
`azuread_group_role_management_policy` unset `approval_stage` causes constant drift

Open paul-hugill opened this issue 1 year ago • 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.5.7
on windows_amd64
+ provider registry.terraform.io/env0/env0 v1.18.7
+ provider registry.terraform.io/hashicorp/azuread v2.49.1
+ provider registry.terraform.io/hashicorp/azurerm v3.103.1
+ provider registry.terraform.io/hashicorp/random v3.6.2
+ provider registry.terraform.io/hashicorp/tfe v0.55.0
+ provider registry.terraform.io/hashicorp/time v0.7.2
+ provider registry.terraform.io/hashicorp/vault v3.8.2
+ provider registry.terraform.io/integrations/github v6.2.1

Affected Resource(s)

  • azuread_group_role_management_policy

Terraform Configuration Files

resource "azuread_group_role_management_policy" "groups" {
  group_id = "xxxxx-xxxxx-xxxxx-xxxx"
  role_id  = "member"

  active_assignment_rules {
    expiration_required                = true
    expire_after                       = "P30D"
    require_justification              = true
    require_multifactor_authentication = true
    require_ticket_info                = false
  }

  eligible_assignment_rules {
    expiration_required = false
    expire_after        = "P365D"
  }

  activation_rules {
    maximum_duration                   = "PT12H"
    require_approval                   = false
    require_justification              = true
    require_multifactor_authentication = true
    require_ticket_info                = true
  }
}

Debug Output

Panic Output

Expected Behavior

Resource should not show changes

Actual Behavior

Resource shows changes on every apply. In Terraform Cloud, this doesn't show what is going to be changed, just 4 unchanged attributes hidden and 4 unchanged blocks hidden.

As a CLI run, it shows the activation_rules.approval_stage being removed:

  # module.this.azuread_group_role_management_policy.groups["data_admins"] will be updated in-place
  ~ resource "azuread_group_role_management_policy" "groups" {
        id           = "Group_663174af-0098-4588-87a4-1d10577e22f2_5b6ae689-0d59-41be-b172-3f07be7bff57"
        # (4 unchanged attributes hidden)

      ~ activation_rules {
            # (5 unchanged attributes hidden)

          - approval_stage {
            }
        }

        # (3 unchanged blocks hidden)
    }

Steps to Reproduce

  1. terraform apply
  2. Run the apply again and you will see the resource shows changes

I have tried adding an empty approval_stage block but that requires a primary_approver which cannot be empty either.

Important Factoids

References

paul-hugill avatar Jun 03 '24 10:06 paul-hugill
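As an added example (not from the issue or the provider), a small Python filter over `terraform show -json <planfile>` output that separates this spurious empty `approval_stage` removal from a substantive policy change, such as `require_approval` being switched off. The plan JSON embedded below is constructed for the example, not captured from the issue, and the GUID is a placeholder.

```python
import json
from itertools import zip_longest

# Constructed sample of `terraform show -json <planfile>` output (not captured from
# this issue). Resource 1 reproduces the spurious diff: an empty approval_stage block
# is "removed". Resource 2 is a real, security-relevant change: approval gets disabled.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": 'azuread_group_role_management_policy.groups["data_admins"]',
     "change": {"actions": ["update"],
                "before": {"activation_rules": [{"require_approval": False, "approval_stage": [{}]}]},
                "after":  {"activation_rules": [{"require_approval": False, "approval_stage": []}]}}},
    {"address": 'azuread_group_role_management_policy.groups["finance"]',
     "change": {"actions": ["update"],
                "before": {"activation_rules": [{"require_approval": True, "approval_stage": [
                    {"primary_approver": [{"object_id": "<placeholder-guid>", "type": "groupMembers"}]}]}]},
                "after":  {"activation_rules": [{"require_approval": False, "approval_stage": []}]}}},
]})

def is_empty(value):
    """True when a value carries no configuration: None, {}, [], or only such values nested."""
    if value is None or value == {} or value == []:
        return True
    if isinstance(value, list):
        return all(is_empty(v) for v in value)
    if isinstance(value, dict):
        return all(is_empty(v) for v in value.values())
    return False

def diff_attrs(before, after, path=""):
    """Yield (path, before, after) for every leaf difference, except where both sides are empty."""
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            yield from diff_attrs(before.get(key), after.get(key), f"{path}.{key}" if path else key)
    elif isinstance(before, list) and isinstance(after, list):
        for i, (b, a) in enumerate(zip_longest(before, after)):
            yield from diff_attrs(b, a, f"{path}[{i}]")
    elif before != after and not (is_empty(before) and is_empty(after)):
        yield (path, before, after)

def real_changes(plan_json):
    """Map resource address -> substantive diffs; addresses whose only change is noise are dropped."""
    result = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["no-op"]:
            continue
        diffs = list(diff_attrs(change.get("before") or {}, change.get("after") or {}))
        if diffs:
            result[rc["address"]] = diffs
    return result

if __name__ == "__main__":
    for address, diffs in real_changes(SAMPLE_PLAN).items():
        for path, b, a in diffs:
            print(f"{address}: {path}: {b!r} -> {a!r}")
```

Run against a real plan with `terraform show -json tfplan`, the filter lets the data_admins-style noise through silently while a flipped require_approval still surfaces for review.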

Probably having the same issue with the newly released azurerm_role_management_policy resource as well, both when using v3.108.0; at least I'm having the same empty change plans every time.

I can open an issue on that provider as well and mention this if desired.

paul-hugill avatar Jun 14 '24 14:06 paul-hugill

Thanks @paul-hugill, if you can open an issue for AzureRM that'd be appreciated 👍

manicminer avatar Jun 17 '24 10:06 manicminer

We are experiencing the same issue with this resource with azuread v3.0.2.

We initially had an approval_stage (group as primary approver) set in the member policy, but as this was not required we removed it so that the approval_stage is not there at all when activation_rules.require_approval is false (using dynamic blocks).

The plan/apply went fine and removed this, however we now experience this constant update when planning.

As a workaround we can keep activation_rules.require_approval but define an approval_stage with a primary_approver (singleUser or groupMembers) that effectively does nothing as approval is not required. The user or group does not really matter as they will not be approving anything for this policy. This at least stops the annoyance of the proposed change in the plan.

The situation is not ideal, as why should we need to set an approver on a policy that does not require one?

Having just read the issue for azurerm_role_management_policy, I see the comment from JWilkinsonMB (https://github.com/hashicorp/terraform-provider-azurerm/issues/26377#issuecomment-2423683251) is essentially the same as the proposed workaround here.

sunevnuahs avatar Nov 20 '24 22:11 sunevnuahs

Has there been any update on this? We're encountering this issue too with azuread v3.1.0.

christopher-pope avatar Jan 31 '25 18:01 christopher-pope

I confirm that the latest version of the azuread provider continues to have this problem. When require_approval is not set or set to false, the terraform plan sees a drift each time because of the missing approval_stage/primary_approver block.

For now, the only workaround I have found is to use this:

approval_stage {
  primary_approver {
    object_id = azuread_group.this.object_id
    type      = "groupMembers"
  }
}

I reuse my PIM group as the approver; I see it in the GUI, but with require_approval = false I don't need approval. It's not a good config, it's a workaround.

Please make a correction to the azuread provider!

alienm16 avatar Mar 04 '25 16:03 alienm16