hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Segfault Attempting to Import azuread_service_principal_token_signing_certificate #1080

Closed vschum closed 1 year ago

vschum commented 1 year ago

Terraform (and AzureAD Provider) Version

terraform -v
Terraform v1.4.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.63.0
+ provider registry.terraform.io/hashicorp/azuread v2.37.2
+ provider registry.terraform.io/hashicorp/http v3.2.1
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1

Affected Resource(s)

azuread_service_principal_token_signing_certificate

resource "azuread_service_principal_token_signing_certificate" "this" {
  service_principal_id = azuread_service_principal.this.id
}

Debug Output

https://gist.github.com/vschum/f8fcc4d4cca06c61aa47245445f9ee55

Expected Behavior

Existing resource is imported.

Actual Behavior

Provider plugin segfaults.

Steps to Reproduce

  1. terraform import -var-file=environments/prod.tfvars module.adfs_readonly_application.azuread_service_principal_token_signing_certificate.this cd6e112f-ab30-4b63-be67-886288099624/tokenSigningCertificate/76710fde-d07b-4995-8abf-6cdfc0722cb6

Important Factoids

This service principal has a keyCredential and passwordCredential with the same keyId.

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
  "id": "cd6e112f-ab30-4b63-be67-886288099624",
  "deletedDateTime": null,
  "accountEnabled": true,
  "alternativeNames": [],
  "appDisplayName": "AWSGlobalReadOnly",
  "appDescription": null,
  "appId": "3229171e-edaa-4ee7-aa2d-129feea704ca",
  "applicationTemplateId": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
  "appOwnerOrganizationId": "3cb070fe-7299-4f60-b422-59adc339decf",
  "appRoleAssignmentRequired": true,
  "createdDateTime": "2022-11-17T18:14:15Z",
  "description": null,
  "disabledByMicrosoftStatus": null,
  "displayName": "AWSGlobalReadOnly",
  "homepage": "https://*.signin.aws.amazon.com/platform/saml/acs/*?metadata=awssinglesignon|ISV9.1|primary|z",
  "loginUrl": null,
  "logoutUrl": null,
  "notes": null,
  "notificationEmailAddresses": [
    "email@address.com"
  ],
  "preferredSingleSignOnMode": "saml",
  "preferredTokenSigningKeyThumbprint": "EFFD0A39AC68A765B373820A87CBDE4923EA37CA",
  "replyUrls": [
    "https://signin.aws.amazon.com/saml"
  ],
  "servicePrincipalNames": [
    "https://signin.aws.amazon.com/saml#893508359344",
    "3229171e-edaa-4ee7-aa2d-129feea704ca"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADMyOrg",
  "tags": [
    "WindowsAzureActiveDirectoryIntegratedApp"
  ],
  "tokenEncryptionKeyId": null,
  "addIns": [],
  "appRoles": [],
  "info": {
    "logoUrl": null,
    "marketingUrl": null,
    "privacyStatementUrl": null,
    "supportUrl": null,
    "termsOfServiceUrl": null
  },
  "keyCredentials": [
    {
      "customKeyIdentifier": "7/0KOaxop2Wzc4IKh8veSSPqN8o=",
      "displayName": "CN=Microsoft Azure Federated SSO Certificate",
      "endDateTime": "2024-11-16T13:16:05Z",
      "key": null,
      "keyId": "00adcd55-8b02-439b-8beb-fe93926e9e18",
      "startDateTime": "2022-11-17T18:06:07.2784674Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify"
    },
    {
      "customKeyIdentifier": "7/0KOaxop2Wzc4IKh8veSSPqN8o=",
      "displayName": "CN=Microsoft Azure Federated SSO Certificate",
      "endDateTime": "2024-11-16T13:16:05Z",
      "key": null,
      "keyId": "76710fde-d07b-4995-8abf-6cdfc0722cb6",
      "startDateTime": "2022-11-17T18:06:07.2784674Z",
      "type": "AsymmetricX509Cert",
      "usage": "Sign"
    }
  ],
  "oauth2PermissionScopes": [],
  "passwordCredentials": [
    {
      "customKeyIdentifier": "7/0KOaxop2Wzc4IKh8veSSPqN8o=",
      "displayName": "CN=Microsoft Azure Federated SSO Certificate",
      "endDateTime": "2024-11-16T13:16:05Z",
      "hint": null,
      "keyId": "76710fde-d07b-4995-8abf-6cdfc0722cb6",
      "secretText": null,
      "startDateTime": "2022-11-17T18:06:07.2784674Z"
    }
  ],
  "resourceSpecificApplicationPermissions": [],
  "samlSingleSignOnSettings": {
    "relayState": ""
  },
  "verifiedPublisher": {
    "displayName": null,
    "verifiedPublisherId": null,
    "addedDateTime": null
  }
}


manicminer commented 1 year ago

Hi @vschum, thank you for reporting this crash and for providing a full log. It looks like the API is returning null instead of the certificate data here. We can easily fix the crash, but it's unlikely you'll get much value from importing this particular certificate since the API is not returning it.
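The null-key case described in the comment above, as an added example that is not the provider's own code: a Go pre-import check that parses the import ID format from the report (`<servicePrincipalId>/tokenSigningCertificate/<keyId>`), decodes a Graph `servicePrincipal` response, and returns a descriptive error instead of dereferencing a nil `key`. It also decodes the `customKeyIdentifier` to the SHA-1 thumbprint so it can be compared with `preferredTokenSigningKeyThumbprint`. The embedded JSON is a constructed, trimmed copy of the response in the issue plus one made-up credential whose key is not a certificate; the function names and sentinel errors are this example's own.

```go
package main

import (
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so a caller can tell "nothing to import" apart from other failures.
var (
	ErrNoKeyMaterial = errors.New("keyCredential has no key material in the API response")
	ErrNotFound      = errors.New("no keyCredential with that keyId on the service principal")
)

// keyCredential mirrors the Graph keyCredential fields relevant to a signing certificate.
// Key is a pointer so a JSON null (as in the issue) stays distinguishable from "".
type keyCredential struct {
	CustomKeyIdentifier string  `json:"customKeyIdentifier"`
	DisplayName         string  `json:"displayName"`
	Key                 *string `json:"key"`
	KeyID               string  `json:"keyId"`
	Type                string  `json:"type"`
	Usage               string  `json:"usage"`
}

type servicePrincipal struct {
	ID                                 string          `json:"id"`
	PreferredTokenSigningKeyThumbprint string          `json:"preferredTokenSigningKeyThumbprint"`
	KeyCredentials                     []keyCredential `json:"keyCredentials"`
}

// sampleServicePrincipal is a constructed, trimmed copy of the response quoted in the
// issue (both real credentials have "key": null) plus a made-up third credential whose
// key decodes to non-certificate bytes, to exercise the parse-failure path.
const sampleServicePrincipal = `{
  "id": "cd6e112f-ab30-4b63-be67-886288099624",
  "preferredTokenSigningKeyThumbprint": "EFFD0A39AC68A765B373820A87CBDE4923EA37CA",
  "keyCredentials": [
    {"customKeyIdentifier": "7/0KOaxop2Wzc4IKh8veSSPqN8o=", "displayName": "CN=Microsoft Azure Federated SSO Certificate",
     "key": null, "keyId": "00adcd55-8b02-439b-8beb-fe93926e9e18", "type": "AsymmetricX509Cert", "usage": "Verify"},
    {"customKeyIdentifier": "7/0KOaxop2Wzc4IKh8veSSPqN8o=", "displayName": "CN=Microsoft Azure Federated SSO Certificate",
     "key": null, "keyId": "76710fde-d07b-4995-8abf-6cdfc0722cb6", "type": "AsymmetricX509Cert", "usage": "Sign"},
    {"customKeyIdentifier": "AAAA", "displayName": "constructed-garbage",
     "key": "bm90LWEtY2VydGlmaWNhdGU=", "keyId": "11111111-2222-3333-4444-555555555555", "type": "AsymmetricX509Cert", "usage": "Sign"}
  ]
}`

// parseImportID splits "<servicePrincipalId>/tokenSigningCertificate/<keyId>".
func parseImportID(id string) (spID, keyID string, err error) {
	parts := strings.Split(id, "/")
	if len(parts) != 3 || parts[1] != "tokenSigningCertificate" || parts[0] == "" || parts[2] == "" {
		return "", "", fmt.Errorf("unexpected import ID %q, want <spId>/tokenSigningCertificate/<keyId>", id)
	}
	return parts[0], parts[2], nil
}

// thumbprintHex converts a base64 customKeyIdentifier to the upper-case hex form
// Graph uses for preferredTokenSigningKeyThumbprint.
func thumbprintHex(customKeyIdentifier string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(customKeyIdentifier)
	if err != nil {
		return "", fmt.Errorf("customKeyIdentifier is not base64: %w", err)
	}
	return strings.ToUpper(hex.EncodeToString(raw)), nil
}

// findSigningCert returns the parsed certificate for keyID or a descriptive error.
// It checks Key for nil before using it, which is the check the crash was missing.
func findSigningCert(sp *servicePrincipal, keyID string) (*x509.Certificate, error) {
	for i := range sp.KeyCredentials {
		kc := &sp.KeyCredentials[i]
		if kc.KeyID != keyID {
			continue
		}
		if kc.Usage != "Sign" || kc.Type != "AsymmetricX509Cert" {
			return nil, fmt.Errorf("keyCredential %s is %s/%s, not AsymmetricX509Cert with usage Sign", kc.KeyID, kc.Type, kc.Usage)
		}
		if kc.Key == nil || *kc.Key == "" {
			return nil, fmt.Errorf("keyCredential %s (%s): %w", kc.KeyID, kc.DisplayName, ErrNoKeyMaterial)
		}
		der, err := base64.StdEncoding.DecodeString(*kc.Key)
		if err != nil {
			return nil, fmt.Errorf("keyCredential %s: key is not valid base64: %w", kc.KeyID, err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("keyCredential %s: key is not a DER certificate: %w", kc.KeyID, err)
		}
		return cert, nil
	}
	return nil, fmt.Errorf("keyId %s on service principal %s: %w", keyID, sp.ID, ErrNotFound)
}

// checkImport is the whole pre-import check: parse the ID, decode the response,
// confirm the service principal matches, and find a certificate that can be read.
func checkImport(importID string, raw []byte) (*x509.Certificate, error) {
	spID, keyID, err := parseImportID(importID)
	if err != nil {
		return nil, err
	}
	var sp servicePrincipal
	if err := json.Unmarshal(raw, &sp); err != nil {
		return nil, fmt.Errorf("decoding service principal: %w", err)
	}
	if sp.ID != spID {
		return nil, fmt.Errorf("response is for service principal %s, import ID names %s", sp.ID, spID)
	}
	return findSigningCert(&sp, keyID)
}

func main() {
	const importID = "cd6e112f-ab30-4b63-be67-886288099624/tokenSigningCertificate/76710fde-d07b-4995-8abf-6cdfc0722cb6"
	cert, err := checkImport(importID, []byte(sampleServicePrincipal))
	switch {
	case errors.Is(err, ErrNoKeyMaterial):
		fmt.Println("refusing import:", err) // the issue's case: the API returned key: null
	case err != nil:
		fmt.Println("error:", err)
	default:
		fmt.Println("would import certificate", cert.Subject)
	}
}
```

Run against the issue's own import ID, the check stops with a "no key material" error rather than a panic. Note that the `customKeyIdentifier` on both credentials decodes to exactly the `preferredTokenSigningKeyThumbprint` in the response, so the credential is the tenant's active SAML signing certificate even though Graph returns no certificate bytes for it; that is why importing it yields nothing useful, as the maintainer notes.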

vschum commented 1 year ago

Thanks. Yes; I figured there was something going on with the cert but figured I'd at least report the panic.


github-actions[bot] commented 1 year ago

This functionality has been released in v2.38.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!