fix: bug fixes for conditional access policies and fixes for crud per…

…missions (#267)

* fix: update error handling to use WritePermissions in delete and update operations

* fix: return correct api permission requirements if required scopes are missing in the token.

* fix: implement retry logic for resource creation and update operations

* fix: update import commands and modify conditional access policy settings

* feat: add template for Microsoft 365 Graph Beta Identity and Access Conditional Access Policy

* docs: update documentation for Microsoft 365 Graph Beta resources and add example usage for conditional access policy

* chore: update go documentation, provider documentation and format terraform files

Signed-off-by: GitHub Actions Bot <github-actions[bot]@users.noreply.github.com>

* fix: update generate-docs workflow to use the correct examples directory path

* chore: update go documentation, provider documentation and format terraform files

Signed-off-by: GitHub Actions Bot <github-actions[bot]@users.noreply.github.com>

* feat: add workflow dispatch input for release version in provider release workflow

---------

Signed-off-by: GitHub Actions Bot <github-actions[bot]@users.noreply.github.com>
Co-authored-by: GitHub Actions Bot <github-actions[bot]@users.noreply.github.com>

.github/workflows/generate-docs.yml

@@ -45,7 +45,8 @@ jobs:
     - name: Generate tf docs
       run: |
         go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs
-        tfplugindocs generate --examples-dir examples
+        cd $GITHUB_WORKSPACE
+        tfplugindocs generate --examples-dir $GITHUB_WORKSPACE/examples
 
     - name: Check for changes in generated Go docs and formatted Terraform files
       id: go-gen-check

.github/workflows/provider-release.yml

@@ -4,6 +4,12 @@ on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'TF Provider Release version to publish'
+        required: true
+        default: 'v0.0.0'
 
 permissions:
   contents: write

docs/index.md

@@ -213,7 +213,7 @@ terraform {
   required_providers {
     microsoft365 = {
       source  = "deploymenttheory/terraform-provider-microsoft365"
-      version = "~> 1.0.0"  
+      version = "~> 1.0.0"
     }
   }
 }
@@ -227,16 +227,16 @@ provider "microsoft365" {
   debug_mode       = var.debug_mode
 
   entra_id_options = {
-    client_id                     = var.client_id
-    client_secret                 = var.client_secret
-    client_certificate            = var.client_certificate
-    client_certificate_password   = var.client_certificate_password
-    send_certificate_chain        = var.send_certificate_chain
-    username                      = var.username
-    password                      = var.password
-    disable_instance_discovery    = var.disable_instance_discovery
-    additionally_allowed_tenants  = var.additionally_allowed_tenants
-    redirect_url                  = var.redirect_url
+    client_id                    = var.client_id
+    client_secret                = var.client_secret
+    client_certificate           = var.client_certificate
+    client_certificate_password  = var.client_certificate_password
+    send_certificate_chain       = var.send_certificate_chain
+    username                     = var.username
+    password                     = var.password
+    disable_instance_discovery   = var.disable_instance_discovery
+    additionally_allowed_tenants = var.additionally_allowed_tenants
+    redirect_url                 = var.redirect_url
   }
 
   client_options = {

docs/resources/graph_beta_device_and_app_management_macos_platform_script.md

@@ -115,6 +115,6 @@ Import is supported using the following syntax:
 ```shell
 # Using the provider-default project ID, the import ID is:
 # {resource_id}
-terraform terraform import microsoft365_graph_beta_device_and_app_management_device_shell_script.example device-shell-script-id
+terraform import microsoft365_graph_beta_device_and_app_management_device_shell_script.example device-shell-script-id
 ```
 

docs/resources/graph_beta_device_and_app_management_settings_catalog.md

@@ -494,6 +494,6 @@ Import is supported using the following syntax:
 ```shell
 # Using the provider-default project ID, the import ID is:
 # {resource_id}
-terraform terraform import microsoft365_graph_beta_device_and_app_management_settings_catalog.example settings-catalog-id
+terraform import microsoft365_graph_beta_device_and_app_management_settings_catalog.example settings-catalog-id
 ```
 

