Conditional access module #13
sylviamclaughlin
wants to merge
1
commit into
main
Choose a base branch
from
feat/conditional_access_module
Terraform Plan ✅ Terraform Init: Plan: 7 to add, 2 to change, 0 to destroy
Resource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
# azuread_named_location.canada will be created
+ resource "azuread_named_location" "canada" {
+ display_name = "Canada"
+ id = (known after apply)
+ country {
+ countries_and_regions = [
+ "CA",
]
+ country_lookup_method = "clientIpAddress"
+ include_unknown_countries_and_regions = false
}
}
# azuread_named_location.esdc_ips will be created
+ resource "azuread_named_location" "esdc_ips" {
+ display_name = "ESDC IPs"
+ id = (known after apply)
+ ip {
+ ip_ranges = [
+ "198.103.0.0/16",
]
+ trusted = true
}
}
# azuread_named_location.united_states will be created
+ resource "azuread_named_location" "united_states" {
+ display_name = "United States"
+ id = (known after apply)
+ country {
+ countries_and_regions = [
+ "US",
]
+ country_lookup_method = "clientIpAddress"
+ include_unknown_countries_and_regions = false
}
}
# module.ai_answers_api_key.azurerm_cognitive_account.openai will be updated in-place
~ resource "azurerm_cognitive_account" "openai" {
id = "/subscriptions/5617b0eb-50cc-4fe6-b57e-021e6ec245f0/resourceGroups/nimwzfg-ai-answers/providers/Microsoft.CognitiveServices/accounts/ai-answers-nimwzfg"
name = "ai-answers-nimwzfg"
~ tags = {
- "division" = "DC" -> null
}
# (19 unchanged attributes hidden)
}
# module.block_non_browser.azuread_conditional_access_policy.this will be created
+ resource "azuread_conditional_access_policy" "this" {
+ display_name = "Conditional Access - Block Non-Browser Access"
+ id = (known after apply)
+ object_id = (known after apply)
+ state = "enabled"
+ conditions {
+ client_app_types = [
+ "exchangeActiveSync",
+ "mobileAppsAndDesktopClients",
+ "other",
]
+ insider_risk_levels = (known after apply)
+ applications {
+ excluded_applications = [
+ "797f4846-ba00-4fd7-ba43-dac1f8f63013",
]
+ included_applications = [
+ "All",
]
}
+ locations {
+ excluded_locations = []
+ included_locations = [
+ "All",
]
}
+ platforms {
+ excluded_platforms = []
+ included_platforms = [
+ "all",
]
}
+ users {
+ excluded_groups = [
+ "86a827be-9f2d-46fe-992e-9445ec10e840",
+ "9c8babe3-fe86-42b1-ace6-16734f559c60",
+ "dda4f58f-e024-40da-9403-761270c5cc47",
]
+ included_users = [
+ "All",
]
}
}
+ grant_controls {
+ built_in_controls = [
+ "block",
]
+ operator = "OR"
}
}
# module.block_non_macos.azuread_conditional_access_policy.this will be created
+ resource "azuread_conditional_access_policy" "this" {
+ display_name = "Conditional Access - Block Non-MacOS Systems"
+ id = (known after apply)
+ object_id = (known after apply)
+ state = "enabled"
+ conditions {
+ client_app_types = [
+ "all",
]
+ insider_risk_levels = (known after apply)
+ applications {
+ excluded_applications = []
+ included_applications = [
+ "All",
]
}
+ locations {
+ excluded_locations = (known after apply)
+ included_locations = [
+ "All",
]
}
+ platforms {
+ excluded_platforms = [
+ "macOS",
+ "linux",
]
+ included_platforms = [
+ "all",
]
}
+ users {
+ excluded_groups = [
+ "86a827be-9f2d-46fe-992e-9445ec10e840",
]
+ included_users = [
+ "All",
]
}
}
+ grant_controls {
+ built_in_controls = [
+ "block",
]
+ operator = "OR"
}
}
# module.block_out_of_canada.azuread_conditional_access_policy.this will be created
+ resource "azuread_conditional_access_policy" "this" {
+ display_name = "Conditional Access - Block Out of Canada"
+ id = (known after apply)
+ object_id = (known after apply)
+ state = "enabled"
+ conditions {
+ client_app_types = [
+ "all",
]
+ insider_risk_levels = (known after apply)
+ applications {
+ excluded_applications = []
+ included_applications = [
+ "All",
]
}
+ locations {
+ excluded_locations = (known after apply)
+ included_locations = [
+ "All",
]
}
+ platforms {
+ excluded_platforms = []
+ included_platforms = [
+ "all",
]
}
+ users {
+ excluded_groups = [
+ "86a827be-9f2d-46fe-992e-9445ec10e840",
]
+ included_users = [
+ "All",
]
}
}
+ grant_controls {
+ built_in_controls = [
+ "block",
]
+ operator = "OR"
}
}
# module.block_tc_user_portal_access.azuread_conditional_access_policy.this will be created
+ resource "azuread_conditional_access_policy" "this" {
+ display_name = "Conditional Access - Block TC Users Portal Access"
+ id = (known after apply)
+ object_id = (known after apply)
+ state = "enabled"
+ conditions {
+ client_app_types = [
+ "all",
]
+ insider_risk_levels = (known after apply)
+ applications {
+ excluded_applications = []
+ included_applications = [
+ "797f4846-ba00-4fd7-ba43-dac1f8f63013",
]
}
+ locations {
+ excluded_locations = []
+ included_locations = [
+ "All",
]
}
+ platforms {
+ excluded_platforms = []
+ included_platforms = [
+ "all",
]
}
+ users {
+ excluded_groups = []
+ included_users = []
}
}
+ grant_controls {
+ built_in_controls = [
+ "block",
]
+ operator = "OR"
}
}
# module.valentine_api_key.azurerm_cognitive_account.openai will be updated in-place
~ resource "azurerm_cognitive_account" "openai" {
id = "/subscriptions/204b7832-86f3-4792-8e35-860862258324/resourceGroups/ctchvym-valentine/providers/Microsoft.CognitiveServices/accounts/valentine-ctchvym"
name = "valentine-ctchvym"
~ tags = {
- "division" = "DC" -> null
}
# (19 unchanged attributes hidden)
}
Plan: 7 to add, 2 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
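Review bot: The enabled block policy "Conditional Access - Block TC Users Portal Access" is planned with `included_users = []` and `excluded_groups = []`, so either the apply is rejected (a conditional access policy needs at least one user or group in scope) or it is created with nobody in scope and blocks nothing; the module should refuse an empty user scope, or this instance should start as `state = "enabledForReportingButNotEnforced"` until the target group is wired in. The other three block policies also go straight to `state = "enabled"` against All users and All apps with a single excluded group (presumably break-glass) between a geo, platform or client-app misclassification and a tenant-wide lockout, and platform detection is user-agent based, so the Non-MacOS policy (which also lets `linux` through despite its name) is hygiene rather than a boundary; a report-only soak for each policy is the usual safeguard. `azuread_named_location.esdc_ips` flags all of `198.103.0.0/16` as `trusted = true`, which additionally suppresses risk-based evaluation for every sign-in from that range, and a "United States" named location is created alongside it — if it lands in the `excluded_locations` that are still known after apply, "Block Out of Canada" will admit US sign-ins and should be named accordingly. Note too that `block_non_browser` excludes application `797f4846-ba00-4fd7-ba43-dac1f8f63013` (which looks like the Microsoft Azure Management API), so CLI/PowerShell access to ARM stays open to everyone outside the three excluded groups — reasonable for operators, but it is exactly the application the empty-scoped TC portal policy was meant to cover. Finally, the two `azurerm_cognitive_account` updates only drop the `division = "DC"` tag and are unrelated to this module; they look like drift or a tag-variable change and belong in their own PR so this apply stays scoped to identity changes.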
Conftest results: WARN - plan.json - main - Missing Common Tags: ["module.ai_answers_api_key.azurerm_cognitive_account.openai"]
WARN - plan.json - main - Missing Common Tags: ["module.ai_answers_api_key.azurerm_resource_group.rg"]
WARN - plan.json - main - Missing Common Tags: ["module.saas_app_service_principal.azuread_application.sp_app[0]"]
WARN - plan.json - main - Missing Common Tags: ["module.saas_app_service_principal.azuread_service_principal.sp[0]"]
WARN - plan.json - main - Missing Common Tags: ["module.valentine_api_key.azurerm_cognitive_account.openai"]
WARN - plan.json - main - Missing Common Tags: ["module.valentine_api_key.azurerm_resource_group.rg"]
25 tests, 19 passed, 6 warnings, 0 failures, 0 exceptions
wanpengyang
approved these changes
Mar 4, 2025
👍
Summary | Résumé
Creates a conditional access module that can be used to create conditional access policies in our landing zone. Once those resources exist here, we can move the existing policies out of the Sentinel repo, where they should not live (they were created before the landing zone existed).