terraform-provider-azuread
azuread_invitation requires User.ReadWrite permissions
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Terraform v1.2.7 on darwin_amd64, azuread 2.28.1
Affected Resource(s)
- azuread_invitation
Terraform Configuration Files
provider "azuread" {
  tenant_id     = "..."
  client_id     = "..."
  client_secret = "..."
}

resource "azuread_invitation" "test" {
  redirect_url       = "https://portal.azure.com/"
  user_email_address = "[email protected]"
}

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "=2.28.1"
    }
  }
  required_version = ">= 0.15"
}
Expected Behavior
Expected to be able to invite a user when authenticated with an SP that only has User.Invite.All and does not have User.ReadWrite.All or Directory.ReadWrite.All, as stated in the provider docs.
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/invitation
When authenticated with a service principal, this resource requires one of the following application roles: User.Invite.All, User.ReadWrite.All or Directory.ReadWrite.All
Actual Behavior
Error when applying: "Failed to patch guest user after creating invitation"
Steps to Reproduce
- terraform apply
Important Factoids
The provider code tries to patch the newly created guest user to determine if it exists.
https://github.com/hashicorp/terraform-provider-azuread/blob/720f09e61d0b14e4a36ef0380ec77dde321afc73/internal/services/invitations/invitation_resource.go#L166-L191
Is a PATCH required for this scenario instead of a GET?
@pmjacinto Thanks for reporting this. Whilst it's possible to create invitations having only User.Invite.All, unfortunately a PATCH request has been found to be necessary as GET operations on newly created objects in MS Graph exhibit behavior attributable to caching, and are not reliable. Accordingly we will have to put this down as a documentation bug.
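The "Important Factoids" section and the maintainer's reply above together describe what the resource actually does with service-principal auth: the invitation itself only needs User.Invite.All, but the follow-up PATCH on the new guest user needs User.ReadWrite.All or Directory.ReadWrite.All, so an apply fails late with a 403. The following added example (not code from the terraform-provider-azuread project) is a pre-flight check an operator can run before `terraform apply`: it decodes the service principal's app-only Graph token, reads the `roles` claim (where app-only tokens carry application permissions), and reports whether the create and the PATCH step will be authorized, which roles are missing, and which granted roles the resource does not need. The sample tokens are constructed, unsigned JWTs built only so the script runs offline; the role names are exactly those named in the thread.

```python
"""Pre-flight least-privilege check for azuread_invitation with service-principal auth.

Added example, not part of terraform-provider-azuread. Inspects an app-only
Microsoft Graph access token and compares its `roles` claim with the application
roles this issue thread shows the resource exercising.
"""
import base64
import json

# POST /invitations works with User.Invite.All alone; the provider's follow-up
# PATCH on the guest user needs one of the broader roles (per the thread).
INVITE_ROLE = "User.Invite.All"
PATCH_ROLES = frozenset({"User.ReadWrite.All", "Directory.ReadWrite.All"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately not verified: this inspects a token we obtained
    ourselves for our own service principal. Never use this to accept a token
    presented by another party.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_invitation_roles(claims: dict) -> dict:
    """Compare the token's `roles` claim with what azuread_invitation needs.

    App-only Graph tokens list application permissions in `roles`; delegated
    tokens use `scp` instead and are out of scope for this check.
    """
    granted = set(claims.get("roles", []))
    can_create = INVITE_ROLE in granted
    can_patch = bool(granted & PATCH_ROLES)
    missing = []
    if not can_create:
        missing.append(INVITE_ROLE)
    if not can_patch:
        missing.append(" or ".join(sorted(PATCH_ROLES)))
    # Roles the token carries that this resource does not exercise. Worth a
    # least-privilege review, though other resources in the same config may need them.
    unused = sorted(granted - {INVITE_ROLE} - PATCH_ROLES)
    return {
        "can_create_invitation": can_create,
        "can_patch_guest_user": can_patch,
        "apply_will_succeed": can_create and can_patch,
        "missing": missing,
        "unused": unused,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none, empty signature) so the example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


# Constructed sample claims. The first mirrors the SP in the issue (invite role only);
# the second adds one of the roles the PATCH step needs.
ISSUE_SP_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": ["User.Invite.All"]}
FIXED_SP_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Invite.All", "User.ReadWrite.All"],
}

if __name__ == "__main__":
    for label, claims in (("issue SP", ISSUE_SP_CLAIMS), ("fixed SP", FIXED_SP_CLAIMS)):
        report = check_invitation_roles(decode_jwt_claims(make_unsigned_token(claims)))
        print(f"{label}: {json.dumps(report, indent=2)}")
```

To run this against a real service principal, obtain an app-only token for Graph (for example with `az account get-access-token --resource https://graph.microsoft.com` after `az login --service-principal`) and pass its `accessToken` value to `decode_jwt_claims`. For the SP in the issue the report shows `can_create_invitation` true but `can_patch_guest_user` false, which is the late 403 the thread describes, now surfaced before any apply.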
I just ran into the same problem, providing User.ReadWrite to the user executing terraform is not an option for me. Would it be possible to make this check optional instead? Or maybe an option to select PATCH or GET in the terraform configuration.
When doing a destroy, User.Invite.All is also not enough.
UsersClient.BaseClient.Delete(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
Here I would again suggest that the delete be optional in the terraform configuration, if it's not possible to do this with only User.Invite.All.