
bug: changing order of `resource_access` in `azuread_application` destroys and recreates all `resource_access`

Open hegerdes opened this issue 2 years ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.5.6 on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v2.41.0
  • provider registry.terraform.io/hashicorp/azurerm v3.69.0
  • provider registry.terraform.io/hashicorp/local v2.4.0
  • provider registry.terraform.io/hashicorp/null v3.2.1
  • provider registry.terraform.io/hashicorp/random v3.5.1

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

data "azuread_client_config" "current" {}

resource "azuread_application" "default" {
  display_name     = var.aad_app_name
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMyOrg"

  api {
    mapped_claims_enabled          = true
    requested_access_token_version = 2
  }

  # Some IDs: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "a154be20-db9c-4678-8ab7-66f6cc099a59" # User.Read.All
      type = "Scope"
    }
    resource_access {
      id   = "5f8c59db-677d-491f-a6b8-5f174b11ec1d" # Group.Read.All or GroupMember.Read.All
      type = "Scope"
    }
    resource_access {
      id   = "bc024368-1153-4739-b217-4326f2e966d0" # Group.Read.All or GroupMember.Read.All
      type = "Scope"
    }
  }
}

Debug Output

Logs
Terraform will perform the following actions:

  # azuread_application.default will be updated in-place
  ~ resource "azuread_application" "default" {
        id                             = "2341de89-144e-47a6-8ca0-a7dfaae50d71"
        tags                           = []
        # (15 unchanged attributes hidden)

      - required_resource_access {
          - resource_app_id = "00000003-0000-0000-c000-000000000000" -> null

          - resource_access {
              - id   = "a154be20-db9c-4678-8ab7-66f6cc099a59" -> null
              - type = "Scope" -> null
            }
          - resource_access {
              - id   = "5f8c59db-677d-491f-a6b8-5f174b11ec1d" -> null
              - type = "Scope" -> null
            }
          - resource_access {
              - id   = "bc024368-1153-4739-b217-4326f2e966d0" -> null
              - type = "Scope" -> null
            }
        }
      + required_resource_access {
          + resource_app_id = "00000003-0000-0000-c000-000000000000"

          + resource_access {
              + id   = "a154be20-db9c-4678-8ab7-66f6cc099a59"
              + type = "Scope"
            }
          + resource_access {
              + id   = "bc024368-1153-4739-b217-4326f2e966d0"
              + type = "Scope"
            }
          + resource_access {
              + id   = "5f8c59db-677d-491f-a6b8-5f174b11ec1d"
              + type = "Scope"
            }
        }

        # (6 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Panic Output

None

Expected Behavior

Changing the order of resource_access in required_resource_access should not destroy and recreate the required_resource_access field.

Actual Behavior

Changing the order of resource_access in required_resource_access destroys and recreates the required_resource_access field, resulting in lost admin grants. ~Since admin grants can not be done in terraform (as far as I know)~ this could destroy the functionality of the App registration.

Update: Thank you @manicminer for pointing out that admin grants can be done with terraform using azuread_app_role_assignment or service_principal_delegated_permission_grant. Unfortunately users need admin permissions to grant them, but do not need admin permissions to create/delete resource_access. So using the above resources can be a work-around if the needed permissions are granted. Otherwise just make sure to not change the order of resource_access for now.

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. Change the order of the resource_access in required_resource_access
  4. terraform apply

Important Factoids

References

hegerdes avatar Sep 06 '23 14:09 hegerdes

Thanks for reporting @hegerdes.

Just wanted to note that you can perform admin grants with Terraform, using the azuread_app_role_assignment resource (for roles) and the azuread_service_principal_delegated_permission_grant resource (for scopes) - which should help you achieve service continuity until this is resolved.

manicminer avatar Sep 06 '23 16:09 manicminer
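As an added example, not code from the issue or from the provider, here is a configuration combining the two defensive measures discussed in this thread: the resource_access blocks are generated from a toset() of scope IDs, so re-ordering the list in source cannot change the order of the generated blocks (Terraform iterates a set of strings in lexicographic order), and the admin consent is declared as an azuread_service_principal_delegated_permission_grant so it is held in state and re-established on the next apply rather than silently lost. It assumes the v2.41-era argument name `application_id` (later versions also accept `client_id`), that the listed IDs are delegated Microsoft Graph scopes, and that the principal running apply is allowed to grant consent.

```hcl
data "azuread_client_config" "current" {}

locals {
  graph_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
  # Scope IDs from the issue. toset() fixes the iteration order, so
  # shuffling this list no longer produces a destroy/recreate plan.
  graph_scope_ids = toset([
    "a154be20-db9c-4678-8ab7-66f6cc099a59", # User.Read.All
    "5f8c59db-677d-491f-a6b8-5f174b11ec1d", # Group.Read.All or GroupMember.Read.All (as in the issue)
    "bc024368-1153-4739-b217-4326f2e966d0", # Group.Read.All or GroupMember.Read.All (as in the issue)
  ])
}

resource "azuread_application" "default" {
  display_name     = var.aad_app_name
  owners           = [data.azuread_client_config.current.object_id]
  sign_in_audience = "AzureADMyOrg"

  required_resource_access {
    resource_app_id = local.graph_app_id

    # One block per scope, emitted in deterministic (sorted) order.
    dynamic "resource_access" {
      for_each = local.graph_scope_ids
      content {
        id   = resource_access.value
        type = "Scope"
      }
    }
  }
}

# Service principal for the app; the delegated grant attaches to it.
resource "azuread_service_principal" "default" {
  application_id = azuread_application.default.application_id
}

# Microsoft Graph's service principal in this tenant (present in every tenant).
data "azuread_service_principal" "msgraph" {
  application_id = local.graph_app_id
}

# Tenant-wide admin consent, tracked in state: if the grant disappears after
# required_resource_access is recreated, the next plan shows the drift and
# apply restores it. Requires a principal permitted to grant admin consent.
resource "azuread_service_principal_delegated_permission_grant" "graph" {
  service_principal_object_id          = azuread_service_principal.default.object_id
  resource_service_principal_object_id = data.azuread_service_principal.msgraph.object_id
  claim_values                         = ["User.Read.All", "Group.Read.All", "GroupMember.Read.All"]
}
```

After the first apply, re-ordering the entries in `graph_scope_ids` should yield "No changes" on plan, which is the quick check that the ordering workaround is in effect.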