
bug: changing order of resource_access in azuread_application destroys and recreates all resource_access #1182

Open
hegerdes opened this issue Sep 6, 2023 · 1 comment


hegerdes commented Sep 6, 2023

Terraform (and AzureAD Provider) Version

Terraform v1.5.6
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v2.41.0
  • provider registry.terraform.io/hashicorp/azurerm v3.69.0
  • provider registry.terraform.io/hashicorp/local v2.4.0
  • provider registry.terraform.io/hashicorp/null v3.2.1
  • provider registry.terraform.io/hashicorp/random v3.5.1

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

data "azuread_client_config" "current" {}

resource "azuread_application" "default" {
  display_name     = var.aad_app_name
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMyOrg"

  api {
    mapped_claims_enabled          = true
    requested_access_token_version = 2
  }

  # Some IDs: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "a154be20-db9c-4678-8ab7-66f6cc099a59" # User.Read.All
      type = "Scope"
    }
    resource_access {
      id   = "5f8c59db-677d-491f-a6b8-5f174b11ec1d" # Group.Read.All or GroupMember.Read.All
      type = "Scope"
    }
    resource_access {
      id   = "bc024368-1153-4739-b217-4326f2e966d0" # Group.Read.All or GroupMember.Read.All
      type = "Scope"
    }
  }
}

Debug Output

Logs
Terraform will perform the following actions:

  # azuread_application.default will be updated in-place
  ~ resource "azuread_application" "default" {
        id                             = "2341de89-144e-47a6-8ca0-a7dfaae50d71"
        tags                           = []
        # (15 unchanged attributes hidden)

      - required_resource_access {
          - resource_app_id = "00000003-0000-0000-c000-000000000000" -> null

          - resource_access {
              - id   = "a154be20-db9c-4678-8ab7-66f6cc099a59" -> null
              - type = "Scope" -> null
            }
          - resource_access {
              - id   = "5f8c59db-677d-491f-a6b8-5f174b11ec1d" -> null
              - type = "Scope" -> null
            }
          - resource_access {
              - id   = "bc024368-1153-4739-b217-4326f2e966d0" -> null
              - type = "Scope" -> null
            }
        }
      + required_resource_access {
          + resource_app_id = "00000003-0000-0000-c000-000000000000"

          + resource_access {
              + id   = "a154be20-db9c-4678-8ab7-66f6cc099a59"
              + type = "Scope"
            }
          + resource_access {
              + id   = "bc024368-1153-4739-b217-4326f2e966d0"
              + type = "Scope"
            }
          + resource_access {
              + id   = "5f8c59db-677d-491f-a6b8-5f174b11ec1d"
              + type = "Scope"
            }
        }

        # (6 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Panic Output

None

Expected Behavior

Changing the order of resource_access in required_resource_access should not destroy and recreate the required_resource_access field.

Actual Behavior

Changing the order of resource_access in required_resource_access destroys and recreates the required_resource_access field, resulting in lost admin grants. Since admin grants cannot be done in Terraform (as far as I know), this could destroy the functionality of the App registration.

Update: Thank you @manicminer for pointing out that admin grants can be done with Terraform using azuread_app_role_assignment or service_principal_delegated_permission_grant. Unfortunately, users need admin permissions to grant them, but do not need admin permissions to create/delete resource_access. So using the above resources can be a workaround if the needed permissions are granted. Otherwise, just make sure not to change the order of resource_access for now.

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. Change the order of the resource_access in required_resource_access
  4. terraform apply

Important Factoids

References
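A pre-apply check for the failure mode described above, added here as an example (not code from the issue or the AzureAD provider): it reads a `terraform show -json` plan document (its layout is assumed from Terraform's JSON plan format) and flags azuread_application updates whose required_resource_access diff is only a reordering of the same permissions, since that is exactly the change that still recreates the block and drops admin consent. The sample plan is constructed to mirror the diff in the issue.

```python
import json

GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph app id (from the issue)

def normalize(blocks):
    """Order-insensitive view: {resource_app_id: frozenset of (id, type)}."""
    return {
        b["resource_app_id"]: frozenset((ra["id"], ra["type"]) for ra in b.get("resource_access", []))
        for b in blocks
    }

def classify_change(before, after):
    """'none' if identical, 'reorder_only' if the same permissions in a different
    order (the case that still wipes admin consent), else 'real'."""
    if before == after:
        return "none"
    if normalize(before) == normalize(after):
        return "reorder_only"
    return "real"

def check_plan(plan):
    """Return {address: classification} for every azuread_application update in a
    `terraform show -json` plan (resource_changes/change/before/after layout assumed)."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azuread_application" or "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("required_resource_access") or []
        after = (change.get("after") or {}).get("required_resource_access") or []
        findings[rc["address"]] = classify_change(before, after)
    return findings

def scopes(*ids):
    return [{"id": i, "type": "Scope"} for i in ids]

# Constructed sample plan mirroring the issue: three Graph scopes, the last two swapped.
A, B, C = ("a154be20-db9c-4678-8ab7-66f6cc099a59",
           "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
           "bc024368-1153-4739-b217-4326f2e966d0")
SAMPLE_PLAN = {"resource_changes": [{
    "address": "azuread_application.default", "type": "azuread_application",
    "change": {"actions": ["update"],
               "before": {"required_resource_access": [{"resource_app_id": GRAPH, "resource_access": scopes(A, B, C)}]},
               "after":  {"required_resource_access": [{"resource_app_id": GRAPH, "resource_access": scopes(A, C, B)}]}},
}]}

if __name__ == "__main__":
    print(json.dumps(check_plan(SAMPLE_PLAN), indent=2))  # azuread_application.default: reorder_only
```

A "reorder_only" finding is the signal to either revert the ordering or make sure the consent grants are also managed in Terraform before applying.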

manicminer (Contributor) commented:

Thanks for reporting @hegerdes.

Just wanted to note that you can perform admin grants with Terraform, using the azuread_app_role_assignment resource (for roles) and the azuread_service_principal_delegated_permission_grant resource (for scopes) - which should help you achieve service continuity until this is resolved.
