azuread_conditional_access_policy: restore DiffSuppressFunc for `sess…

…ion_controls` block
hashicorp · Jul 27, 2023 · df8e501 · df8e501
1 parent b0de4dd
commit df8e501
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 5 deletions.
diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource.go b/internal/services/conditionalaccess/conditional_access_policy_resource.go
@@ -426,10 +426,11 @@ func conditionalAccessPolicyResource() *schema.Resource {
 			},
 
 			"session_controls": {
-				Type:         schema.TypeList,
-				Optional:     true,
-				AtLeastOneOf: []string{"grant_controls", "session_controls"},
-				MaxItems:     1,
+				Type:             schema.TypeList,
+				Optional:         true,
+				AtLeastOneOf:     []string{"grant_controls", "session_controls"},
+				MaxItems:         1,
+				DiffSuppressFunc: conditionalAccessPolicyDiffSuppress,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"application_enforced_restrictions_enabled": {
@@ -501,6 +502,41 @@ func conditionalAccessPolicyCustomizeDiff(ctx context.Context, diff *schema.Reso
 	return nil
 }
 
+func conditionalAccessPolicyDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
+	suppress := false
+
+	switch {
+	case k == "session_controls.#" && old == "0" && new == "1":
+		// When an ineffectual `session_controls` block is configured, the API just ignores it and returns
+		// sessionControls: null
+		sessionControlsRaw := d.Get("session_controls").([]interface{})
+		if len(sessionControlsRaw) == 1 && sessionControlsRaw[0] != nil {
+			sessionControls := sessionControlsRaw[0].(map[string]interface{})
+			suppress = true
+			if v, ok := sessionControls["application_enforced_restrictions_enabled"]; ok && v.(bool) {
+				suppress = false
+			}
+			if v, ok := sessionControls["cloud_app_security_policy"]; ok && v.(string) != "" {
+				suppress = false
+			}
+			if v, ok := sessionControls["disable_resilience_defaults"]; ok && v.(bool) {
+				suppress = false
+			}
+			if v, ok := sessionControls["persistent_browser_mode"]; ok && v.(string) != "" {
+				suppress = false
+			}
+			if v, ok := sessionControls["sign_in_frequency"]; ok && v.(int) > 0 {
+				suppress = false
+			}
+			if v, ok := sessionControls["sign_in_frequency_period"]; ok && v.(string) != "" {
+				suppress = false
+			}
+		}
+	}
+
+	return suppress
+}
+
 func conditionalAccessPolicyResourceCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*clients.Client).ConditionalAccess.PoliciesClient
 

diff --git a/internal/services/conditionalaccess/conditional_access_policy_resource_test.go b/internal/services/conditionalaccess/conditional_access_policy_resource_test.go
@@ -216,7 +216,7 @@ func TestAccConditionalAccessPolicy_sessionControls(t *testing.T) {
 }
 
 func TestAccConditionalAccessPolicy_sessionControlsDisabled(t *testing.T) {
-	// Remove this test when https://github.com/microsoftgraph/msgraph-metadata/issues/93 is resolved
+	// This is testing the DiffSuppressFunc for the `session_controls` block
 
 	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
 	r := ConditionalAccessPolicyResource{}