hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Plugin crash on azuread_privileged_access_group_eligibility_schedule resource with permanent_assignment=true #1372

Closed akselleirv closed 2 months ago

akselleirv commented 2 months ago

Terraform (and AzureAD Provider) Version

terraform v1.5.7

Affected Resource(s)

Terraform Configuration Files

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.49.0"
    }
  }
}

provider "azuread" {}

data "azuread_client_config" "current" {}

resource "azuread_group" "main" {
  display_name            = "my-group"
  owners                  = [data.azuread_client_config.current.object_id]
  security_enabled        = true
  prevent_duplicate_names = true
}

resource "azuread_group" "pim" {
  display_name            = "my-pim-group"
  owners                  = [data.azuread_client_config.current.object_id]
  security_enabled        = true
  prevent_duplicate_names = true
}

resource "azuread_group_role_management_policy" "main" {
  group_id = azuread_group.pim.id
  role_id  = "member"

  eligible_assignment_rules {
    expiration_required = false
  }
}

resource "azuread_privileged_access_group_eligibility_schedule" "main" {
  group_id             = azuread_group.pim.id
  principal_id         = azuread_group.main.object_id
  assignment_type      = "member"
  permanent_assignment = true
  justification        = "as requested"

  depends_on = [azuread_group_role_management_policy.main]
}

Debug Output

The first time the terraform files are applied: https://gist.github.com/akselleirv/a0307596843f5ffd18350866a7b8ba5b

The second time the terraform is applied: https://gist.github.com/akselleirv/1711a191372b187329d611a2d43d966f

The line it complains about: https://github.com/hashicorp/terraform-provider-azuread/blob/main/internal/services/identitygovernance/privileged_access_group_eligiblity_schedule_resource.go#L169

I guess it should not check the expiry date, as that is probably nil when permanent_assignment = true?

Expected Behavior

It should have been able to apply it without a crash.

Actual Behavior

It crashes but is able to create the resources with expiration type permanent: image

Steps to Reproduce

  1. terraform apply (first crash)
  2. terraform apply (complains about role assignment already existing)

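As an added illustration of the nil guard the report points at (example code, not the provider's own; the ScheduleInfo and ExpirationPattern types are stand-ins for the Graph schedule model, with "noExpiration" as the permanent type), this read step tolerates every optional field being absent, which is exactly the shape a permanent_assignment = true schedule comes back in:

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical stand-in for the Graph API's scheduleInfo/expiration objects;
// field names are an assumption, not copied from the provider.
type ExpirationPattern struct {
	Type        string     // "noExpiration", "afterDateTime", "afterDuration"
	EndDateTime *time.Time // nil for permanent (noExpiration) assignments
	Duration    *string    // ISO 8601 duration, nil unless Type is afterDuration
}

type ScheduleInfo struct {
	StartDateTime *time.Time
	Expiration    *ExpirationPattern
}

// ScheduleState is what a flatten step would write back into Terraform state.
type ScheduleState struct {
	PermanentAssignment bool
	StartDate           string
	ExpirationDate      string
	Duration            string
}

// flattenSchedule is the read-side step: it must never dereference a pointer
// it has not checked, because the API legitimately omits the expiry date.
func flattenSchedule(s *ScheduleInfo) (ScheduleState, error) {
	var out ScheduleState
	if s == nil {
		return out, fmt.Errorf("schedule info missing from API response")
	}
	if s.StartDateTime != nil {
		out.StartDate = s.StartDateTime.Format(time.RFC3339)
	}
	exp := s.Expiration
	if exp == nil || exp.Type == "noExpiration" {
		out.PermanentAssignment = true // EndDateTime is nil here; do not read it
		return out, nil
	}
	if exp.EndDateTime != nil { // guard before dereferencing
		out.ExpirationDate = exp.EndDateTime.Format(time.RFC3339)
	}
	if exp.Duration != nil {
		out.Duration = *exp.Duration
	}
	return out, nil
}
```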
manicminer commented 2 months ago

@akselleirv Thanks for reporting this crash and for attaching debug logs. I've fixed up several potential crashes including this one, and we'll push out a patch release early on Monday for this.

akselleirv commented 2 months ago

Thank you @manicminer for the quick fix!