docs/resources/graph_beta_device_and_app_management_windows_platform_script.md

@@ -106,6 +106,6 @@ Import is supported using the following syntax:
 ```shell
 # Using the provider-default project ID, the import ID is:
 # {resource_id}
-terraform terraform import microsoft365_graph_beta_device_and_app_management_device_management_script.example device-management-script-id
+terraform import microsoft365_graph_beta_device_and_app_management_device_management_script.example device-management-script-id
 ```
 

docs/resources/graph_beta_identity_and_access_conditional_access_policy.md

@@ -1,7 +1,6 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "microsoft365_graph_beta_identity_and_access_conditional_access_policy Resource - terraform-provider-microsoft365"
-subcategory: ""
+subcategory: "Identity & Access: Conditional Access Policy"
 description: |-
   
 ---
@@ -10,7 +9,110 @@ description: |-
 
 
 
-
+## Example Usage
+
+```terraform
+resource "microsoft365_graph_beta_identity_and_access_conditional_access_policy" "example_policy" {
+  display_name = "test"
+  state        = "disabled"
+
+  conditions = {
+    applications = {
+      include_applications = ["All"]
+      exclude_applications = []
+      include_user_actions = []
+      application_filter   = null
+    }
+
+    users = {
+      include_users  = ["All"]
+      exclude_users  = ["11111111-1111-1111-1111-111111111111"]
+      include_groups = []
+      exclude_groups = ["11111111-1111-1111-1111-111111111111"]
+      exclude_roles = [
+        "11111111-1111-1111-1111-111111111111",
+        "11111111-1111-1111-1111-111111111111"
+      ]
+      exclude_guests_or_external_users = {
+        guest_or_external_user_types = ["b2bCollaborationGuest", "b2bCollaborationMember"]
+        external_tenants = {
+          membership_kind = "all"
+        }
+      }
+    }
+
+    platforms = {
+      include_platforms = ["iOS", "windows", "windowsPhone"]
+      exclude_platforms = []
+    }
+
+    locations = {
+      include_locations = [
+        "11111111-1111-1111-1111-111111111111",
+        "11111111-1111-1111-1111-111111111111"
+      ]
+      exclude_locations = []
+    }
+
+    client_app_types = ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"]
+
+    devices = {
+      device_filter = {
+        mode = "include"
+        rule = "device.deviceId -eq \"thing\""
+      }
+      include_devices = []
+      exclude_devices = []
+    }
+
+    user_risk_levels    = ["high"]
+    sign_in_risk_levels = ["none"]
+
+    authentication_flows = {
+      transfer_methods = ["deviceCodeFlow", "authenticationTransfer"]
+    }
+  }
+
+  grant_controls = {
+    operator          = "AND"
+    built_in_controls = ["mfa", "approvedApplication"]
+  }
+
+  session_controls = {
+    cloud_app_security = {
+      is_enabled              = true
+      cloud_app_security_type = "monitorOnly"
+    }
+
+    sign_in_frequency = {
+      is_enabled          = true
+      type                = "hours"
+      value               = 5
+      frequency_interval  = "timeBased"
+      authentication_type = "primaryAndSecondaryAuthentication"
+    }
+
+    persistent_browser = {
+      is_enabled = true
+      mode       = "always"
+    }
+
+    continuous_access_evaluation = {
+      mode = "strictLocation"
+    }
+
+    disable_resilience_defaults = true
+  }
+
+  # Optional: Define custom timeouts
+  timeouts = {
+    create = "30m"
+    read   = "10m"
+    update = "30m"
+    delete = "30m"
+  }
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
@@ -96,7 +198,7 @@ Optional:
 
 Required:
 
-- `guest_or_external_user_types` (String) Indicates internal guests or external user types. Possible values are: none, internalGuest, b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, otherExternalUser, serviceProvider, unknownFutureValue.
+- `guest_or_external_user_types` (List of String) Indicates internal guests or external user types. Possible values are: none, internalGuest, b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, otherExternalUser, serviceProvider, unknownFutureValue.
 
 Optional:
 
@@ -116,7 +218,7 @@ Required:
 
 Required:
 
-- `guest_or_external_user_types` (String) Indicates internal guests or external user types. Possible values are: none, internalGuest, b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, otherExternalUser, serviceProvider, unknownFutureValue.
+- `guest_or_external_user_types` (List of String) Indicates internal guests or external user types. Possible values are: none, internalGuest, b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, otherExternalUser, serviceProvider, unknownFutureValue.
 
 Optional:
 
@@ -137,7 +239,7 @@ Required:
 
 Optional:
 
-- `transfer_methods` (String) Represents the transfer methods in scope for the policy. The possible values are: none, deviceCodeFlow, authenticationTransfer, unknownFutureValue.
+- `transfer_methods` (List of String) Represents the transfer methods in scope for the policy. The possible values are: none, deviceCodeFlow, authenticationTransfer, unknownFutureValue.
 
 
 <a id="nestedatt--conditions--client_applications"></a>
@@ -174,9 +276,7 @@ Optional:
 Optional:
 
 - `device_filter` (Attributes) Filter that defines the dynamic-device-syntax rule to include/exclude devices. A filter can use device properties (such as extension attributes) to include/exclude them. Cannot be set if includeDevices or excludeDevices is set. (see [below for nested schema](#nestedatt--conditions--devices--device_filter))
-- `exclude_device_states` (List of String, Deprecated) (Deprecated) States excluded from the scope of the policy. Possible values: 'Compliant', 'DomainJoined'.
 - `exclude_devices` (List of String) States excluded from the scope of the policy. Possible values: 'Compliant', 'DomainJoined'. Cannot be set if deviceFilter is set.
-- `include_device_states` (List of String, Deprecated) (Deprecated) States in the scope of the policy. 'All' is the only allowed value.
 - `include_devices` (List of String) States in the scope of the policy. 'All' is the only allowed value. Cannot be set if deviceFilter is set.
 
 <a id="nestedatt--conditions--devices--device_filter"></a>
@@ -321,3 +421,13 @@ Optional:
 - `delete` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
 - `read` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Read operations occur during any refresh or planning operation when refresh is enabled.
 - `update` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Using the provider-default project ID, the import ID is:
+# {resource_id}
+terraform import microsoft365_graph_beta_identity_and_access_conditional_access_policy.example conditional-access-policy-id
+```

examples/microsoft365_graph_beta/microsoft365_graph_beta_device_and_app_management_macos_platform_script/import.sh

@@ -1,4 +1,4 @@
 # Using the provider-default project ID, the import ID is:
 # {resource_id}
-terraform terraform import microsoft365_graph_beta_device_and_app_management_device_shell_script.example device-shell-script-id
+terraform import microsoft365_graph_beta_device_and_app_management_device_shell_script.example device-shell-script-id
 

examples/microsoft365_graph_beta/microsoft365_graph_beta_device_and_app_management_settings_catalog/import.sh

@@ -1,4 +1,4 @@
 # Using the provider-default project ID, the import ID is:
 # {resource_id}
-terraform terraform import microsoft365_graph_beta_device_and_app_management_settings_catalog.example settings-catalog-id
+terraform import microsoft365_graph_beta_device_and_app_management_settings_catalog.example settings-catalog-id
 

examples/microsoft365_graph_beta/microsoft365_graph_beta_device_and_app_management_windows_platform_script/import.sh

@@ -1,4 +1,4 @@
 # Using the provider-default project ID, the import ID is:
 # {resource_id}
-terraform terraform import microsoft365_graph_beta_device_and_app_management_device_management_script.example device-management-script-id
+terraform import microsoft365_graph_beta_device_and_app_management_device_management_script.example device-management-script-id
 

examples/microsoft365_graph_beta/microsoft365_graph_beta_identity_and_access_conditional_access_policy/import.sh

@@ -0,0 +1,4 @@
+# Using the provider-default project ID, the import ID is:
+# {resource_id}
+terraform import microsoft365_graph_beta_identity_and_access_conditional_access_policy.example conditional-access-policy-id
+