hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_application_owner will throw error for the current user applying #1367

Closed svenclaesson closed 2 months ago

svenclaesson commented 2 months ago

Community Note

Terraform (and AzureAD Provider) Version

v2.47

Affected Resource(s)

Terraform Configuration Files

The following will throw an error (only for my user, not my colleague):

Error: A resource with the ID "/applications/.../owners/..." already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azuread_application_owner" for more information.

locals {
  owners = [
    "me@company.com",
    "colleague@company.com"
  ]
}

data "azuread_user" "o" {
  for_each            = toset(local.owners)
  user_principal_name = each.value
}

resource "azuread_application_registration" "app2" {
  display_name = "owner test application_registration"
}

resource "azuread_application_owner" "app2" {
  for_each = data.azuread_user.o

  application_id  = azuread_application_registration.app2.id
  owner_object_id = each.value.object_id
}

This works without any issues

locals {
  owners = [
    "me@company.com",
    "colleague@company.com"
  ]
}

data "azuread_user" "o" {
  for_each            = toset(local.owners)
  user_principal_name = each.value
}

resource "azuread_application" "app" {
  display_name = "owner test application"

  owners = [for user in data.azuread_user.o : user.object_id]
}

Expected Behavior

No error thrown

Actual Behavior

Since I was automatically added as owner when running terraform apply for azuread_application_registration, this error occurs.

Steps to Reproduce

  1. terraform apply

manicminer commented 2 months ago

Hi @svenclaesson, thanks for opening this issue. This is expected behavior when using the azuread_application_registration resource as we intentionally let the API set a default owner, which is typically the calling principal. This was a design goal for that resource, since the larger azuread_application resource takes the opposite approach and ensures an explicit list of owners. If you require this functionality, it's recommended to use azuread_application instead of azuread_application_registration - though you may need to use the ignore_changes lifecycle meta-argument to prevent management of properties you are setting elsewhere.

Since the import message you are seeing is to be expected, I'm going to close this issue with my recommendation above. Please feel free to open further issues for any other potential bugs you might encounter. Thanks!
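The maintainer's recommendation above, worked into a configuration as an added example (not code from this issue or from the provider's own documentation). It assumes that identifier_uris and required_resource_access are the attributes being set elsewhere, and that the principal running the apply should be listed as an owner deliberately rather than picked up implicitly from the API default:

```hcl
# Added example: explicit owner management with azuread_application.
locals {
  owners = [
    "me@company.com",        # constructed sample UPNs
    "colleague@company.com",
  ]
}

data "azuread_user" "o" {
  for_each            = toset(local.owners)
  user_principal_name = each.value
}

# The principal executing `terraform apply` (a user or a CI service principal).
# Listing it explicitly keeps ownership visible in code and in plan output
# instead of being granted silently by the API, as happens with
# azuread_application_registration.
data "azuread_client_config" "current" {}

resource "azuread_application" "app" {
  display_name = "owner test application"

  # Explicit, complete owner set (owners is a set, so a principal that is both
  # in local.owners and the caller is listed once). Any owner added outside
  # Terraform shows up as drift on the next plan, which is the review point
  # for a role that can add credentials to the application.
  owners = concat(
    [for user in data.azuread_user.o : user.object_id],
    [data.azuread_client_config.current.object_id],
  )

  lifecycle {
    # Assumed: these attributes are managed by other resources or tooling.
    # Ignoring them keeps this resource focused on identity and ownership
    # without fighting the other configuration on every apply.
    ignore_changes = [
      identifier_uris,
      required_resource_access,
    ]
  }
}
```

Because the owner set is explicit, forgetting to include the applying principal means that principal is not an owner; that is the trade-off against the registration resource's implicit default.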