}); + diff --git a/sdk/nodejs/go.mod b/sdk/nodejs/go.mod new file mode 100644 index 000000000..4e2f58f3a --- /dev/null +++ b/sdk/nodejs/go.mod @@ -0,0 +1,3 @@ +module fake_nodejs_module // Exclude this directory from Go tools + +go 1.16 diff --git a/sdk/nodejs/provider.ts b/sdk/nodejs/provider.ts index d65125457..2848523e3 100644 --- a/sdk/nodejs/provider.ts +++ b/sdk/nodejs/provider.ts @@ -56,6 +56,16 @@ export class Provider extends pulumi.ProviderResource { * The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically */ public readonly msiEndpoint!: pulumi.Output; + /** + * The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + * Connect. + */ + public readonly oidcRequestToken!: pulumi.Output; + /** + * The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + * using OpenID Connect. + */ + public readonly oidcRequestUrl!: pulumi.Output; /** * A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution */ @@ -84,10 +94,13 @@ export class Provider extends pulumi.ProviderResource { resourceInputs["disableTerraformPartnerId"] = pulumi.output(args ? args.disableTerraformPartnerId : undefined).apply(JSON.stringify); resourceInputs["environment"] = (args ? args.environment : undefined) ?? (utilities.getEnv("ARM_ENVIRONMENT") || "public"); resourceInputs["msiEndpoint"] = (args ? args.msiEndpoint : undefined) ?? utilities.getEnv("ARM_MSI_ENDPOINT"); + resourceInputs["oidcRequestToken"] = args ? args.oidcRequestToken : undefined; + resourceInputs["oidcRequestUrl"] = args ? args.oidcRequestUrl : undefined; resourceInputs["partnerId"] = args ? args.partnerId : undefined; resourceInputs["tenantId"] = args ? args.tenantId : undefined; resourceInputs["useCli"] = pulumi.output(args ? args.useCli : undefined).apply(JSON.stringify); resourceInputs["useMsi"] = pulumi.output((args ? args.useMsi : undefined) ?? (utilities.getEnvBoolean("ARM_USE_MSI") || false)).apply(JSON.stringify); + resourceInputs["useOidc"] = pulumi.output(args ? args.useOidc : undefined).apply(JSON.stringify); } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); super(Provider.__pulumiType, name, resourceInputs, opts); @@ -133,6 +146,16 @@ export interface ProviderArgs { * The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically */ msiEndpoint?: pulumi.Input; + /** + * The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + * Connect. + */ + oidcRequestToken?: pulumi.Input; + /** + * The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + * using OpenID Connect. + */ + oidcRequestUrl?: pulumi.Input; /** * A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution */ @@ -149,4 +172,8 @@ export interface ProviderArgs { * Allow Managed Identity to be used for Authentication */ useMsi?: pulumi.Input; + /** + * Allow OpenID Connect to be used for authentication + */ + useOidc?: pulumi.Input; } diff --git a/sdk/python/go.mod b/sdk/python/go.mod new file mode 100644 index 000000000..08d8d6798 --- /dev/null +++ b/sdk/python/go.mod @@ -0,0 +1,3 @@ +module fake_python_module // Exclude this directory from Go tools + +go 1.16 diff --git a/sdk/python/pulumi_azuread/claims_mapping_policy.py b/sdk/python/pulumi_azuread/claims_mapping_policy.py index 85decd13e..0d2d23ab2 100644 --- a/sdk/python/pulumi_azuread/claims_mapping_policy.py +++ b/sdk/python/pulumi_azuread/claims_mapping_policy.py @@ -103,7 +103,7 @@ def __init__(__self__, The following API permissions are required in order to use this resource. - When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` + When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` and `Policy.Read.All` When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator` @@ -164,7 +164,7 @@ def __init__(__self__, The following API permissions are required in order to use this resource. - When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` + When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ApplicationConfiguration` and `Policy.Read.All` When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator` diff --git a/sdk/python/pulumi_azuread/conditional_access_policy.py b/sdk/python/pulumi_azuread/conditional_access_policy.py index 381dc8eea..724da71af 100644 --- a/sdk/python/pulumi_azuread/conditional_access_policy.py +++ b/sdk/python/pulumi_azuread/conditional_access_policy.py @@ -215,7 +215,7 @@ def __init__(__self__, example = azuread.ConditionalAccessPolicy("example", conditions=azuread.ConditionalAccessPolicyConditionsArgs( applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs( - excluded_applications=["00000004-0000-0ff1-ce00-000000000000"], + excluded_applications=[], included_applications=["All"], ), client_app_types=["all"], @@ -246,18 +246,10 @@ def __init__(__self__, operator="OR", ), session_controls=azuread.ConditionalAccessPolicySessionControlsArgs( - application_enforced_restrictions=[{ - "enabled": True, - }], - cloud_app_security=[{ - "cloudAppSecurityType": "monitorOnly", - "enabled": True, - }], - sign_in_frequency=[{ - "enabled": True, - "type": "hours", - "value": 10, - }], + application_enforced_restrictions_enabled=True, + cloud_app_security_policy="monitorOnly", + sign_in_frequency=10, + sign_in_frequency_period="hours", ), state="disabled") ``` @@ -304,7 +296,7 @@ def __init__(__self__, example = azuread.ConditionalAccessPolicy("example", conditions=azuread.ConditionalAccessPolicyConditionsArgs( applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs( - excluded_applications=["00000004-0000-0ff1-ce00-000000000000"], + excluded_applications=[], included_applications=["All"], ), client_app_types=["all"], @@ -335,18 +327,10 @@ def __init__(__self__, operator="OR", ), session_controls=azuread.ConditionalAccessPolicySessionControlsArgs( - application_enforced_restrictions=[{ - "enabled": True, - }], - cloud_app_security=[{ - "cloudAppSecurityType": "monitorOnly", - "enabled": True, - }], - sign_in_frequency=[{ - "enabled": True, - "type": "hours", - "value": 10, - }], + application_enforced_restrictions_enabled=True, + cloud_app_security_policy="monitorOnly", + sign_in_frequency=10, + sign_in_frequency_period="hours", ), state="disabled") ``` diff --git a/sdk/python/pulumi_azuread/config/__init__.pyi b/sdk/python/pulumi_azuread/config/__init__.pyi index e02d020e0..da6e0faeb 100644 --- a/sdk/python/pulumi_azuread/config/__init__.pyi +++ b/sdk/python/pulumi_azuread/config/__init__.pyi @@ -51,6 +51,18 @@ msiEndpoint: Optional[str] The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically """ +oidcRequestToken: Optional[str] +""" +The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID +Connect. +""" + +oidcRequestUrl: Optional[str] +""" +The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal +using OpenID Connect. +""" + partnerId: Optional[str] """ A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution @@ -71,3 +83,8 @@ useMsi: bool Allow Managed Identity to be used for Authentication """ +useOidc: Optional[bool] +""" +Allow OpenID Connect to be used for authentication +""" + diff --git a/sdk/python/pulumi_azuread/config/vars.py b/sdk/python/pulumi_azuread/config/vars.py index aa23a721b..f79ced45b 100644 --- a/sdk/python/pulumi_azuread/config/vars.py +++ b/sdk/python/pulumi_azuread/config/vars.py @@ -73,6 +73,22 @@ def msi_endpoint(self) -> Optional[str]: """ return __config__.get('msiEndpoint') or _utilities.get_env('ARM_MSI_ENDPOINT') + @property + def oidc_request_token(self) -> Optional[str]: + """ + The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + Connect. + """ + return __config__.get('oidcRequestToken') + + @property + def oidc_request_url(self) -> Optional[str]: + """ + The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + using OpenID Connect. + """ + return __config__.get('oidcRequestUrl') + @property def partner_id(self) -> Optional[str]: """ @@ -101,3 +117,10 @@ def use_msi(self) -> bool: """ return __config__.get_bool('useMsi') or (_utilities.get_env_bool('ARM_USE_MSI') or False) + @property + def use_oidc(self) -> Optional[bool]: + """ + Allow OpenID Connect to be used for authentication + """ + return __config__.get_bool('useOidc') + diff --git a/sdk/python/pulumi_azuread/provider.py b/sdk/python/pulumi_azuread/provider.py index 7f9688eb4..75312a618 100644 --- a/sdk/python/pulumi_azuread/provider.py +++ b/sdk/python/pulumi_azuread/provider.py @@ -21,10 +21,13 @@ def __init__(__self__, *, disable_terraform_partner_id: Optional[pulumi.Input[bool]] = None, environment: