
Error: Creating custom directory role

Open rohernan opened this issue 2 years ago • 7 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.3.5, AzureAD provider v2.41.0

Affected Resource(s)

  • azuread_custom_directory_role

Terraform Configuration Files

resource "azuread_custom_directory_role" "crK8sSPAdmin" {
    display_name        = var.km_custom_role_display_name
    description         = var.km_custom_role_description
    enabled             = var.km_custom_role_enabled
    version             = var.km_custom_role_version

    permissions {
      allowed_resource_actions = [
        "microsoft.directory/applicationPolicies/allProperties/read",
        "microsoft.directory/applicationPolicies/owners/read",
        "microsoft.directory/applicationPolicies/standard/read",
        "microsoft.directory/applications.myOrganization/allProperties/read",
        "microsoft.directory/applications.myOrganization/allProperties/update",
        "microsoft.directory/applications.myOrganization/audience/update",
        "microsoft.directory/applications.myOrganization/authentication/update",
        "microsoft.directory/applications.myOrganization/basic/update",
        "microsoft.directory/applications.myOrganization/credentials/update",
        "microsoft.directory/applications.myOrganization/delete",
        "microsoft.directory/applications.myOrganization/owners/read",
        "microsoft.directory/applications.myOrganization/owners/update",
        "microsoft.directory/applications.myOrganization/permissions/update",
        "microsoft.directory/applications.myOrganization/standard/read",
        "microsoft.directory/applications/allProperties/read",
        "microsoft.directory/applications/allProperties/update",
        "microsoft.directory/applications/appRoles/update",
        "microsoft.directory/applications/audience/update",
        "microsoft.directory/applications/authentication/update",
        "microsoft.directory/applications/basic/update",
        "microsoft.directory/applications/create",
        "microsoft.directory/applications/createAsOwner",
        "microsoft.directory/applications/credentials/update",
        "microsoft.directory/applications/delete",
        "microsoft.directory/applications/owners/read",
        "microsoft.directory/applications/permissions/update",
        "microsoft.directory/applications/standard/read",
        "microsoft.directory/servicePrincipals/allProperties/read",
        "microsoft.directory/servicePrincipals/allProperties/update",
        "microsoft.directory/servicePrincipals/audience/update",
        "microsoft.directory/servicePrincipals/authentication/update",
        "microsoft.directory/servicePrincipals/basic/update",
        "microsoft.directory/servicePrincipals/create",
        "microsoft.directory/servicePrincipals/createAsOwner",
        "microsoft.directory/servicePrincipals/credentials/update",
        "microsoft.directory/servicePrincipals/delete",
        "microsoft.directory/servicePrincipals/disable",
        "microsoft.directory/servicePrincipals/enable",
        "microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials",
        "microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials",
        "microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read",
        "microsoft.directory/servicePrincipals/owners/read",
        "microsoft.directory/servicePrincipals/owners/update",
        "microsoft.directory/servicePrincipals/permissions/update",
        "microsoft.directory/servicePrincipals/standard/read",
        "microsoft.directory/servicePrincipals/tag/update"
      ]
    }
}

Debug Output

[ERROR] provider.terraform-provider-azuread_v2.41.0_x5.exe: Response contains error diagnostic: @module=sdk.proto diagnostic_detail="RoleDefinitionsClient.BaseClient.Post(): unexpected status 302 received with no body" tf_proto_version=5.3 tf_provider_addr=provider tf_rpc=ApplyResourceChange diagnostic_severity=ERROR diagnostic_summary="Creating custom directory role "<Redacted>" tf_req_id=e9baeda5-da4a-b191-f396-94bed09e3cec tf_resource_type=azuread_custom_directory_role @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 timestamp=2023-09-14T16:57:45.444-0400

Expected Behavior

The Custom Directory Role should have been provisioned.

Actual Behavior

An error was returned:

RoleDefinitionsClient.BaseClient.Post(): unexpected status 302 received with no body

Steps to Reproduce

  1. terraform plan -out main.tfplan -var-file serviceprincipal-admins.tfvars
  2. terraform apply main.tfplan

Important Factoids

Operating in Azure Government.

References

rohernan avatar Sep 14 '23 22:09 rohernan
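A note on the permission set itself, separate from the 302 error: the role above grants microsoft.directory/applications/credentials/update and microsoft.directory/servicePrincipals/credentials/update tenant-wide (plus owners/update and permissions/update), which lets any holder add a client secret to any application or service principal and then sign in as it. The following Python script is an added example, not code from the issue or from the azuread provider. The action list is constructed by copying the allowed_resource_actions from the resource block above; the tiers ("takeover", "lifecycle", "write", "read") are this example's own heuristic for review, not an official Microsoft ranking.

```python
"""Tier the allowed_resource_actions of an Entra ID custom directory role.

Added example, not part of the original issue or the azuread provider. The
tiers below are a review heuristic, not Microsoft's classification.
"""
from collections import defaultdict

# Constructed sample input: the allowed_resource_actions from the issue's
# resource block, grouped by resource to keep the listing compact.
_ACTIONS_BY_RESOURCE = {
    "applicationPolicies": [
        "allProperties/read", "owners/read", "standard/read"],
    "applications.myOrganization": [
        "allProperties/read", "allProperties/update", "audience/update",
        "authentication/update", "basic/update", "credentials/update", "delete",
        "owners/read", "owners/update", "permissions/update", "standard/read"],
    "applications": [
        "allProperties/read", "allProperties/update", "appRoles/update",
        "audience/update", "authentication/update", "basic/update", "create",
        "createAsOwner", "credentials/update", "delete", "owners/read",
        "permissions/update", "standard/read"],
    "servicePrincipals": [
        "allProperties/read", "allProperties/update", "audience/update",
        "authentication/update", "basic/update", "create", "createAsOwner",
        "credentials/update", "delete", "disable", "enable",
        "getPasswordSingleSignOnCredentials",
        "managePasswordSingleSignOnCredentials", "oAuth2PermissionGrants/read",
        "owners/read", "owners/update", "permissions/update", "standard/read",
        "tag/update"],
}
ALLOWED_RESOURCE_ACTIONS = [
    f"microsoft.directory/{resource}/{suffix}"
    for resource, suffixes in _ACTIONS_BY_RESOURCE.items() for suffix in suffixes
]

# "takeover": lets the holder add credentials to, re-own, re-permission or
# re-point authentication of an app/service principal, i.e. impersonate it.
TAKEOVER_SUFFIXES = (
    "credentials/update", "owners/update", "permissions/update",
    "authentication/update", "allProperties/update",
    "getPasswordSingleSignOnCredentials", "managePasswordSingleSignOnCredentials",
)
# "lifecycle": changes which identities exist or are usable.
LIFECYCLE_VERBS = {"create", "createAsOwner", "delete", "enable", "disable"}


def parse_action(action):
    """Split 'microsoft.directory/<resource>[/<property>]/<verb>' into
    (resource, property, verb); property is '' when absent."""
    namespace, _, rest = action.partition("/")
    segments = rest.split("/")
    if namespace != "microsoft.directory" or len(segments) < 2:
        raise ValueError(f"unexpected action format: {action!r}")
    return segments[0], "/".join(segments[1:-1]), segments[-1]


def classify(action):
    """Return the heuristic tier of one action string."""
    _, prop, verb = parse_action(action)
    tail = f"{prop}/{verb}" if prop else verb
    if tail in TAKEOVER_SUFFIXES:
        return "takeover"
    if verb in LIFECYCLE_VERBS:
        return "lifecycle"
    return "read" if verb == "read" else "write"


def audit(actions):
    """Group actions by tier: {tier: sorted list of actions}."""
    tiers = defaultdict(list)
    for action in actions:
        tiers[classify(action)].append(action)
    return {tier: sorted(items) for tier, items in tiers.items()}


def credential_control_scope(actions):
    """Resources on which the role can set credentials: the identity-takeover
    blast radius of the role."""
    scope = set()
    for action in actions:
        resource, prop, verb = parse_action(action)
        if (prop == "credentials" and verb == "update") \
                or verb.endswith("SingleSignOnCredentials"):
            scope.add(resource)
    return sorted(scope)


def without_tiers(actions, tiers):
    """Return the action list with the given tiers removed, e.g. a first cut
    at a least-privilege version of the role."""
    return [a for a in actions if classify(a) not in tiers]


if __name__ == "__main__":
    for tier, items in audit(ALLOWED_RESOURCE_ACTIONS).items():
        print(f"{tier:9} {len(items):2}  " + ", ".join(items))
    print("credential control over:", credential_control_scope(ALLOWED_RESOURCE_ACTIONS))
    print("actions left without the takeover tier:",
          len(without_tiers(ALLOWED_RESOURCE_ACTIONS, {"takeover"})))
```

Running the script against the posted list shows 16 of the 46 actions in the takeover tier and credential control over applications, applications.myOrganization and servicePrincipals, so a holder of this role can effectively become any application identity in the tenant; a role intended for a specific team's Kubernetes service principals would normally be scoped to an administrative unit or to owned objects (createAsOwner plus the *.myOrganization read actions) rather than tenant-wide credentials/update.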

Thanks for reporting @rohernan. This is an unusual one, would you be able to obtain and send a debug log? This will show the full API request and response which will aid in investigating this. You can post it in a gist and link it here if it's lengthy. Thanks!

manicminer avatar Sep 15 '23 14:09 manicminer

Thanks for the update! The debug logs are here: https://gist.github.com/rohernan/89e7c6ca66874e2aa80c0bf6578d2c14

rohernan avatar Sep 15 '23 14:09 rohernan

@rohernan That's great, thanks. We'll have to try to infer what that response is supposed to mean, since it's both undocumented and noncompliant (no Location header). Do you perhaps already have a custom role having the same display name?

manicminer avatar Sep 15 '23 14:09 manicminer

This is the first time they are creating a new custom directory role and it is still unique across az resource custom roles as well.

rohernan avatar Sep 15 '23 14:09 rohernan

Good morning. I'm now experiencing a similar issue when attempting to retrieve an existing AAD group while utilizing azurerm_role_assignment with both display name and objectId:

[screenshot]

rohernan avatar Sep 19 '23 13:09 rohernan

@rohernan Very interesting - many thanks for the feedback, I'll look into this further and try to find out what the responses are supposed to be doing.

manicminer avatar Sep 22 '23 00:09 manicminer

Good morning! Following up on this as I just tried again and am still receiving the 302 error.

Update: I just found a relatively similar issue reported: https://github.com/hashicorp/terraform-provider-azuread/issues/588

Changed the provider to 1.6.0 and I can create AAD groups and reference existing groups now! I'm not able to utilize the security_enabled attribute but this will get my guy moving forward!

Thanks!

rohernan avatar Jan 03 '24 14:01 rohernan