@pulumi/azuread
Version:
A Pulumi package for creating and managing Azure Active Directory (Azure AD) cloud resources.
226 lines • 8.99 kB
JavaScript
;
// *** WARNING: this file was generated by pulumi-language-nodejs. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.ConditionalAccessPolicy = void 0;
const pulumi = __importStar(require("@pulumi/pulumi"));
const utilities = __importStar(require("./utilities"));
/**
* Manages a Conditional Access Policy within Azure Active Directory.
*
* > **Licensing Requirements** Specifying `clientApplications` property requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access).
*
* > **API Limits** This resource is subject to a restrictive API request limit of 1 request/second. Whilst Terraform will automatically back-off and retry throttled requests, if you have a large number of resource changes to make, you may wish to reduce parallelism or specify extended custom resource timeouts.
*
* ## API Permissions
*
* The following API permissions are required in order to use this resource.
*
* When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`
*
* When authenticated with a user principal, this resource requires one of the following directory roles: `Conditional Access Administrator` or `Global Administrator`
*
* ## Example Usage
*
* ### All users except guests or external users
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const example = new azuread.ConditionalAccessPolicy("example", {
* displayName: "example policy",
* state: "disabled",
* conditions: {
* clientAppTypes: ["all"],
* signInRiskLevels: ["medium"],
* userRiskLevels: ["medium"],
* applications: {
* includedApplications: ["All"],
* excludedApplications: [],
* },
* devices: {
* filter: {
* mode: "exclude",
* rule: "device.operatingSystem eq \"Doors\"",
* },
* },
* locations: {
* includedLocations: ["All"],
* excludedLocations: ["AllTrusted"],
* },
* platforms: {
* includedPlatforms: ["android"],
* excludedPlatforms: ["iOS"],
* },
* users: {
* includedUsers: ["All"],
* excludedUsers: ["GuestsOrExternalUsers"],
* },
* },
* grantControls: {
* operator: "OR",
* builtInControls: ["mfa"],
* },
* sessionControls: {
* applicationEnforcedRestrictionsEnabled: true,
* disableResilienceDefaults: false,
* signInFrequency: 10,
* signInFrequencyPeriod: "hours",
* cloudAppSecurityPolicy: "monitorOnly",
* },
* });
* ```
*
* ### Included client applications / service principals
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const example = new azuread.ConditionalAccessPolicy("example", {
* displayName: "example policy",
* state: "disabled",
* conditions: {
* clientAppTypes: ["all"],
* applications: {
* includedApplications: ["All"],
* },
* clientApplications: {
* includedServicePrincipals: [current.then(current => current.objectId)],
* excludedServicePrincipals: [],
* },
* users: {
* includedUsers: ["None"],
* },
* },
* grantControls: {
* operator: "OR",
* builtInControls: ["block"],
* },
* });
* ```
*
* ### Excluded client applications / service principals
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const example = new azuread.ConditionalAccessPolicy("example", {
* displayName: "example policy",
* state: "disabled",
* conditions: {
* clientAppTypes: ["all"],
* applications: {
* includedApplications: ["All"],
* },
* clientApplications: {
* includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
* excludedServicePrincipals: [current.then(current => current.objectId)],
* },
* users: {
* includedUsers: ["None"],
* },
* },
* grantControls: {
* operator: "OR",
* builtInControls: ["block"],
* },
* });
* ```
*
* ## Import
*
* Conditional Access Policies can be imported using the `id`, e.g.
*
* ```sh
* $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location /identity/conditionalAccess/policies/00000000-0000-0000-0000-000000000000
* ```
*/
class ConditionalAccessPolicy extends pulumi.CustomResource {
/**
* Get an existing ConditionalAccessPolicy resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name, id, state, opts) {
return new ConditionalAccessPolicy(name, state, { ...opts, id: id });
}
/** @internal */
static __pulumiType = 'azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy';
/**
* Returns true if the given object is an instance of ConditionalAccessPolicy. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj) {
if (obj === undefined || obj === null) {
return false;
}
return obj['__pulumiType'] === ConditionalAccessPolicy.__pulumiType;
}
constructor(name, argsOrState, opts) {
let resourceInputs = {};
opts = opts || {};
if (opts.id) {
const state = argsOrState;
resourceInputs["conditions"] = state?.conditions;
resourceInputs["displayName"] = state?.displayName;
resourceInputs["grantControls"] = state?.grantControls;
resourceInputs["objectId"] = state?.objectId;
resourceInputs["sessionControls"] = state?.sessionControls;
resourceInputs["state"] = state?.state;
}
else {
const args = argsOrState;
if (args?.conditions === undefined && !opts.urn) {
throw new Error("Missing required property 'conditions'");
}
if (args?.displayName === undefined && !opts.urn) {
throw new Error("Missing required property 'displayName'");
}
if (args?.state === undefined && !opts.urn) {
throw new Error("Missing required property 'state'");
}
resourceInputs["conditions"] = args?.conditions;
resourceInputs["displayName"] = args?.displayName;
resourceInputs["grantControls"] = args?.grantControls;
resourceInputs["sessionControls"] = args?.sessionControls;
resourceInputs["state"] = args?.state;
resourceInputs["objectId"] = undefined /*out*/;
}
opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
super(ConditionalAccessPolicy.__pulumiType, name, resourceInputs, opts);
}
}
exports.ConditionalAccessPolicy = ConditionalAccessPolicy;
//# sourceMappingURL=conditionalAccessPolicy.js.map