
Make access_type required and support application roles and SharePoint URLs#1782

Open
jsfr wants to merge 2 commits into hashicorp:main from jsfr:jens/access-package-app-role-support

Conversation


@jsfr jsfr commented Oct 16, 2025

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

This PR makes the access_type argument required for the azuread_access_package_resource_package_association resource and extends its validation to support application role UUIDs and SharePoint URLs in addition to the existing Member and Owner values for Azure AD groups.

The change enables users to grant access to application roles (by specifying a role UUID) and SharePoint Online sites (by specifying a URL) through access packages, not just group memberships.

This is the second try at this PR. The previous attempt was in #1627.

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevant documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
  • (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Added these new test cases:

  • TestAccAccessPackageResourcePackageAssociation_completeWithGroup - validates group membership assignment
  • TestAccAccessPackageResourcePackageAssociation_completeWithGroupOwner - validates group owner assignment
  • TestAccAccessPackageResourcePackageAssociation_completeWithApplication - validates application role assignment with UUID
  • TestAccAccessPackageResourcePackageAssociation_invalidAccessType - validates error handling for invalid access types

I've run all unit tests, but not acceptance tests, as those require creating real resources. I have, however, used the provider locally in a regular setup to create access packages as expected.

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

  • azuread_access_package_resource_package_association - the access_type property is now required and supports application role UUIDs and SharePoint URLs in addition to Member and Owner values

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

Fixes #1066

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the provider.

Changes to Security Controls

This change extends the access control capabilities by enabling application role assignments and SharePoint site access through access packages. No changes to encryption or logging.

Note

If this PR changes meaningfully during the course of review please update the title and description as required.
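The description above gives the rule the provider should enforce at plan time: for an `AadGroup` resource `access_type` is `Member` or `Owner`, for `AadApplication` it is an app role UUID, and for `SharePointOnline` it is a site URL. The following is an added, stand-alone Go example written for this page, not code from the PR or from the provider. It assumes the "Optional with Default `Member`" shape the thread converges on, that unrecognised origin systems are passed through unvalidated (the backward-compatibility concern raised in review), and that a SharePoint URL must be `https` with a non-empty host; that last restriction is stricter than "must be a URL" and is this example's choice. `EffectiveAccessType` is the function a `CustomizeDiff` hook would call with the planned `resource_origin_system` and `access_type` values.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// appRoleIDPattern is the canonical 8-4-4-4-12 hex form of an app role id.
var appRoleIDPattern = regexp.MustCompile(
	`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// defaultAccessType is applied when access_type is omitted, matching the
// "Optional with Default Member" behaviour discussed in the PR thread.
const defaultAccessType = "Member"

// ValidateAccessType checks access_type against the origin system of the
// catalog resource the package association points at. The three known
// origin systems get the rules from the PR description; anything else is
// passed through unvalidated so existing configs keep working (that
// pass-through is an assumption of this example).
func ValidateAccessType(originSystem, accessType string) error {
	switch originSystem {
	case "AadGroup":
		if accessType != "Member" && accessType != "Owner" {
			return fmt.Errorf("access_type for AadGroup must be Member or Owner, got %q", accessType)
		}
	case "AadApplication":
		if !appRoleIDPattern.MatchString(accessType) {
			return fmt.Errorf("access_type for AadApplication must be an app role UUID, got %q", accessType)
		}
	case "SharePointOnline":
		// Requiring an https scheme and a non-empty host is stricter than
		// "must be a URL" and is an assumption of this example.
		u, err := url.Parse(accessType)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return fmt.Errorf("access_type for SharePointOnline must be an https site URL, got %q", accessType)
		}
	}
	return nil
}

// EffectiveAccessType applies the default for an omitted access_type and
// then validates the result; this is the shape a CustomizeDiff hook would
// call with the planned values of resource_origin_system and access_type.
func EffectiveAccessType(originSystem, accessType string) (string, error) {
	if accessType == "" {
		accessType = defaultAccessType
	}
	if err := ValidateAccessType(originSystem, accessType); err != nil {
		return "", err
	}
	return accessType, nil
}

func main() {
	// Constructed sample inputs; the UUID and the site URL are placeholders.
	cases := []struct{ origin, access string }{
		{"AadGroup", ""},
		{"AadGroup", "Owner"},
		{"AadGroup", "Admin"},
		{"AadApplication", "11111111-2222-3333-4444-555555555555"},
		{"AadApplication", ""},
		{"SharePointOnline", "https://contoso.sharepoint.com/sites/finance"},
		{"SharePointOnline", "Member"},
		{"SomeFutureSystem", "anything"},
	}
	for _, c := range cases {
		got, err := EffectiveAccessType(c.origin, c.access)
		if err != nil {
			fmt.Printf("%-17s %-45q -> rejected: %v\n", c.origin, c.access, err)
			continue
		}
		fmt.Printf("%-17s %-45q -> accepted as %q\n", c.origin, c.access, got)
	}
}
```

One consequence worth noticing: with a default of `Member`, omitting `access_type` on an `AadApplication` or `SharePointOnline` resource is rejected at plan time, which is exactly the plan-time error the `CustomizeDiff` approach is meant to surface without making the argument `Required`.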


Stinjul commented Oct 21, 2025

Hi, would it make sense to include a fix for #1776 in this pr as well since it's closely related to this?

(Also really hope it gets merged this time)

@jackofallops jackofallops (Member) left a comment

Hi @jsfr - Thanks for this PR. Unfortunately marking an Optional property as Required is a breaking change for configs, so we can't accept this in the current implementation. If you can take a look at validating the appropriate values in a CustomizeDiff on the resource instead, we can remove the breaking change flag, and still provide users with plan-time validation. There's a few other comments to take a look at too.

Thanks!

Description: "The role of access type to the specified resource - for `AadGroup` valid values are `Member` and `Owner`, for `AadApplication` it must be a UUID and for `SharePointOnline` it must be a URL",
Type: pluginsdk.TypeString,
Optional: true,
Required: true,
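Review bot: replacing `Optional: true` with `Required: true` and no `Default` means every existing config that omits `access_type` fails at plan, even though the behaviour for those configs is unchanged. Keep `Optional: true`, add `Default: "Member"`, and move the per-origin-system rules from the Description string (Member/Owner for `AadGroup`, a UUID for `AadApplication`, a URL for `SharePointOnline`) into a CustomizeDiff so the plan-time check survives without the breaking change.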

Unfortunately, changing from Optional to Required is a breaking change (users not already specifying this value will encounter errors in plan/apply).

Instead, this will need to be implemented using a CustomizeDiff to guard against the incorrect values being specified.

Comment on lines +104 to +106
case "AadGroup":
originId = fmt.Sprintf("%s_%s", accessType, catalogResourceAssociationId.OriginId)
displayName = accessType
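Review bot: giving `AadGroup` its own named case (`originId = fmt.Sprintf("%s_%s", accessType, catalogResourceAssociationId.OriginId)`, `displayName = accessType`) only preserves today's behaviour for resources whose origin system is spelled exactly `AadGroup`; because `resource_origin_system` on `azuread_access_package_resource_catalog_association` is passed through unvalidated, any other value now falls into whatever the default branch does. Keep the existing `%s_%s` construction as the `default` case and give the new `AadApplication` and `SharePointOnline` origin systems the named cases instead.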

To provide correct backward compatibility, this should be the default: - This is due to the resource currently not handling validation on the value of resource. OriginSystem and passing it straight through. If this is actually manifesting as an error/issue, we can revisit. Specifically, since we don't validate/restrict input on the azuread_access_package_resource_catalog_association.resource_origin_system value, this is likely to cause some users issues.

Comment on lines +75 to +85
func TestAccAccessPackageResourcePackageAssociation_invalidAccessType(t *testing.T) {
data := acceptance.BuildTestData(t, "azuread_access_package_resource_package_association", "test")
r := AccessPackageResourcePackageAssociationResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.invalidAccessType(data),
ExpectError: regexp.MustCompile(`expected access_type to be one of \[Member Owner\]`),
},
})
}
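Review bot: the `ExpectError` regex `expected access_type to be one of \[Member Owner\]` encodes the old Member/Owner-only check, while this PR deliberately accepts UUIDs and URLs for other origin systems, so the test only holds if `invalidAccessType` pairs the bad value with an `AadGroup` resource and the error text stays byte-for-byte as before. Either assert on the origin-system-specific message the new validation emits or drop the test, as the maintainer suggests.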

As noted above, raising this error is likely to cause issues and/or breaking changes for some users.

Suggested change
func TestAccAccessPackageResourcePackageAssociation_invalidAccessType(t *testing.T) {
data := acceptance.BuildTestData(t, "azuread_access_package_resource_package_association", "test")
r := AccessPackageResourcePackageAssociationResource{}
data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.invalidAccessType(data),
ExpectError: regexp.MustCompile(`expected access_type to be one of \[Member Owner\]`),
},
})
}

}

func (AccessPackageResourcePackageAssociationResource) complete(data acceptance.TestData) string {
func (AccessPackageResourcePackageAssociationResource) completeWithGroup(data acceptance.TestData) string {

Can we leave this test name intact, and name the others withAccessTypeOwner etc?

jsfr added 2 commits February 8, 2026 19:52
- Revert access_type from Required to Optional with Default "Member"
- Add CustomizeDiff for access_type validation
- Make SharePointOnline the default case for backward compatibility
- Restore createMsg template variable for error messages
- Remove invalidAccessType test
- Rename test functions per reviewer request
@jsfr jsfr force-pushed the jens/access-package-app-role-support branch from f7d91dd to dae0ed8 on February 8, 2026 18:52
@jsfr jsfr (Author) commented Feb 8, 2026

@jackofallops I've tried to address your comments now; please let me know if this suffices. Sorry about the long wait here, but this ended up on the back burner for me.

@jsfr jsfr requested a review from jackofallops February 8, 2026 19:08


Development

Successfully merging this pull request may close these issues.

azuread_access_package_resource_package_association only supports groups

3 participants