Optional[pulumi.Input[str]] = None, msi_endpoint: Optional[pulumi.Input[str]] = None, + oidc_request_token: Optional[pulumi.Input[str]] = None, + oidc_request_url: Optional[pulumi.Input[str]] = None, partner_id: Optional[pulumi.Input[str]] = None, tenant_id: Optional[pulumi.Input[str]] = None, use_cli: Optional[pulumi.Input[bool]] = None, - use_msi: Optional[pulumi.Input[bool]] = None): + use_msi: Optional[pulumi.Input[bool]] = None, + use_oidc: Optional[pulumi.Input[bool]] = None): """ The set of arguments for constructing a Provider resource. :param pulumi.Input[str] client_certificate: Base64 encoded PKCS#12 certificate bundle to use when authenticating as a Service Principal using a Client Certificate @@ -38,10 +41,15 @@ def __init__(__self__, *, :param pulumi.Input[str] environment: The cloud environment which should be used. Possible values are: `global` (also `public`), `usgovernmentl4` (also `usgovernment`), `usgovernmentl5` (also `dod`), and `china`. Defaults to `global` :param pulumi.Input[str] msi_endpoint: The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically + :param pulumi.Input[str] oidc_request_token: The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + Connect. + :param pulumi.Input[str] oidc_request_url: The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + using OpenID Connect. :param pulumi.Input[str] partner_id: A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution :param pulumi.Input[str] tenant_id: The Tenant ID which should be used. Works with all authentication methods except Managed Identity :param pulumi.Input[bool] use_cli: Allow Azure CLI to be used for Authentication :param pulumi.Input[bool] use_msi: Allow Managed Identity to be used for Authentication + :param pulumi.Input[bool] use_oidc: Allow OpenID Connect to be used for authentication """ if client_certificate is not None: pulumi.set(__self__, "client_certificate", client_certificate) @@ -63,6 +71,10 @@ def __init__(__self__, *, msi_endpoint = _utilities.get_env('ARM_MSI_ENDPOINT') if msi_endpoint is not None: pulumi.set(__self__, "msi_endpoint", msi_endpoint) + if oidc_request_token is not None: + pulumi.set(__self__, "oidc_request_token", oidc_request_token) + if oidc_request_url is not None: + pulumi.set(__self__, "oidc_request_url", oidc_request_url) if partner_id is not None: pulumi.set(__self__, "partner_id", partner_id) if tenant_id is not None: @@ -73,6 +85,8 @@ def __init__(__self__, *, use_msi = (_utilities.get_env_bool('ARM_USE_MSI') or False) if use_msi is not None: pulumi.set(__self__, "use_msi", use_msi) + if use_oidc is not None: + pulumi.set(__self__, "use_oidc", use_oidc) @property @pulumi.getter(name="clientCertificate") @@ -173,6 +187,32 @@ def msi_endpoint(self) -> Optional[pulumi.Input[str]]: def msi_endpoint(self, value: Optional[pulumi.Input[str]]): pulumi.set(self, "msi_endpoint", value) + @property + @pulumi.getter(name="oidcRequestToken") + def oidc_request_token(self) -> Optional[pulumi.Input[str]]: + """ + The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + Connect. + """ + return pulumi.get(self, "oidc_request_token") + + @oidc_request_token.setter + def oidc_request_token(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "oidc_request_token", value) + + @property + @pulumi.getter(name="oidcRequestUrl") + def oidc_request_url(self) -> Optional[pulumi.Input[str]]: + """ + The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + using OpenID Connect. + """ + return pulumi.get(self, "oidc_request_url") + + @oidc_request_url.setter + def oidc_request_url(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "oidc_request_url", value) + @property @pulumi.getter(name="partnerId") def partner_id(self) -> Optional[pulumi.Input[str]]: @@ -221,6 +261,18 @@ def use_msi(self) -> Optional[pulumi.Input[bool]]: def use_msi(self, value: Optional[pulumi.Input[bool]]): pulumi.set(self, "use_msi", value) + @property + @pulumi.getter(name="useOidc") + def use_oidc(self) -> Optional[pulumi.Input[bool]]: + """ + Allow OpenID Connect to be used for authentication + """ + return pulumi.get(self, "use_oidc") + + @use_oidc.setter + def use_oidc(self, value: Optional[pulumi.Input[bool]]): + pulumi.set(self, "use_oidc", value) + class