hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_synchronization_job_provision_on_demand sometimes deploys prior to the Entra group being assigned to the enterprise application #1423

Open Eternious opened 1 week ago

Eternious commented 1 week ago


Terraform (and AzureAD Provider) Version

Affected Resource(s)

Terraform Configuration Files


resource "azuread_group" "test" {
  display_name     = "TestGroup"
  security_enabled = true
}

resource "azuread_access_package_resource_catalog_association" "test" {
  catalog_id             = "<Some pre-existing catalog id>"
  resource_origin_id     = azuread_group.test.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package" "test" {
  catalog_id   = "<Some pre-existing catalog id>"
  display_name = "TestPackage"
  description  = "Test Package"
}

resource "azuread_access_package_resource_package_association" "test" {
  access_package_id               = azuread_access_package.test.id
  catalog_resource_association_id = azuread_access_package_resource_catalog_association.test.id
  access_type                     = "Member"
}

resource "azuread_access_package_assignment_policy" "test" {
  access_package_id = azuread_access_package.test.id
  display_name      = "Initial Policy"
  description       = "Initial Policy"
  duration_in_days  = 1
  requestor_settings {
    scope_type        = "SpecificDirectorySubjects"
    requests_accepted = true
    requestor {
      object_id    = "<Some pre-existing group object id>"
      subject_type = "groupMembers"
    }
  }
}

# Assigns the group to the enterprise application. The resource returns success as
# soon as the assignment is created, before it has propagated in the directory.
resource "azuread_app_role_assignment" "test" {
  app_role_id         = "<Some pre-existing enterprise application role id>"
  principal_object_id = azuread_group.test.object_id
  resource_object_id  = "<Some pre-existing enterprise application object id>"
}

# depends_on only orders the apply; it does not wait for the assignment above to
# become visible to the provisioning service, hence the race described below.
resource "azuread_synchronization_job_provision_on_demand" "test" {
  depends_on             = [azuread_app_role_assignment.test]
  service_principal_id   = "<Some pre-existing enterprise application object id>"
  synchronization_job_id = "<Some pre-existing enterprise application synchronization job id>"
  parameter {
    rule_id = "<Some pre-existing enterprise application synchronization job rule id>"
    subject {
      object_id        = azuread_group.test.object_id
      object_type_name = "Group"
    }
  }
}

Expected Behavior

The azuread_synchronization_job_provision_on_demand resource should allow for propagation of the Entra group being assigned to the enterprise application.

It should retry if the expected group has not yet propagated after being assigned.

Actual Behavior

Sometimes the azuread_synchronization_job_provision_on_demand resource will deploy prior to the Entra group assignment to the enterprise application propagating, causing a failed provision.

Below log from the Audit Logs of the Enterprise App:

The Group 'TestGroup' will be skipped due to the following reasons: 1) This object is not assigned to the application. If you did not expect the object to be skipped, assign the object to the application or change your scoping filter to allow all users and groups to be in scope for provisioning.

Steps to Reproduce

  1. terraform apply

vegardx commented 6 days ago

I think it would make more sense to fix azuread_app_role_assignment so that it waits for propagation to return success rather than retrying azuread_synchronization_job_provision_on_demand until it succeeds. I'm fairly new to using the AzureAD provider, and Azure in general, and was just bitten by this because I expected that an assignment was propagated when it returned success. Took me some time to realize.

But either option works. We should at the very least update the documentation on azuread_app_role_assignment to add a notice about propagation.
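Both the issue's expectation (retry until the group has propagated) and the comment above (make the assignment resource wait before reporting success) come down to the same consistency wait: poll the service principal's app role assignments until the new (appRoleId, principalId) pair is actually listed, back off between polls, stop on a deadline, and do not retry real failures such as a permission error. The Go below is an added example of that wait and is not the provider's own code; the `AppRoleAssignment` struct, the `AssignmentLister` interface and the `fakeGraph` client are hypothetical, constructed so the example runs offline, and the interface is assumed to stand in for a call to the Microsoft Graph `appRoleAssignedTo` relationship on the service principal.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrNotPropagated means the directory has not yet surfaced the new assignment;
// it is the only error WaitForAssignment retries on.
var ErrNotPropagated = errors.New("app role assignment not yet visible on the service principal")

// AppRoleAssignment is a minimal view of a Graph appRoleAssignment object
// (hypothetical struct for this example, not the provider's own type).
type AppRoleAssignment struct {
	AppRoleID   string
	PrincipalID string
}

// AssignmentLister abstracts listing the assignments on a service principal
// (assumed to map to GET /servicePrincipals/{id}/appRoleAssignedTo).
type AssignmentLister interface {
	ListAppRoleAssignedTo(ctx context.Context, servicePrincipalID string) ([]AppRoleAssignment, error)
}

// WaitForAssignment polls until the (appRoleId, principalId) pair is listed on the
// service principal, sleeping with exponential backoff capped at maxDelay. It returns
// the number of attempts made, stops immediately on any error other than
// ErrNotPropagated, and gives up when ctx expires.
func WaitForAssignment(ctx context.Context, c AssignmentLister, spID, appRoleID, principalID string,
	initialDelay, maxDelay time.Duration) (int, error) {
	delay := initialDelay
	attempts := 0
	for {
		attempts++
		list, err := c.ListAppRoleAssignedTo(ctx, spID)
		if err == nil {
			for _, a := range list {
				if a.AppRoleID == appRoleID && a.PrincipalID == principalID {
					return attempts, nil // assignment is visible: safe to provision on demand
				}
			}
			err = ErrNotPropagated // empty or incomplete list: not propagated yet
		}
		if !errors.Is(err, ErrNotPropagated) {
			return attempts, err // permission or transport failures are not retried
		}
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("gave up after %d attempts: %w", attempts, ctx.Err())
		case <-time.After(delay):
		}
		if delay *= 2; delay > maxDelay {
			delay = maxDelay
		}
	}
}

// fakeGraph simulates eventual consistency (constructed for this example): the
// assignment appears only after visibleAfter list calls, or every call fails with err.
type fakeGraph struct {
	calls, visibleAfter int
	assignment          AppRoleAssignment
	err                 error
}

func (f *fakeGraph) ListAppRoleAssignedTo(context.Context, string) ([]AppRoleAssignment, error) {
	f.calls++
	if f.err != nil {
		return nil, f.err
	}
	if f.calls <= f.visibleAfter {
		return nil, nil // empty list and no error: what the directory reports before propagation
	}
	return []AppRoleAssignment{f.assignment}, nil
}

// Placeholder identifiers; real values would be the role id and group object id from the config.
var target = AppRoleAssignment{AppRoleID: "role-placeholder", PrincipalID: "group-placeholder"}

// demoPropagates: the assignment becomes visible on the 4th call, so the wait succeeds.
func demoPropagates() (int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	g := &fakeGraph{visibleAfter: 3, assignment: target}
	return WaitForAssignment(ctx, g, "sp-placeholder", target.AppRoleID, target.PrincipalID, 5*time.Millisecond, 50*time.Millisecond)
}

// demoTimesOut: the assignment never shows up, so the context deadline is what stops the loop.
func demoTimesOut() (int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Millisecond)
	defer cancel()
	g := &fakeGraph{visibleAfter: 1 << 30, assignment: target}
	return WaitForAssignment(ctx, g, "sp-placeholder", target.AppRoleID, target.PrincipalID, 10*time.Millisecond, 20*time.Millisecond)
}

// demoHardError: a real Graph failure is returned after a single attempt, not retried.
func demoHardError() (int, error) {
	g := &fakeGraph{err: errors.New("403 Forbidden (constructed)")}
	return WaitForAssignment(context.Background(), g, "sp-placeholder", target.AppRoleID, target.PrincipalID, time.Millisecond, time.Millisecond)
}

func main() {
	for _, d := range []struct {
		name string
		run  func() (int, error)
	}{{"propagates", demoPropagates}, {"timesOut", demoTimesOut}, {"hardError", demoHardError}} {
		n, err := d.run()
		fmt.Printf("%-10s attempts=%d err=%v\n", d.name, n, err)
	}
}
```

The distinction between `ErrNotPropagated` and every other error is the part worth keeping whichever resource ends up owning the wait: retrying blindly on a 403 would hide a missing Graph permission behind a timeout, while retrying only on "not listed yet" turns the race in this issue into a bounded wait with a clear error when the deadline is exceeded.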