terraform-provider-azuread
azuread v2.0 error data.azuread_application with group_membership_claims
### Terraform (and AzureAD Provider) Version
```hcl
terraform {
  required_version = "~> 1.0.3"
  required_providers {
    azuread = {
      version = "~> 2"
      source  = "hashicorp/azuread"
    }
    azurerm = {
      version = "~> 2"
      source  = "hashicorp/azurerm"
    }
  }
}
```
### Affected Resource(s)
azuread_application
### Terraform Configuration Files
```hcl
resource "azuread_application" "aad_app_webapp" {
  display_name    = "APP-XXX-XXX"
  identifier_uris = [lower("https://web-XXX-XXX.azurewebsites.net")]
  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allow the application to access APP-XXX-XXX} on behalf of the signed-in user."
      admin_consent_display_name = "Access APP-XXX-XXX}"
      enabled                    = true
      id                         = ""
      type                       = "User"
      user_consent_description   = "Allow the application to access APP-XXX-XXX} on your behalf."
      user_consent_display_name  = "Access APP-XXX-XXX}"
      value                      = "user_impersonation"
    }
  }
  required_resource_access {
    resource_app_id = "XXXX"
    resource_access {
      id   = "XXXX"
      type = "Scope"
    }
  }
  app_role {
    allowed_member_types = ["Application"]
    description          = "Support applications can access support data"
    display_name         = "Support AppRole"
    id                   = "XXXX"
    enabled              = true
    value                = "SupportAppRole"
  }
}
```
### Error

### Try
Before I upgraded the provider Azure AD v1.5.0 to v2.0.1, I didn't need to add the parameter `group_membership_claims`.
So I tried to add `group_membership_claims` with each value and with `null`, but the message is still there.
In Azure, the resource doesn't have this parameter:

Hi @TerryRomeu3SR, thanks for reporting this. In v2.0 the type of the group_membership_claims attribute changed and we introduced a state migration to handle this. It's possible this may not have correctly handled the value in your statefile for this attribute.
Trying a simple example, I was not able to reproduce an error. However, I suspect your statefile may contain a legacy value or other similar difference.
In order to aid in reproducing the error and working on a fix, could you please provide:
- Whilst you are still using a v1.x version of the provider (i.e. before upgrading), the output of: `terraform state show azuread_application.aad_app_webapp`
- A full debug log containing the error, after upgrading
Thanks!
Hi. We are seeing the same issue after upgrading to the 2.0.1 version. In our state file with schema version 0 for all objects, the azuread_application objects have either `"group_membership_claims": ""` or `"group_membership_claims": "None"`.
The debug logs don't show which application it crashes on, as this is the output at the end:
azurerm_monitor_diagnostic_setting.
EDIT: After digging some more in the logs, I found this which might suggest that the migration is not done for data objects?
{"@level":"trace","@message":"readResourceInstanceState: reading state for data.azuread_application.
@knutejoh Brilliant, thanks for spotting that! You are correct, the migration is missing from data.azuread_application
Hi all,
I'm working with @TerryRomeu3SR and I'm continuing this thread with you.
We have found a workaround in this project. The reason is that in this project, we data source 2 other Azure AD applications. In state, these 2 objects were in `"group_membership_claims": ""`.
I just removed them from state with `terraform state rm data.azuread_application.xxxxxx`, then removed/imported the Azure AD app resource. I started a new refresh. Now the attribute `group_membership_claims` is not present anymore in the data source, but is still present on resources with `"group_membership_claims": []`.
Now I can still have a valid terraform plan.
Hope that it can help someone before the next fix.
Regards, Alexandre
I am seeing similar however I'm not trying to create a resource, I want to access an existing azuread_application via the data keyword. This was working in azuread v1.6.0
Terraform Cloud
Azure DevOps CI/CD pipeline (no CLI)
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=2.69.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">=2.0.0"
    }
  }
}

data "azuread_application" "ams_app_registration" {
  application_id = var.ams_app_reg_clientid
}

resource "azuread_application_password" "ams_app_client_secret" {
  application_object_id = data.azuread_application.ams_app_registration.id
  display_name          = "${var.resource_prefix}-ams"
  end_date_relative     = var.ams_api_password_lifespan
}
```
produces the following log entry:
```json
{
  "@level": "error",
  "@message": "Error: .group_membership_claims: missing expected [",
  "@module": "terraform.ui",
  "@timestamp": "2021-09-01T23:42:09.997946Z",
  "diagnostic": {
    "severity": "error",
    "summary": ".group_membership_claims: missing expected [",
    "detail": ""
  },
  "type": "diagnostic"
}
```
How do I carry out this workaround when I only have Terraform Cloud?
> remove from state with `terraform state rm data.azuread_application.xxxxxx` then remove/import the azure ad app resource.
It appears that Terraform doesn't support State Upgraders for data sources, which unfortunately means we are blocked on resolving this in the provider at this time.
The workaround by @alex-3sr should work (`terraform state rm data.azuread_application.foo`) and I have also found that if you remove (i.e. comment out) the data source in your config, Terraform will seemingly skip parsing the old state for it and not error out. You can re-add (uncomment) the data source after a `terraform refresh` or `terraform apply` and it will continue as it should have in the first instance.
Thank you; commenting out the data source, running a refresh, and reincorporating was successful for me :thumbsup:.
I've got the same problem with "data azuread_application". I can't update the release pipeline to remove and then add back that step, so instead I've been editing the state file and
replacing `"group_membership_claims": ""` with `"group_membership_claims": []`.
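A scripted form of the state edit described in the last comment, added here as an example (it is not code from the provider or from anyone in this thread). It assumes the state is obtained with `terraform state pull` and returned with `terraform state push`, which also covers the Terraform Cloud case asked about above; it only rewrites `data.azuread_application` instances, and its handling of non-empty values such as `"None"` (wrapping them in a one-element list) is an assumption.

```python
import copy
import json
import sys

# Constructed sample state (not a real statefile): two data sources carrying the
# legacy v1.x string value, plus a managed resource that the provider migrates itself.
SAMPLE_STATE = {
    "version": 4, "terraform_version": "1.0.3", "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "resources": [
        {"mode": "data", "type": "azuread_application", "name": "foo",
         "instances": [{"schema_version": 0, "attributes": {"group_membership_claims": ""}}]},
        {"mode": "data", "type": "azuread_application", "name": "bar",
         "instances": [{"schema_version": 0, "attributes": {"group_membership_claims": "None"}}]},
        {"mode": "managed", "type": "azuread_application", "name": "baz",
         "instances": [{"schema_version": 0, "attributes": {"group_membership_claims": ""}}]},
    ],
}

def migrate_claims(value):
    """Map the v1.x string form to the v2 list form: "" -> [] is what the
    thread shows; wrapping any other string (e.g. "None") in a one-element
    list is an assumption, since v2 accepts such values as list members."""
    return [] if value in (None, "") else [value]

def fix_state(state):
    """Return (patched_state, changed_count). Only data.azuread_application
    instances are rewritten, since the provider migrates managed resources."""
    patched = copy.deepcopy(state)
    changed = 0
    for res in patched.get("resources", []):
        if res.get("mode") != "data" or res.get("type") != "azuread_application":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            claims = attrs.get("group_membership_claims")
            if claims is not None and not isinstance(claims, list):
                attrs["group_membership_claims"] = migrate_claims(claims)
                changed += 1
    if changed:
        # terraform state push rejects a serial that is not newer than the remote copy
        patched["serial"] = state.get("serial", 0) + 1
    return patched, changed

if __name__ == "__main__":
    # Usage: terraform state pull | python fix_state.py > fixed.tfstate
    raw = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    patched, n = fix_state(raw)
    json.dump(patched, sys.stdout, indent=2)
```

Keep the pulled state as a backup before pushing the patched copy; `terraform state push` also checks lineage, so only push back to the workspace the state was pulled from.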