hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_service_principal_delegated_permission_grant don't want to grant #1333

Closed Nabatsar closed 2 months ago

Nabatsar commented 4 months ago

Community Note

Terraform (and AzureAD Provider) Version

Terraform v1.7.4 on linux_amd64

Affected Resource(s)

azuread_service_principal_delegated_permission_grant

Terraform Configuration Files

Here is a quick sample used to PoC the issue

resource "azuread_application" "template" {
  display_name = "notworking"
  app_role {
    id                   = "3fffef34-1bc1-4f3f-adb1-4351bf5c2ce8"
    allowed_member_types = ["Application"]
    description          = "aws.oidc"
    display_name         = "aws.oidc"
    enabled              = true
    value                = "aws.oidc"
  }
  lifecycle {
    ignore_changes = [
      required_resource_access
    ]
  }
}

# azuread_service_principal.template:
resource "azuread_service_principal" "template" {
  account_enabled              = true
  alternative_names            = []
  app_role_assignment_required = false
  client_id                    = azuread_application.template.client_id
  feature_tags {
    enterprise = true
    hide       = true
  }
  timeouts {}
}

resource "azuread_application_api_access" "timber" {
  application_id = azuread_application.template.id
  api_client_id  = azuread_application.template.client_id
  role_ids       = ["3fffef34-1bc1-4f3f-adb1-4351bf5c2ce8"]
}

resource "azuread_service_principal_delegated_permission_grant" "timber" {
  service_principal_object_id          = azuread_service_principal.template.object_id
  resource_service_principal_object_id = azuread_service_principal.template.object_id
  claim_values                         = ["aws.oidc"]
}

Apply says that all will be fine

 # azuread_service_principal_delegated_permission_grant.timber will be created
  + resource "azuread_service_principal_delegated_permission_grant" "timber" {
      + claim_values                         = [
          + "aws.oidc",
        ]
      + id                                   = (known after apply)
      + resource_service_principal_object_id = "7b0841d6-37af-4d5b-a798-a6db5d554974"
      + service_principal_object_id          = "7b0841d6-37af-4d5b-a798-a6db5d554974"
    }

Debug Output

permission_grant = {
  "claim_values" = toset([
    "aws.oidc",
  ])
  "id" = "1kEIe683W02nmKbbXVVJdNZBCHuvN1tNp5im211VSXQ"
  "resource_service_principal_object_id" = "7b0841d6-37af-4d5b-a798-a6db5d554974"
  "service_principal_object_id" = "7b0841d6-37af-4d5b-a798-a6db5d554974"
  "timeouts" = null /* object */
  "user_object_id" = ""
}

Panic Output

Expected Behavior

I expected the permission to be granted (I use this resource for Graph permissions and this is working fine so far)

Actual Behavior

Permission is still not granted

Steps to Reproduce

I could easily reproduce this

Important Factoids

References

nbaju1 commented 4 months ago

I believe you should use azuread_app_role_assignment when assigning app roles to applications. azuread_service_principal_delegated_permission_grant is for granting OAuth 2 scopes.

resource "azuread_application" "template" {
  display_name = "shouldwork"
  lifecycle {
    ignore_changes = [
      required_resource_access,
      app_role
    ]
  }
}

resource "azuread_service_principal" "template" {
  account_enabled              = true
  alternative_names            = []
  app_role_assignment_required = false
  client_id                    = azuread_application.template.client_id
  feature_tags {
    enterprise = true
    hide       = true
  }
  timeouts {}
}

# Stable id for the app role (requires the hashicorp/random provider).
resource "random_uuid" "timber" {}

resource "azuread_application_app_role" "timber" {
  application_id = azuread_application.template.id
  role_id        = random_uuid.timber.id

  # The role is assigned to a service principal below, so it must allow
  # the "Application" member type.
  allowed_member_types = ["Application"]
  description          = "My role description"
  display_name         = "Administer"
  value                = "admin"
}

resource "azuread_application_api_access" "timber" {
  application_id = azuread_application.template.id
  api_client_id  = azuread_application.template.client_id
  # role_ids takes the role UUIDs; .id would be the composite resource id.
  role_ids = [azuread_application_app_role.timber.role_id]
}

resource "azuread_app_role_assignment" "timber" {
  app_role_id         = azuread_application_app_role.timber.role_id
  principal_object_id = azuread_service_principal.template.object_id
  resource_object_id  = azuread_service_principal.template.object_id
}

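
As an added example that is not part of this thread, the two consent resources side by side against Microsoft Graph: an app role (application permission) consented through azuread_app_role_assignment, and an OAuth 2.0 scope (delegated permission) consented through azuread_service_principal_delegated_permission_grant. Resource names ending in `example` are placeholders; the Graph app ID comes from the provider's azuread_application_published_app_ids data source.

```hcl
# Added example (not from the issue). required_resource_access only records
# what the app requests; consent is a separate resource per permission kind.

data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

resource "azuread_application" "example" {
  display_name = "grant-kinds-example"

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]

    # Application permission: an app role defined by the resource.
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }

    # Delegated permission: an OAuth 2.0 scope defined by the resource.
    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
  }
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

# App roles are consented via an appRoleAssignment on the service principal.
resource "azuread_app_role_assignment" "user_read_all" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
  principal_object_id = azuread_service_principal.example.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# Scopes are consented via an oauth2PermissionGrant; claim_values holds
# scope names, never app role values, which is why the issue's grant did nothing.
resource "azuread_service_principal_delegated_permission_grant" "user_read" {
  service_principal_object_id          = azuread_service_principal.example.object_id
  resource_service_principal_object_id = data.azuread_service_principal.msgraph.object_id
  claim_values                         = ["User.Read"]
}
```
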
Nabatsar commented 4 months ago

Hello,

Indeed it's working very well... I did try azuread_app_role_assignment, but with azuread_service_principal_delegated_permission_grant at the same time, and I guess this is where my mistake was...

Thank you

manicminer commented 2 months ago

Thanks for opening this issue @Nabatsar and reporting back. Appreciate the help @nbaju1, thank you! Since this appears to be resolved with some configuration changes, I'll close this one out.