hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Improve documentation for "azuread_application" #1354

Closed JSeluga closed 3 months ago

JSeluga commented 3 months ago
After speaking with several parties seemingly affected by this issue, for each case it was resolved by double checking the Terraform configuration in question and ensuring that the `owners` field is specified for both the linked application and the service principal itself. We'll seek to document this to help future practitioners from falling afoul here.

To clarify, owners must be set for both the application and the service principal, e.g.

data "azuread_client_config" "current" {}

resource "azuread_application" "myapp" {
  display_name = "myapp"
  owners = [
    data.azuread_client_config.current.object_id,
    # ... plus any other desired owners
  ]
}

resource "azuread_service_principal" "myapp" {
  application_id = azuread_application.myapp.application_id
  owners = [
    data.azuread_client_config.current.object_id,
    # ... plus any other desired owners
  ]
}

As such I'm going to close this issue as resolved. Terraform appears to be doing the right thing given the correct configuration. If anyone is still experiencing this after double checking their configuration, please feel free to post a further comment with your exact configuration and debug logs, and I will be happy to help investigate.

Thanks!

Originally posted by @manicminer in https://github.com/hashicorp/terraform-provider-azuread/issues/535#issuecomment-916394802

This is still not documented or a required input in azuread_application https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application#owners
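As an added example (not code from this issue or from the provider), here is a Python pre-apply check over the JSON form of a Terraform plan (`terraform show -json tfplan`) that flags any `azuread_application` or `azuread_service_principal` resource whose `owners` list does not include the deploying identity's object id; the plan document and the object id are constructed sample values, not taken from the thread. Owners populated from `azuread_client_config` are known at plan time, so they appear under `planned_values`.

```python
"""Flag azuread_application / azuread_service_principal resources in a Terraform
plan JSON whose `owners` do not include the identity running Terraform."""
import json

# Constructed sample object id of the deploying identity (assumption, not a real value).
DEPLOYER_OBJECT_ID = "00000000-0000-0000-0000-000000000001"

# Constructed plan JSON shaped like `terraform show -json`: the application lists the
# deployer as an owner, the linked service principal omits owners entirely.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "azuread_application.myapp", "type": "azuread_application",
         "values": {"display_name": "myapp", "owners": [DEPLOYER_OBJECT_ID]}},
        {"address": "azuread_service_principal.myapp", "type": "azuread_service_principal",
         "values": {"owners": None}},
    ]}}
})

CHECKED_TYPES = {"azuread_application", "azuread_service_principal"}


def iter_resources(module):
    """Yield resources from a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_missing_owner(plan_json, deployer_object_id):
    """Return addresses of checked resources that do not list the deployer as an owner.

    A null or absent `owners` counts as missing: the provider then leaves ownership
    to whatever the API assigns, which is exactly the case the issue warns about.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    missing = []
    for res in iter_resources(root):
        if res.get("type") not in CHECKED_TYPES:
            continue
        owners = res.get("values", {}).get("owners") or []
        if deployer_object_id not in owners:
            missing.append(res["address"])
    return missing


if __name__ == "__main__":
    for address in find_missing_owner(SAMPLE_PLAN, DEPLOYER_OBJECT_ID):
        print(f"{address}: owners does not include deployer {DEPLOYER_OBJECT_ID}")
```

Run it against a real plan by replacing `SAMPLE_PLAN` with the contents of `terraform show -json tfplan` and `DEPLOYER_OBJECT_ID` with the `object_id` reported by `azuread_client_config`.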

manicminer commented 3 months ago

Hi @JSeluga, thanks for raising this. We do have the following info box in both documentation pages for azuread_application and azuread_service_principal.


This won't become a required property for either resource, since as this isn't a required property in the API, users can elect to specify or omit owners to suit their particular circumstances.

It's worth noting that there are now additional resources for applications available in the provider, starting with azuread_application_registration - which does not have an owners property and always inherits the owner assigned by the API. For this reason and others, you may prefer to use these resources instead of the more monolithic azuread_application resources and I'd encourage you to try them out. Note that you would still need to explicitly manage owners for linked service principals at this time.

Since I don't believe there is anything else for us to do here, as noted above we did in fact document the requirement to carefully specify the owners when working with the Application.OwnedBy.ReadWrite app role, I'll go ahead and close this issue.