terraform-provider-azuread
Predefined parameters are missed in the application provisioned from template
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Terraform v1.2.5 Provider registry.terraform.io/hashicorp/azuread v2.26.1
Affected Resource(s)
- azuread_application
- azuread_service_principal
- azuread_application_template
Terraform Configuration Files
data "azuread_application_template" "this" {
  display_name = "GitHub Enterprise Managed User"
}

resource "azuread_application" "this" {
  display_name = "GitHub EMU"
  template_id  = data.azuread_application_template.this.template_id
}

resource "azuread_service_principal" "this" {
  application_id = azuread_application.this.application_id
  use_existing   = true
}
Debug Output
https://gist.github.com/alexvvladimirov/9b9204b917db2ffa7a79dba2a055ca61
Expected Behavior
The gallery application provisioned from template should contain all predefined parameters (incl. appRoles, redirectUris, homePageUrl, etc) as we would provision it through Graph API or Azure portal.
POST https://graph.microsoft.com/v1.0/applicationTemplates/3b5ca639-0790-480e-9b24-9625375a05e7/instantiate
Content-type: application/json
{
"displayName": "GitHub EMU (test)"
}
Actual Behavior
The gallery app provisioned from template doesn't contain a lot of the predefined parameters (incl. appRoles, redirectUris, homePageUrl).
After analyzing the debug output I can see that when TF starts creating the gallery app, it sends a POST request to the Graph API. The response contains all the necessary predefined parameters:
2022/07/27 10:37:26 [DEBUG] ============================ Begin AzureAD Response ===========================
POST https://graph.microsoft.com/v1.0/***/applicationTemplates/3b5ca639-0790-480e-9b24-9625375a05e7/instantiate
Request ID: ***
HTTP/1.1 201 Created
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: b330754e-2273-484a-ad28-a482284443eb
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Wed, 27 Jul 2022 01:37:26 GMT
Location: https://graph.microsoft.com
Odata-Version: 4.0
Request-Id: b330754e-2273-484a-ad28-a482284443eb
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{***}}
12a7
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal","application":{"id":"5e831e8e-889e-429c-aa72-e526daaf26f8","appId":"2112f37e-3e7b-4608-bfad-3eccdf0961e7","applicationTemplateId":"3b5ca639-0790-480e-9b24-9625375a05e7","createdDateTime":"2022-07-27T01:37:23Z","deletedDateTime":null,"displayName":"GitHub EMU","description":null,"groupMembershipClaims":null,"identifierUris":[],"isFallbackPublicClient":false,"signInAudience":"AzureADMyOrg","tags":[],"tokenEncryptionKeyId":null,"defaultRedirectUri":null,"optionalClaims":null,"addIns":[],"api":{"acceptMappedClaims":null,"knownClientApplications":[],"requestedAccessTokenVersion":null,"oauth2PermissionScopes":[{"adminConsentDescription":"Allow the application to access GitHub EMU on behalf of the signed-in user.","adminConsentDisplayName":"Access GitHub EMU","id":"0e4b3147-70b6-4138-ac08-ac25da9cc368","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access GitHub EMU on your behalf.","userConsentDisplayName":"Access GitHub EMU","value":"user_impersonation"}],"preAuthorizedApplications":[]},"appRoles":[{"allowedMemberTypes":["User"],"displayName":"Enterprise Owner","id":"981df190-8801-4618-a08a-d91f6206c954","isEnabled":true,"description":"Enterprise Owner","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"User","id":"27d9891d-2c17-4f45-a262-781a0e55c80a","isEnabled":true,"description":"User","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"msiam_access","id":"5a6327d3-9140-458a-b894-320a25d0f525","isEnabled":true,"description":"msiam_access","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"Billing Manager","id":"0e338b8c-cc7f-498a-928d-ea3470d7e7e3","isEnabled":true,"description":"Billing 
Manager","value":null,"origin":"Application"}],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[],"publicClient":{"redirectUris":[]},"requiredResourceAccess":[],"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"web":{"homePageUrl":"https://github.com/enterprises/*?metadata=githubenterprisemanageduser|ISV9.1|primary|z","redirectUris":["https://github.com/enterprises/*"],"logoutUrl":null}},"servicePrincipal":{"id":"e530b277-1a56-4227-9cd7-515f145cb482","deletedDateTime":null,"accountEnabled":true,"appId":"2112f37e-3e7b-4608-bfad-3eccdf0961e7","applicationTemplateId":"3b5ca639-0790-480e-9b24-9625375a05e7","appDisplayName":"GitHub EMU","alternativeNames":[],"appOwnerOrganizationId":"***","displayName":"GitHub EMU","appRoleAssignmentRequired":true,"loginUrl":null,"logoutUrl":null,"homepage":"https://github.com/enterprises/*?metadata=githubenterprisemanageduser|ISV9.1|primary|z","notificationEmailAddresses":[],"preferredSingleSignOnMode":null,"preferredTokenSigningKeyThumbprint":null,"replyUrls":[],"servicePrincipalNames":["2112f37e-3e7b-4608-bfad-3eccdf0961e7"],"servicePrincipalType":"Application","tags":["WindowsAzureActiveDirectoryIntegratedApp"],"tokenEncryptionKeyId":null,"samlSingleSignOnSettings":null,"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"addIns":[],"appRoles":[{"allowedMemberTypes":["User"],"displayName":"Enterprise Owner","id":"981df190-8801-4618-a08a-d91f6206c954","isEnabled":true,"description":"Enterprise 
Owner","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"User","id":"27d9891d-2c17-4f45-a262-781a0e55c80a","isEnabled":true,"description":"User","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"msiam_access","id":"5a6327d3-9140-458a-b894-320a25d0f525","isEnabled":true,"description":"msiam_access","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"Billing Manager","id":"0e338b8c-cc7f-498a-928d-ea3470d7e7e3","isEnabled":true,"description":"Billing Manager","value":null,"origin":"Application"}],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"oauth2PermissionScopes":[{"adminConsentDescription":"Allow the application to access GitHub EMU on behalf of the signed-in user.","adminConsentDisplayName":"Access GitHub EMU","id":"0e4b3147-70b6-4138-ac08-ac25da9cc368","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access GitHub EMU on your behalf.","userConsentDisplayName":"Access GitHub EMU","value":"user_impersonation"}],"passwordCredentials":[]}}
0
But then TF sends a PATCH request that sets most of the predefined parameters to empty/null values:
2022/07/27 10:37:28 [DEBUG] ============================ Begin AzureAD Request ============================
Request ID: ***
PATCH /beta/***/applications/5e831e8e-889e-429c-aa72-e526daaf26f8 HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.2.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/dev Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 752
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip
{"groupMembershipClaims":null,"id":"5e831e8e-889e-429c-aa72-e526daaf26f8","api":{"acceptMappedClaims":false,"knownClientApplications":[],"oauth2PermissionScopes":[],"requestedAccessTokenVersion":1},"appRoles":[],"displayName":"GitHub EMU","identifierUris":[],"info":{"marketingUrl":"","privacyStatementUrl":"","supportUrl":"","termsOfServiceUrl":""},"isDeviceOnlyAuthSupported":false,"isFallbackPublicClient":false,"oauth2RequirePostResponse":false,"optionalClaims":{},"publicClient":{"redirectUris":[]},"requiredResourceAccess":[],"signInAudience":"AzureADMyOrg","spa":{"redirectUris":[]},"tags":[],"web":{"homePageUrl":null,"implicitGrantSettings":{"enableAccessTokenIssuance":false,"enableIdTokenIssuance":false},"logoutUrl":null,"redirectUris":[]}}
============================= End AzureAD Request =============================:
As a result the app loses important predefined parameters.
Steps to Reproduce
- terraform apply
Important Factoids
References
The culprit: https://github.com/hashicorp/terraform-provider-azuread/blob/bf65f5d71a5f080a7006b3a1d34f4af74903adad/internal/services/applications/application_resource.go#L940
I am not 100% sure how to tackle this straight away - I will let someone more experienced than me see how to implement the template correctly.
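To make the clobbering described in this report visible before it is applied, the following added example (not part of the issue or the provider's code) compares an applicationTemplates/instantiate response with the PATCH body the provider sends and lists every template property that the PATCH would overwrite with an empty or null value. The two payloads are constructed, abbreviated samples taken from the debug log quoted above; the nested walk follows Graph PATCH semantics, where keys absent from the body are left untouched.

```python
import json
from typing import Any

# Constructed samples, abbreviated from the instantiate response and the PATCH
# body in this issue's debug log (not a complete copy of either payload).
INSTANTIATE_RESPONSE = json.loads("""
{"application": {
  "id": "5e831e8e-889e-429c-aa72-e526daaf26f8",
  "displayName": "GitHub EMU",
  "appRoles": [{"displayName": "Enterprise Owner", "id": "981df190-8801-4618-a08a-d91f6206c954"},
               {"displayName": "User", "id": "27d9891d-2c17-4f45-a262-781a0e55c80a"}],
  "api": {"oauth2PermissionScopes": [{"value": "user_impersonation"}], "acceptMappedClaims": null},
  "web": {"homePageUrl": "https://github.com/enterprises/*?metadata=githubenterprisemanageduser|ISV9.1|primary|z",
          "redirectUris": ["https://github.com/enterprises/*"], "logoutUrl": null},
  "identifierUris": [], "tags": []}}
""")["application"]

PATCH_BODY = json.loads("""
{"id": "5e831e8e-889e-429c-aa72-e526daaf26f8", "displayName": "GitHub EMU",
 "appRoles": [], "api": {"oauth2PermissionScopes": [], "acceptMappedClaims": false},
 "web": {"homePageUrl": null, "redirectUris": [], "logoutUrl": null},
 "identifierUris": [], "tags": []}
""")


def is_empty(value: Any) -> bool:
    """Treat null, empty strings, empty lists and empty objects as 'cleared'."""
    return value is None or value == "" or value == [] or value == {}


def clobbered_properties(before: dict, patch: dict, prefix: str = "") -> list[str]:
    """Return dotted paths of properties that are populated in `before` but that
    `patch` would overwrite with an empty/null value. Keys missing from the patch
    are untouched by a Graph PATCH, so they are not reported."""
    lost = []
    for key, new_value in patch.items():
        path = f"{prefix}{key}"
        old_value = before.get(key)
        if isinstance(old_value, dict) and isinstance(new_value, dict):
            lost.extend(clobbered_properties(old_value, new_value, path + "."))
        elif not is_empty(old_value) and is_empty(new_value):
            lost.append(path)
    return sorted(lost)


if __name__ == "__main__":
    for path in clobbered_properties(INSTANTIATE_RESPONSE, PATCH_BODY):
        print("template value cleared by PATCH:", path)
```

Run against the full payloads from a `TF_LOG=DEBUG` run, the same comparison flags the appRoles, oauth2PermissionScopes, homePageUrl and redirectUris losses reported in this issue.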
Thanks for reporting @alexvvladimirov. This is something we should be able to improve, however at this time such improvement depends on further investigation of improving Computed properties. I'm hoping we'll be in a position to address this in the next major version of the provider which is due in the coming months.
In the meantime, you would need to work around this by explicitly configuring these predefined parameters as part of your Terraform config for the application.
We are working on a new resource azuread_application_from_template along with a host of additional resources for managing individual components of applications, which I believe will resolve this issue of clobbering application properties that were inherited from the gallery application template. These resources are in flight in #1214 and will land in the next provider release.
Our recommendation will be to adopt this new resource for launching applications from gallery templates, particularly in cases where the existing azuread_application scrambles these predefined properties. Accordingly, I've marked this issue for closure with #1214.