hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_app_role_assignment not properly assigning the role #1409

Open detredwings02 opened 3 weeks ago

detredwings02 commented 3 weeks ago

Community Note

Terraform (and AzureAD Provider) Version

Affected Resource(s)

Terraform Configuration Files

# variables.tf
variable "azuread_service_principals" {
  type = any
  default = [
    {
      display_name_suffix           = "LogViewer"
      app_role_create               = true
      app_role_allowed_member_types = ["User"]
      app_role_description          = "Access Connect Logs"
      app_role_display_name         = "ConnectLogViewers"
      app_role_value                = "LogViewer.Read"
      set_web_redirect_uris         = true
    },
    {
      display_name_suffix   = "AppInsights"
      app_role_create       = false
      set_web_redirect_uris = false
    }
  ]
}

# locals.tf
locals {
  azuread_service_principals = [for s in concat(var.azuread_service_principals, var.azuread_service_principals_additional) :
    {
      display_name                  = tostring(try(s.display_name, "${data.azurerm_subscription.current.display_name}-${local.location}-${s.display_name_suffix}"))
      owners                        = [data.azurerm_client_config.current.object_id]
      password_rotation_increment   = tonumber(try(s.password_rotation_increment, null))
      app_role_create               = tobool(try(s.app_role_create, false))
      app_role_allowed_member_types = toset(try(s.app_role_allowed_member_types, null))
      app_role_description          = tostring(try(s.app_role_description, null))
      app_role_display_name         = tostring(try(s.app_role_display_name, null))
      app_role_value                = tostring(try(s.app_role_value, null))
      web_redirect_uris             = toset(try(s.web_redirect_uris, s.set_web_redirect_uris != true ? null : local.azuread_service_principals_web_redirect_uris))
    }
  ]
}

locals {
  app_role_groups = [
    "${local.environment}_LogViewers",
    "Global_LogViewers"
  ]
}

# data.tf

data "azuread_group" "app_roles" {
  for_each = toset(
    [for g in local.app_role_groups : g]
  )
  display_name = each.key
}

locals {
  azuread_app_role_assignments = flatten([
    for a in local.azuread_service_principals : a.app_role_create == true ? [
      for g in data.azuread_group.app_roles :
      {
        application_display_name = a.display_name
        app_role_value           = a.app_role_value
        display_name             = g.display_name
        app_role_id              = azuread_application.test[a.display_name].app_role_ids[a.app_role_value]
        principal_object_id      = g.object_id
        resource_object_id       = azuread_service_principal.test[a.display_name].object_id
      }
    ] : []
  ])
}

# application.tf
resource "azuread_app_role_assignment" "test" {
  for_each            = { for a in local.azuread_app_role_assignments : a.display_name => a }
  app_role_id         = azuread_application.test[each.value.application_display_name].app_role_ids[each.value.app_role_value]
  principal_object_id = each.value.principal_object_id
  resource_object_id  = each.value.resource_object_id
}

Debug Output

Panic Output

Expected Behavior

The app role groups should be assigned the app roles. Please note there are NO errors in the plan or apply.

The service principal used to run terraform has these API permissions: [image]. It is an owner of both the Enterprise application and the service principal.

Actual Behavior

This is the app role: [image]

The app role groups are "partially" added to the app role as below: [image]

But when I click on 'edit assignment' you can see that it is 'none' and no role is assigned: [image]

Steps to Reproduce

  1. terraform apply

Important Factoids

References

nbaju1 commented 2 weeks ago

This is the actual behavior when you manually add an assignment in Entra ID and then edit it. Not sure what you mean by "partially" assigned, that picture states that the roles are assigned.
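
One way to check the assignments independently of the portal view, as an added example that is not part of the original issue or the provider's code: compare the body returned by Microsoft Graph `GET /servicePrincipals/{resource_object_id}/appRoleAssignedTo` with the `principal_object_id` / `app_role_id` pairs the configuration is meant to create. The function names and all GUIDs are constructed for illustration, and the response is assumed to have been fetched already with any pages merged.

```python
# Added example: audit app role assignments from a Microsoft Graph response.
DEFAULT_ROLE_ID = "00000000-0000-0000-0000-000000000000"  # Graph's "no specific role" id


def index_by_principal(graph_response):
    """Map principalId -> set of appRoleIds from an appRoleAssignedTo body."""
    actual = {}
    for item in graph_response.get("value", []):
        actual.setdefault(item["principalId"].lower(), set()).add(item["appRoleId"].lower())
    return actual


def audit_assignments(graph_response, expected):
    """Classify each expected (principal_object_id, app_role_id) pair."""
    actual = index_by_principal(graph_response)
    report = {}
    for principal_id, role_id in expected:
        roles = actual.get(principal_id.lower(), set())
        if role_id.lower() in roles:
            report[principal_id] = "assigned"
        elif DEFAULT_ROLE_ID in roles:
            report[principal_id] = "default-access-only"
        elif roles:
            report[principal_id] = "other-role"
        else:
            report[principal_id] = "missing"
    return report


def unexpected_principals(graph_response, expected):
    """Principals that hold an assignment on the resource but are not expected to."""
    wanted = {p.lower() for p, _ in expected}
    return sorted(set(index_by_principal(graph_response)) - wanted)


# Constructed sample data: every GUID below is a placeholder, not a real tenant value.
ROLE_ID = "11111111-1111-1111-1111-111111111111"
ENV_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"
GLOBAL_GROUP = "aaaaaaaa-0000-0000-0000-000000000002"
EXTRA_USER = "aaaaaaaa-0000-0000-0000-000000000003"
SAMPLE = {"value": [
    {"principalId": ENV_GROUP, "principalType": "Group", "appRoleId": ROLE_ID},
    {"principalId": EXTRA_USER, "principalType": "User", "appRoleId": DEFAULT_ROLE_ID},
]}
EXPECTED = [(ENV_GROUP, ROLE_ID), (GLOBAL_GROUP, ROLE_ID)]

if __name__ == "__main__":
    print(audit_assignments(SAMPLE, EXPECTED))
    print(unexpected_principals(SAMPLE, EXPECTED))
```

A status of `default-access-only` means the principal is assigned to the application but with the all-zero role id rather than the declared app role.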