hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_access_package_assignment_policy: cannot destroy access_package policy when removing the access_package #1426

Open alsastre opened 5 days ago

alsastre commented 5 days ago

Community Note

Terraform (and AzureAD Provider) Version

Terraform v1.9.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azuread v2.52.0
+ provider registry.terraform.io/hashicorp/azurerm v3.109.0

Affected Resource(s)

Terraform Configuration Files

resource "azuread_access_package_catalog" "example" {
  display_name = "example-catalog"
  description  = "Example catalog"
}

resource "azuread_access_package" "example" {
  catalog_id   = azuread_access_package_catalog.example.id
  display_name = "Test AP"
  description  = "Access Package for granting"
}

resource "azuread_access_package_assignment_policy" "example" {
  access_package_id = azuread_access_package.example.id
  display_name      = "policy"
  description       = "My Policy"
  duration_in_days  = 90

  requestor_settings {
    scope_type = "AllExistingDirectoryMemberUsers"
  }

  approval_settings {
    approval_required = false
  }

  assignment_review_settings {
    enabled                        = true
    review_frequency               = "weekly"
    duration_in_days               = 3
    review_type                    = "Self"
    access_review_timeout_behavior = "keepAccess"
  }
}

Debug Output

Gist

Panic Output

Expected Behavior

Access package and catalog gets removed without issues

Actual Behavior

Access package removal gets blocked because the policy gets removed and later Terraform is not able to find it, reporting that it is not authorised to see the resource (which Terraform just removed). When looking at the access package from the portal, I can see the policy was successfully removed, but Terraform did not remove it from the state. If I remove the policy from the state (terraform state rm 'azuread_access_package_assignment_policy.example'), the pipeline continues as expected. If I try to rerun, plan fails as it cannot find the access_package policy.

Error message on 1st apply:

╷
│ Error: Waiting for deletion of access package assignment policy with object ID "c5671f08-4c53-4ab0-9756-09d16f5a41cd"
│ 
│ retrieving resource: AccessPackageAssignmentPolicyClient.BaseClient.Get():
│ unexpected status 403 with OData error: UnAuthorized: User is not
│ authorized to perform the operation. Reason: Unauthorized

Steps to Reproduce

  1. Configure the terraform with the above configuration file
  2. Apply the terraform which will create the objects
  3. Comment out all the code and run again. Terraform will plan the removal of all the objects.
  4. Upon apply, Terraform will remove the policy and then complain that it cannot find the policy.

Important Factoids

Due to a bug on the azcli (#1407), the terraform apply must be executed with a service principal. The service principal is configured with Identity Governance Administrator, which allows Terraform to create and remove all objects.

References
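The error above comes from the step after the DELETE, where the provider polls GET on the policy until it stops being visible. The report shows Microsoft Graph answering that poll with 403 rather than 404 for an ID that no longer exists, so a loop that only accepts 404 never finishes. The following Go program is an added illustration of that failure mode and of a guarded alternative; it is not the provider's code and does not use its client types. The names classifyStrict, classify, waitForDeletion and replay, and the replayed status sequences, are constructed for the example; the 403-after-successful-DELETE behaviour is taken from the error message in this report.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// pollResult is the decision taken after one GET in a wait-for-deletion loop.
type pollResult int

const (
	pollRetry pollResult = iota // resource still visible or transient error: poll again
	pollGone                    // resource confirmed gone: finish the destroy
	pollFail                    // unrecoverable: surface an error
)

// classifyStrict mirrors the behaviour seen in the report: only a 404 ends the
// wait, so a 403 for an already-deleted policy is reported as an error.
func classifyStrict(status int) pollResult {
	switch {
	case status == http.StatusNotFound:
		return pollGone
	case status >= 200 && status < 300:
		return pollRetry
	case status == http.StatusTooManyRequests || status >= 500:
		return pollRetry
	default:
		return pollFail
	}
}

// classify is the guarded variant: a 403 is accepted as "gone" only when the
// DELETE that preceded the poll already returned success, so a genuine
// permission problem (the DELETE itself was refused) still fails loudly.
func classify(status int, deleteSucceeded bool) pollResult {
	if status == http.StatusForbidden && deleteSucceeded {
		return pollGone
	}
	return classifyStrict(status)
}

// waitForDeletion polls get until decide settles the outcome or the attempt
// budget is spent. decide wraps one of the classifiers above so both variants
// can be exercised against the same replayed status sequence.
func waitForDeletion(get func() int, decide func(int) pollResult, maxAttempts int) error {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		status := get()
		switch decide(status) {
		case pollGone:
			return nil
		case pollFail:
			return fmt.Errorf("waiting for deletion: unexpected status %d", status)
		}
	}
	return errors.New("timed out waiting for deletion")
}

// replay returns a getter that serves a constructed list of HTTP statuses in
// order, repeating the last one once the list is exhausted (stands in for the
// real Graph GET, which is not called here).
func replay(statuses ...int) func() int {
	i := 0
	return func() int {
		if i < len(statuses)-1 {
			i++
			return statuses[i-1]
		}
		return statuses[len(statuses)-1]
	}
}

func main() {
	// Constructed replay of the report: DELETE returned 2xx, every later GET returns 403.
	strict := waitForDeletion(replay(http.StatusForbidden), classifyStrict, 5)
	fmt.Println("strict classifier:", strict)

	hardened := waitForDeletion(replay(http.StatusForbidden),
		func(s int) pollResult { return classify(s, true) }, 5)
	fmt.Println("guarded, DELETE succeeded:", hardened)

	// The DELETE itself was refused: a 403 must still be an error, not "gone".
	denied := waitForDeletion(replay(http.StatusForbidden),
		func(s int) pollResult { return classify(s, false) }, 5)
	fmt.Println("guarded, DELETE denied:", denied)
}
```

The guard matters because an assignment policy is the object that actually grants access: dropping it from state on any 403 would leave an unmanaged, still-active policy in the tenant if the DELETE had not really taken effect. Accepting 403 only after a confirmed successful DELETE keeps the destroy from wedging in the case reported here while still surfacing a real authorization failure, and until the provider handles this case, the manual equivalent is the terraform state rm workaround the reporter describes.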