`azuread_group_role_management_policy` unset `approval_stage` causes constant drift

[paul-hugill]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.5.7
on windows_amd64
+ provider registry.terraform.io/env0/env0 v1.18.7
+ provider registry.terraform.io/hashicorp/azuread v2.49.1
+ provider registry.terraform.io/hashicorp/azurerm v3.103.1
+ provider registry.terraform.io/hashicorp/random v3.6.2
+ provider registry.terraform.io/hashicorp/tfe v0.55.0
+ provider registry.terraform.io/hashicorp/time v0.7.2
+ provider registry.terraform.io/hashicorp/vault v3.8.2
+ provider registry.terraform.io/integrations/github v6.2.1

Affected Resource(s)

• azuread_group_role_management_policy

Terraform Configuration Files

resource "azuread_group_role_management_policy" "groups" {
  group_id = "xxxxx-xxxxx-xxxxx-xxxx"
  role_id  = "member"

  active_assignment_rules {
    expiration_required                = true
    expire_after                       = "P30D"
    require_justification              = true
    require_multifactor_authentication = true
    require_ticket_info                = false
  }

  eligible_assignment_rules {
    expiration_required = false
    expire_after        = "P365D"
  }

  activation_rules {
    maximum_duration                   = "PT12H"
    require_approval                   = false
    require_justification              = true
    require_multifactor_authentication = true
    require_ticket_info                = true
  }
}

Debug Output

Panic Output

Expected Behavior

Resource should not show changes

Actual Behavior

Resource shows changes on every apply. In Terraform Cloud, this doesn't show what is going to be changed, just 4 unchanged attributes hidden and 4 unchanged blocks hidden.

As a CLI run, it shows the activation_rules.approval_stage being removed:

  # module.this.azuread_group_role_management_policy.groups["data_admins"] will be updated in-place
  ~ resource "azuread_group_role_management_policy" "groups" {
        id           = "Group_663174af-0098-4588-87a4-1d10577e22f2_5b6ae689-0d59-41be-b172-3f07be7bff57"
        # (4 unchanged attributes hidden)

      ~ activation_rules {
            # (5 unchanged attributes hidden)

          - approval_stage {
            }
        }

        # (3 unchanged blocks hidden)
    }

Steps to Reproduce

1. terraform apply
2. Run the apply again and you will see resource shows changes

I have tried adding an empty approval_stage block but that requires a primary_approver which cannot be empty either.

Important Factoids

References

[paul-hugill]

Probably having the same issue with the newly released azurerm_role_management_policy resource as well, both when using v3.108.0, at least I'm having the same empty changes plans every time.

I can open an issue on that provider as well and mention this if desired.

[manicminer]

Thanks @paul-hugill, if you can open an issue for AzureRM that'd be appreciated 👍