
`terraform plan -refresh-only` command shows the `logo_url` in the diff (when a logo is added to an Application in Azure AD), even if the logo was not managed by terraform

Open joachimBurket opened this issue 5 months ago • 6 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

$ terraform -v
Terraform v1.9.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.53.1

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

terraform {
  required_version = ">= 1.6"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">=2.53.1, <3.0.0"
    }
  }
}

resource "azuread_application" "example" {
  display_name            = "example"
  sign_in_audience        = "AzureADMyOrg"
  group_membership_claims = ["SecurityGroup"]

  api {
    mapped_claims_enabled          = true
    requested_access_token_version = 2
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]
  }

  lifecycle {
    ignore_changes = [
      identifier_uris,
      owners,
      api[0].known_client_applications,
    ]
  }
}

Debug Output

$ terraform plan -refresh-only
azuread_application.example: Refreshing state... [id=/applications/58a75930-75b3-4a04-a572-4d6383a3dc27]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # azuread_application.example has changed
  ~ resource "azuread_application" "example" {
        id                             = "/applications/58a75930-75b3-4a04-a572-4d6383a3dc27"
      + logo_url                       = "https://aadcdn.msftauthimages.net/c1c6b6c8-3dxsg3uktgsajlp-ib5nh85w5oqsatmsdyrqoxtife4/appbranding/pjyyxkyjzdxnjsrh8o5vdm4cbfst7at6j7gzkskskcw/1033/bannerlogo?ts=638602831655010723"
        tags                           = []
        # (25 unchanged attributes hidden)

        # (6 unchanged blocks hidden)
    }


This is a refresh-only plan, so Terraform will not take any actions to undo these. If you were expecting these changes then you can apply this plan to record
the updated values in the Terraform state without changing any remote objects.

Panic Output

None

Expected Behavior

The logo_url should not be present in the diff if it was added from Azure AD.

Actual Behavior

The terraform plan -refresh-only command showed the added logo_url in the diff.

Steps to Reproduce

  1. Create the Application with terraform apply

  2. Run terraform plan -refresh-only command to check if there is a diff with the prod

    NOTE: if the terraform plan -refresh-only is launched directly after the apply, the following resources are shown in the diff:

    $ terraform plan -refresh-only
    azuread_application.example: Refreshing state... [id=/applications/58a75930-75b3-4a04-a572-4d6383a3dc27]
    
    Note: Objects have changed outside of Terraform
    
    Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:
    
      # azuread_application.example has changed
      ~ resource "azuread_application" "example" {
          + group_membership_claims        = []
            id                             = "/applications/48e35d3f-9c02-4a22-add9-c19bb4253bf3"
          + identifier_uris                = []
          + owners                         = []
            tags                           = []
            # (13 unchanged attributes hidden)
    
          ~ api {
              + known_client_applications      = []
                # (2 unchanged attributes hidden)
            }
    
            # (5 unchanged blocks hidden)
        }
    
    This is a refresh-only plan, so Terraform will not take any actions to undo these. If you were expecting these changes then you can apply this plan to record the updated values in the Terraform state without changing any remote objects.
    

    When the terraform apply command is launched a second time, the terraform plan -refresh-only shows no more diff.

  3. Add a logo to the Application on Azure AD.

  4. Run the command tofu plan -refresh-only. The command shows the logo_url in the diff.

  5. Try to ignore the logo_url in the Application's lifecycle. Update the azuread_application:

    resource "azuread_application" "example" {
      [ ... ]
      lifecycle {
        ignore_changes = [
          identifier_uris,
          owners,
          api[0].known_client_applications,
          logo_url,     # add the logo_url
        ]
      }
    }
    
  6. Re-run the plan -refresh-only command:

    $ terraform plan -refresh-only
    azuread_application.example: Refreshing state... [id=/applications/58a75930-75b3-4a04-a572-4d6383a3dc27]
    
    Note: Objects have changed outside of Terraform
    
    Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:
    
      # azuread_application.example has changed
      ~ resource "azuread_application" "example" {
            id                             = "/applications/58a75930-75b3-4a04-a572-4d6383a3dc27"
          + logo_url                       = "https://aadcdn.msftauthimages.net/c1c6b6c8-3dxsg3uktgsajlp-ib5nh85w5oqsatmsdyrqoxtife4/appbranding/pjyyxkyjzdxnjsrh8o5vdm4cbfst7at6j7gzkskskcw/1033/bannerlogo?ts=638602831655010723"
            tags                           = []
            # (25 unchanged attributes hidden)
    
            # (6 unchanged blocks hidden)
        }
    
    
    This is a refresh-only plan, so Terraform will not take any actions to undo these. If you were expecting these changes then you can apply this plan to record
    the updated values in the Terraform state without changing any remote objects.
    ╷
    │ Warning: Redundant ignore_changes element
    │ 
    │   on test_app.tf line 11, in resource "azuread_application" "example":
    │   11: resource "azuread_application" "example" {
    │ 
    │ Adding an attribute name to ignore_changes tells Terraform to ignore future changes to the argument in configuration after the object has been created,
    │ retaining the value originally configured.
    │ 
    │ The attribute logo_url is decided by the provider alone and therefore there can be no configured value to compare with. Including this attribute in
    │ ignore_changes has no effect. Remove the attribute from ignore_changes to quiet this warning.
    

    A warning says that the ignore_changes entry for logo_url is redundant.

Important Factoids

I use the terraform plan -refresh-only command in a recurring job to check whether there has been drift in production, and to create an issue in my repository.

References

None

joachimBurket, Aug 26 '24 15:08
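Because logo_url is decided by the provider alone, ignore_changes cannot silence it (as the warning in step 6 shows); the recurring drift job described under Important Factoids can instead filter the refresh-only plan itself. The Python below is an added example, not code from the issue or from the provider: it assumes the plan was saved with `terraform plan -refresh-only -out=...` and rendered with `terraform show -json`, and the PROVIDER_COMPUTED table of attributes to skip is an assumption made for this example.

```python
import json
import sys
# Attributes the provider alone decides (computed from the remote object, never
# configurable), so a change to them is noise for a configuration-drift job.
# logo_url is this issue's case; the table is an assumption for this example.
PROVIDER_COMPUTED = {"azuread_application": {"logo_url"}}

def changed_attributes(before, after, ignored=frozenset()):
    """Top-level attributes whose value differs between the before/after objects
    of one resource_drift entry, minus ignored names. A None side (resource
    created or deleted outside Terraform) counts as fully changed."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after)
                  if k not in ignored and before.get(k) != after.get(k))

def real_drift(plan):
    """Walk resource_drift from a `terraform show -json <planfile>` document and
    keep only entries with at least one non-computed attribute change."""
    drift = {}
    for entry in plan.get("resource_drift", []):
        ignored = PROVIDER_COMPUTED.get(entry["type"], frozenset())
        change = entry["change"]
        attrs = changed_attributes(change.get("before"), change.get("after"), ignored)
        if attrs:
            drift[entry["address"]] = attrs
    return drift

# Constructed sample plan: "example" only gained a logo (the noise from this
# issue); "other" gained a logo and an extra redirect URI (real drift).
WEB = [{"redirect_uris": ["https://app.example.net/account"]}]
WEB_EXTRA = [{"redirect_uris": ["https://app.example.net/account", "https://app.example.net/extra"]}]
LOGO = "https://example.invalid/constructed-logo"
SAMPLE_PLAN = {"format_version": "1.2", "resource_drift": [
    {"address": "azuread_application.example", "type": "azuread_application",
     "change": {"actions": ["update"],
                "before": {"logo_url": None, "tags": [], "web": WEB},
                "after": {"logo_url": LOGO, "tags": [], "web": WEB}}},
    {"address": "azuread_application.other", "type": "azuread_application",
     "change": {"actions": ["update"],
                "before": {"logo_url": None, "tags": [], "web": WEB},
                "after": {"logo_url": LOGO, "tags": [], "web": WEB_EXTRA}}},
]}

if __name__ == "__main__":
    # Usage: terraform plan -refresh-only -out=drift.tfplan
    #        terraform show -json drift.tfplan > drift.json; python drift_filter.py drift.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = real_drift(plan)
    print(json.dumps(found, indent=2))
    raise SystemExit(1 if found else 0)  # non-zero exit: real drift, open an issue
```

On the constructed sample only azuread_application.other is reported (its web block changed), while the logo-only change on azuread_application.example is dropped, so the job exits non-zero only for drift that the configuration could actually have caused.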