Add claims_matching_expression

Author: alexwilcox9

docs/resources/application_federated_identity_credential.md

@@ -39,10 +39,13 @@ The following arguments are supported:
 
 * `application_id` - (Required) The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
 * `audiences` - (Required) List of audiences that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
+* `claims_matching_expression` - (Optional) The expression that subjects will be matched against.
 * `description` - (Optional) A description for the federated identity credential.
 * `display_name` - (Required) A unique display name for the federated identity credential. Changing this forces a new resource to be created.
 * `issuer` - (Required) The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
-* `subject` - (Required) The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
+* `subject` - (Optional) The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
+
+-> At least one of `subject` or `claims_matching_expression` must be specified.
 
 ## Attributes Reference
 

internal/services/applications/application_federated_identity_credential_resource.go

@@ -78,9 +78,17 @@ func applicationFederatedIdentityCredentialResource() *pluginsdk.Resource {
 			},
 
 			"subject": {
-				Description: "The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.",
-				Type:        pluginsdk.TypeString,
-				Required:    true,
+				Description:  "The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.",
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ExactlyOneOf: []string{"subject", "claims_matching_expression"},
+			},
+
+			"claims_matching_expression": {
+				Description:  "The expression that subjects will be matched against.",
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ExactlyOneOf: []string{"subject", "claims_matching_expression"},
 			},
 
 			"description": {
@@ -128,6 +136,13 @@ func applicationFederatedIdentityCredentialResourceCreate(ctx context.Context, d
 		Subject:     nullable.Value(d.Get("subject").(string)),
 	}
 
+	if v, ok := d.GetOk("claims_matching_expression"); ok {
+		credential.ClaimsMatchingExpression = pointer.To(beta.FederatedIdentityExpression{
+			LanguageVersion: 1,
+			Value:           v.(string),
+		})
+	}
+
 	federatedIdentityCredentialResp, err := federatedIdentityCredentialClient.CreateFederatedIdentityCredential(ctx, *applicationId, credential, federatedidentitycredential.DefaultCreateFederatedIdentityCredentialOperationOptions())
 	if err != nil {
 		return tf.ErrorDiagF(err, "Adding federated identity credential for %s", applicationId)
@@ -203,6 +218,13 @@ func applicationFederatedIdentityCredentialResourceUpdate(ctx context.Context, d
 		Name: d.Get("display_name").(string),
 	}
 
+	if v, ok := d.GetOk("claims_matching_expression"); ok {
+		credential.ClaimsMatchingExpression = pointer.To(beta.FederatedIdentityExpression{
+			LanguageVersion: 1,
+			Value:           v.(string),
+		})
+	}
+
 	credentialId := beta.NewApplicationIdFederatedIdentityCredentialID(id.ObjectId, id.KeyId)
 
 	if _, err = federatedIdentityCredentialClient.UpdateFederatedIdentityCredential(ctx, credentialId, credential, federatedidentitycredential.DefaultUpdateFederatedIdentityCredentialOperationOptions()); err != nil {
@@ -245,7 +267,11 @@ func applicationFederatedIdentityCredentialResourceRead(ctx context.Context, d *
 	tf.Set(d, "description", credential.Description.GetOrZero())
 	tf.Set(d, "display_name", credential.Name)
 	tf.Set(d, "issuer", credential.Issuer)
-	tf.Set(d, "subject", credential.Subject)
+	tf.Set(d, "subject", credential.Subject.GetOrZero())
+
+	if credential.ClaimsMatchingExpression != nil {
+		tf.Set(d, "claims_matching_expression", credential.ClaimsMatchingExpression.Value)
+	}
 
 	return nil
 }

internal/services/applications/application_federated_identity_credential_resource_test.go

@@ -53,6 +53,22 @@ func TestAccApplicationFederatedIdentityCredential_complete(t *testing.T) {
 	})
 }
 
+func TestAccApplicationFederatedIdentityCredential_flexible(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_application_federated_identity_credential", "test")
+	r := ApplicationFederatedIdentityCredentialResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.flexible(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("credential_id").Exists(),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccApplicationFederatedIdentityCredential_update(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azuread_application_federated_identity_credential", "test")
 	r := ApplicationFederatedIdentityCredentialResource{}
@@ -142,3 +158,18 @@ resource "azuread_application_federated_identity_credential" "test" {
 }
 `, r.template(data), data.RandomString, data.UUID())
 }
+
+func (r ApplicationFederatedIdentityCredentialResource) flexible(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azuread_application_federated_identity_credential" "test" {
+  application_id             = azuread_application.test.id
+  display_name               = "hashitown.example.com-%[2]s"
+  description                = "Funtime tokens for HashiTown"
+  audiences                  = ["api://AzureADTokenExchange"]
+  issuer                     = "https://token.actions.githubusercontent.com"
+  claims_matching_expression = "claims['sub'] matches 'repo:contoso/contoso-repo:ref:refs/heads/*'"
+}
+`, r.template(data), data.RandomString)
+}