terraform-provider-azuread
identifier_uri must start with "api://, https://"
When creating AppRegistrations, the identifier_uri must start with "api://, https://" and so on, unfortunately not all applications support this prefix at the service provider side. Can you please add a method to skip this validation, so we can use arbitrary identifier uris.
kind regards Philipp
```go
// Schema for the identifier_uris attribute of azuread_application
"identifier_uris": {
    Type:     schema.TypeList,
    Optional: true,
    Computed: true,
    Elem: &schema.Schema{
        Type:         schema.TypeString,
        ValidateFunc: validate.URLIsAppURI, // rejects values without an api:// or https:// prefix
    },
},
```
Hi @philipp1992, thanks for reporting this. Do you have an example of an identifier URI you'd like to set that is failing our validation? We can definitely look to expanding the validation however it may be that the API does not accept the value, in which case changing the validation will not help you. Thank!
Hello, I've encountered the same situation.
As an example:
`identifier_uris = abc.eu`
This is possible via MsGraph or UI. However the error from TF is `Error: URI has no host`. If I use the same code but add `identifier_uris = https://abc.eu`, the plan is ok.
Unfortunately, some vendors are not flexible enough with their application and hardcoded the identifier in the format `abc.eu`.
It will be great if the validation can be expanded to include the above format.
Thank you
Unfortunately a domain-only identifier URI isn't actually supported by Microsoft Graph - see the following screenshot:
If this is supported in the portal, then this is unfortunately not extended to the public API which means we cannot support it. We do aim to match the validation of the API, so if this changes then we'll update the provider validation accordingly.
Since there is nothing that we can do here, I'm going to close this issue for now. However, if the API gets updated, please feel free to comment further, or open a new issue, and we'll be happy to look at it again.
Hello, thanks for the quick response, but as mentioned, it is possible via MsGraph, using the PATCH method.
Documentation https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-1.0&tabs=http
Before
After the patch
Can you please re-open the issue? Thank you
@manicminer can you reopen the issue or we need to wait for @philipp1992 ?
Either way, I hit the same issue, and I also suspect it might not be possible to fix at all - is TF able to differentiate between PUT and PATCH to append such configuration?
Whether or not MS should have allowed this with PATCH is another discussion, but we have 3rd party app integrations that we simply can't provision with Terraform, and that kinda puts the spanner in the wheels of the "move to TFE" bandwagon.
Thanks for reporting back. I've reopened this although I suspect there's more going on here because it still doesn't work for me.
@alex-nutu Is `abc.eu` a verified domain of your tenant? Do you need to first set `https://abc.eu` before patching it to be `abc.eu`? I've tried this and it doesn't seem to work either way for me. Any other context you can provide will be helpful!
@Tbohunek Do you have an example that works for you outside of Terraform?
We can manipulate the logic in the provider to patch the application for specific properties, or even call additional endpoints as necessary - we do this already for a few application properties and a lot with groups. But ideally I'd like to have a better picture of what the rules actually are, if nothing else to avoid breaking existing configs and to keep apply-time surprises to a minimum.
Hi, `abc.eu` is not a verified domain. Indeed, TF is configured to use `https://abc.eu` as initial deployment. If not, the URI error is present.
After the application is created, I use GraphExplorer to change the identifier.
The process is:
- apply without the `identifierUris` attribute, because of the following error: `ApplicationsClient.BaseClient.Post(): unexpected status 400 with OData error: HostNameNotOnVerifiedDomain: Values of identifierUris property must use a verified domain of the organization or its subdomain: 'https://abc.eu'`
- add the `identifierUris` attribute in the tf code in the format `https://abc.eu` and run another apply. If I try another apply with `identifierUris` in the format `abc.eu` I get the `Error: URI has no host`
- use MsGraph with the PATCH method as explained before
Hopefully this will provide the full picture, if not let me know what other info i can provide.
I appreciate your help.
@alex-nutu Can you post your full application resource config? I am unable to patch an application with an unverified domain (i.e. step 2 in your repro guide):
The deployment is done using a module where the service principal is also created. I've tried to replicate the deployment without the module and I encounter the same error as you mention above.
However, this is not the topic of the issue, because I've used one of the custom domains we have added to AzureAD under custom domain names and I have the error `Error: URI has no host for "identifier_uris.0"`, which was the reason why the GitHub issue was raised.
Steps to replicate:

```hcl
resource "azuread_application" "test" {
  display_name    = "issue951"
  identifier_uris = ["https://abc.<custom.domain>"]
}
```

Apply and then replace the code with:

```hcl
resource "azuread_application" "test" {
  display_name    = "issue951"
  identifier_uris = ["abc.<custom.domain>"]
}
```

To summarize, using a verified domain I can use the format `identifier_uris = https://abc.custom.domain` but not `identifier_uris = abc.custom.domain`.
I will check why with the module I can deploy an unverified domain, but only in the format `https://unverified.domain`.
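To make the two layers of checking discussed in this thread concrete, here is an added Go example (not the provider's own `validate.URLIsAppURI`, nor Microsoft Graph code): the provider-side parse check that yields "URI has no host" for a bare `abc.eu`, and a constructed model of the Graph-side `HostNameNotOnVerifiedDomain` rule from the 400 error quoted above. The allowed-scheme list and the verified-domain matching are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes models the "api://, https://" prefix rule from the issue
// title; the real provider list may differ (assumption).
var allowedSchemes = map[string]bool{"api": true, "https": true}

// ValidateAppURI is an illustrative reimplementation of the provider-side
// check: a bare host like "abc.eu" parses with an empty Host, which is what
// produces the "URI has no host" error quoted in this thread.
func ValidateAppURI(v string) error {
	u, err := url.Parse(v)
	if err != nil {
		return fmt.Errorf("URI is not valid: %w", err)
	}
	if u.Host == "" {
		return errors.New("URI has no host")
	}
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("URI must start with api:// or https://, got %q", v)
	}
	return nil
}

// HostOnVerifiedDomain models the service-side rule from the quoted error
// (HostNameNotOnVerifiedDomain): the host must be a verified domain of the
// tenant or a subdomain of one. Constructed approximation of Graph behaviour.
func HostOnVerifiedDomain(host string, verified []string) bool {
	host = strings.ToLower(host)
	for _, d := range verified {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: "custom.domain" stands in for a verified tenant domain.
	verified := []string{"custom.domain"}
	for _, v := range []string{"abc.eu", "https://abc.custom.domain", "https://unverified.domain"} {
		err := ValidateAppURI(v)
		u, _ := url.Parse(v)
		fmt.Printf("%-30s provider=%v graphHostOK=%v\n", v, err, HostOnVerifiedDomain(u.Host, verified))
	}
}
```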
Thanks, I'll continue experimenting with a verified domain but I thought it would be relevant to maybe work out the conditions under which an unverified domain was permitted since it could be related.
Thank you, I believe the focus should be on the validation function for identifier_uris.
Fixed in #1351