feat: extend powerplatform_enterprise_policy to include identity policy type and related resources

[mawasile]

This pull request introduces support for the "Identity" enterprise policy type in the Power Platform Terraform provider, along with example usage and related infrastructure updates. The changes span provider schema updates, new example modules, and enhancements to internal data structures. The most important changes are summarized below.

Support for Identity Enterprise Policy Type

• Added IDENTITY_POLICY_TYPE constant and integrated it into the provider schema, allowing "Identity" as a valid policy_type for enterprise policies. This includes updating documentation, validation, and plan modifiers to support the new type. [1] [2]
• Updated the resource read logic to handle the "Identity" policy type, ensuring the correct system_id is set when reading Identity policies.

Example Usage and Module Enhancements

• Introduced a new example module identity in examples/resources/powerplatform_enterprise_policy/identity/main.tf to demonstrate provisioning of the Identity enterprise policy, including required variables, Azure resources, and outputs.
• Integrated the new identity module into the main example composition (resource.tf), ensuring proper execution order between identity, network injection, and encryption policy modules using depends_on. [1] [2] [3]

Provider and Data Structure Updates

• Updated internal DTOs and models to include the new Identity property for enterprise policies, ensuring the provider can serialize and deserialize Identity policy data. [1] [2]

Provider Version and Documentation Improvements

• Aligned provider version requirements in all relevant example main.tf files for consistency and clarity. [1] [2]
• Added documentation in .terraformrc on how to include additional local binaries and configure the CLI config file.

[Copilot]

Pull request overview

This PR extends the Power Platform Terraform provider to support the "Identity" enterprise policy type, enabling users to configure identity-based enterprise policies for Power Platform environments. The changes introduce the new policy type alongside existing NetworkInjection and Encryption policies, with supporting examples and infrastructure updates.

Key Changes:

• Added Identity policy type constant and integrated it into validation, schema, and read operations for enterprise policy resources
• Introduced a complete example module demonstrating Identity policy provisioning with Azure resources
• Aligned provider version requirements across example modules for consistency

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
internal/services/enterprise_policy/dto.go	Adds IDENTITY_POLICY_TYPE constant to define the new policy type
internal/services/enterprise_policy/resource_enterprise_policy.go	Updates schema validation, documentation, and Read operation to support Identity policy type
internal/services/environment/dto.go	Extends DTO structure to include Identity field in enterprise policies
internal/services/environment/models.go	Adds conversion logic to map Identity policy from DTO to Terraform state model
examples/resources/powerplatform_enterprise_policy/identity/main.tf	New example module showing complete Identity policy setup with Azure resources
examples/resources/powerplatform_enterprise_policy/resource.tf	Integrates Identity module with execution ordering via depends_on
examples/resources/powerplatform_enterprise_policy/network_injection/main.tf	Aligns provider version constraints with other modules
examples/resources/powerplatform_enterprise_policy/encryption/main.tf	Aligns provider version constraints and fixes naming consistency
.terraformrc	Adds documentation for configuring additional local provider binaries

Comments suppressed due to low confidence (1)

internal/services/environment/models.go:444

• This logic has a critical bug: each enterprise policy type check overwrites the model.EnterprisePolicies value instead of appending to it. When multiple enterprise policies are attached to an environment (which is the intended use case based on the example that adds both identity, network injection, and encryption policies), only the last policy type evaluated will be retained in the state.

The code should collect all present policies into a slice and then create the SetValueMust once with all policies, similar to how other list attributes are handled in Terraform. For example:

1. Create an empty slice to collect policies
2. Check each policy type (Identity, Vnets, CustomerManagedKeys) and append to the slice if present
3. Create the SetValueMust once at the end with all collected policies

		if environmentDto.Properties.EnterprisePolicies.Identity != nil {
			model.EnterprisePolicies = types.SetValueMust(enterprisePolicyAttrType, []attr.Value{
				types.ObjectValueMust(
					map[string]attr.Type{
						"type":      types.StringType,
						"id":        types.StringType,
						"location":  types.StringType,
						"system_id": types.StringType,
						"status":    types.StringType,
					},
					map[string]attr.Value{
						"type":      types.StringValue("Identity"),
						"id":        types.StringValue(environmentDto.Properties.EnterprisePolicies.Identity.Id),
						"location":  types.StringValue(environmentDto.Properties.EnterprisePolicies.Identity.Location),
						"system_id": types.StringValue(environmentDto.Properties.EnterprisePolicies.Identity.SystemId),
						"status":    types.StringValue(environmentDto.Properties.EnterprisePolicies.Identity.LinkStatus),
					},
				),
			})
		}
		if environmentDto.Properties.EnterprisePolicies.Vnets != nil {
			model.EnterprisePolicies = types.SetValueMust(enterprisePolicyAttrType, []attr.Value{
				types.ObjectValueMust(
					map[string]attr.Type{
						"type":      types.StringType,
						"id":        types.StringType,
						"location":  types.StringType,
						"system_id": types.StringType,
						"status":    types.StringType,
					},
					map[string]attr.Value{
						"type":      types.StringValue("NetworkInjection"),
						"id":        types.StringValue(environmentDto.Properties.EnterprisePolicies.Vnets.Id),
						"location":  types.StringValue(environmentDto.Properties.EnterprisePolicies.Vnets.Location),
						"system_id": types.StringValue(environmentDto.Properties.EnterprisePolicies.Vnets.SystemId),
						"status":    types.StringValue(environmentDto.Properties.EnterprisePolicies.Vnets.LinkStatus),
					},
				),
			})
		}
		if environmentDto.Properties.EnterprisePolicies.CustomerManagedKeys != nil {
			model.EnterprisePolicies = types.SetValueMust(enterprisePolicyAttrType, []attr.Value{
				types.ObjectValueMust(
					map[string]attr.Type{
						"type":      types.StringType,
						"id":        types.StringType,
						"location":  types.StringType,
						"system_id": types.StringType,
						"status":    types.StringType,
					},
					map[string]attr.Value{
						"type":      types.StringValue("Encryption"),
						"id":        types.StringValue(environmentDto.Properties.EnterprisePolicies.CustomerManagedKeys.Id),
						"location":  types.StringValue(environmentDto.Properties.EnterprisePolicies.CustomerManagedKeys.Location),
						"system_id": types.StringValue(environmentDto.Properties.EnterprisePolicies.CustomerManagedKeys.SystemId),
						"status":    types.StringValue(environmentDto.Properties.EnterprisePolicies.CustomerManagedKeys.LinkStatus),
					},
				),
			})
		}

[polatengin]

Approved with comments 👍

• Could you add unit tests for the Identity policy type? The existing test in resource_enterprise_policy_test.go only covers NetworkInjection

• I also noticed that convertEnterprisePolicyModelFromDto overwrites EnterprisePolicies rather than adding them to existing ones. If the environment already has enterprise policies they'll be overwritten. What you think?