Provider(pulumi.ProviderResource): @overload @@ -235,10 +287,13 @@ def __init__(__self__, disable_terraform_partner_id: Optional[pulumi.Input[bool]] = None, environment: Optional[pulumi.Input[str]] = None, msi_endpoint: Optional[pulumi.Input[str]] = None, + oidc_request_token: Optional[pulumi.Input[str]] = None, + oidc_request_url: Optional[pulumi.Input[str]] = None, partner_id: Optional[pulumi.Input[str]] = None, tenant_id: Optional[pulumi.Input[str]] = None, use_cli: Optional[pulumi.Input[bool]] = None, use_msi: Optional[pulumi.Input[bool]] = None, + use_oidc: Optional[pulumi.Input[bool]] = None, __props__=None): """ The provider type for the azuread package. By default, resources use package-wide configuration @@ -259,10 +314,15 @@ def __init__(__self__, :param pulumi.Input[str] environment: The cloud environment which should be used. Possible values are: `global` (also `public`), `usgovernmentl4` (also `usgovernment`), `usgovernmentl5` (also `dod`), and `china`. Defaults to `global` :param pulumi.Input[str] msi_endpoint: The path to a custom endpoint for Managed Identity - in most circumstances this should be detected automatically + :param pulumi.Input[str] oidc_request_token: The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + Connect. + :param pulumi.Input[str] oidc_request_url: The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + using OpenID Connect. :param pulumi.Input[str] partner_id: A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution :param pulumi.Input[str] tenant_id: The Tenant ID which should be used. Works with all authentication methods except Managed Identity :param pulumi.Input[bool] use_cli: Allow Azure CLI to be used for Authentication :param pulumi.Input[bool] use_msi: Allow Managed Identity to be used for Authentication + :param pulumi.Input[bool] use_oidc: Allow OpenID Connect to be used for authentication """ ... @overload @@ -299,10 +359,13 @@ def _internal_init(__self__, disable_terraform_partner_id: Optional[pulumi.Input[bool]] = None, environment: Optional[pulumi.Input[str]] = None, msi_endpoint: Optional[pulumi.Input[str]] = None, + oidc_request_token: Optional[pulumi.Input[str]] = None, + oidc_request_url: Optional[pulumi.Input[str]] = None, partner_id: Optional[pulumi.Input[str]] = None, tenant_id: Optional[pulumi.Input[str]] = None, use_cli: Optional[pulumi.Input[bool]] = None, use_msi: Optional[pulumi.Input[bool]] = None, + use_oidc: Optional[pulumi.Input[bool]] = None, __props__=None): if opts is None: opts = pulumi.ResourceOptions() @@ -327,12 +390,15 @@ def _internal_init(__self__, if msi_endpoint is None: msi_endpoint = _utilities.get_env('ARM_MSI_ENDPOINT') __props__.__dict__["msi_endpoint"] = msi_endpoint + __props__.__dict__["oidc_request_token"] = oidc_request_token + __props__.__dict__["oidc_request_url"] = oidc_request_url __props__.__dict__["partner_id"] = partner_id __props__.__dict__["tenant_id"] = tenant_id __props__.__dict__["use_cli"] = pulumi.Output.from_input(use_cli).apply(pulumi.runtime.to_json) if use_cli is not None else None if use_msi is None: use_msi = (_utilities.get_env_bool('ARM_USE_MSI') or False) __props__.__dict__["use_msi"] = pulumi.Output.from_input(use_msi).apply(pulumi.runtime.to_json) if use_msi is not None else None + __props__.__dict__["use_oidc"] = pulumi.Output.from_input(use_oidc).apply(pulumi.runtime.to_json) if use_oidc is not None else None super(Provider, __self__).__init__( 'azuread', resource_name, @@ -398,6 +464,24 @@ def msi_endpoint(self) -> pulumi.Output[Optional[str]]: """ return pulumi.get(self, "msi_endpoint") + @property + @pulumi.getter(name="oidcRequestToken") + def oidc_request_token(self) -> pulumi.Output[Optional[str]]: + """ + The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID + Connect. + """ + return pulumi.get(self, "oidc_request_token") + + @property + @pulumi.getter(name="oidcRequestUrl") + def oidc_request_url(self) -> pulumi.Output[Optional[str]]: + """ + The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal + using OpenID Connect. + """ + return pulumi.get(self, "oidc_request_url") + @property @pulumi.getter(name="partnerId") def partner_id(self) -> pulumi.Output[Optional[str]]: