hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

addTokenSigningCertificate Invalid Parameters GCC High #1447

Open offlineadmin opened 3 months ago

offlineadmin commented 3 months ago

Terraform (and AzureAD Provider) Version

Terraform v1.9.3 provider registry.terraform.io/hashicorp/azuread v2.53.1

Affected Resource(s)

Terraform Configuration Files

resource "azuread_application" "nexusdev" {
  display_name = "Nexus Dev"
}

resource "azuread_service_principal" "nexusdev" {
  client_id = azuread_application.nexusdev.client_id
}

resource "azuread_service_principal_token_signing_certificate" "nexusdev" {
  service_principal_id = azuread_service_principal.nexusdev.object_id
}

Debug Output

https://gist.github.com/offlineadmin/f039c2015b3dc34748be3c75abd111e8

Panic Output

Expected Behavior

Resource should have been created

Actual Behavior

2024-07-31T13:38:10.127-0700 [ERROR] vertex "azuread_service_principal_token_signing_certificate.nexusdev" error: Could not add token signing certificate to service principal with object ID: "ad81c254-7034-4c0a-b008-16db79e1815f"
╷
│ Error: Could not add token signing certificate to service principal with object ID: "ad81c254-7034-4c0a-b008-16db79e1815f"
│
│   with azuread_service_principal_token_signing_certificate.nexusdev,
│   on apps_group.tf line 46, in resource "azuread_service_principal_token_signing_certificate" "nexusdev":
│   46: resource "azuread_service_principal_token_signing_certificate" "nexusdev" {
│
│ ServicePrincipalsClient.BaseClient.Post(): unexpected status 400 with OData error: Request_BadRequest: The parameter 'type' in the request payload is not a valid parameter for the
│ operation 'addTokenSigningCertificate'.

The API post for addTokenSigningCertificate fails because TF is sending invalid parameters in the request body. See below on line 13

2024-07-31T13:38:09.998-0700 [INFO]  provider.terraform-provider-azuread_v2.53.1_x5.exe: 2024/07/31 13:38:09 [DEBUG] ============================ Begin AzureAD Request ============================
Request ID: 8d3e059a-5127-c899-377f-6a1383fffc46

POST /v1.0/servicePrincipals/ad81c254-7034-4c0a-b008-16db79e1815f/addTokenSigningCertificate HTTP/1.1
Host: graph.microsoft.us
User-Agent: HashiCorp Terraform/1.9.3 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/2.53.1 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 22
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

{"type":"","usage":""}
============================= End AzureAD Request =============================: timestamp=2024-07-31T13:38:09.998-0700
2024-07-31T13:38:10.125-0700 [INFO]  provider.terraform-provider-azuread_v2.53.1_x5.exe: 2024/07/31 13:38:10 [DEBUG] ============================ Begin AzureAD Response ===========================
POST https://graph.microsoft.us/v1.0/servicePrincipals/ad81c254-7034-4c0a-b008-16db79e1815f/addTokenSigningCertificate
Request ID: 8d3e059a-5127-c899-377f-6a1383fffc46

HTTP/2.0 400 Bad Request
Cache-Control: no-cache
Client-Request-Id: 10189254-e16b-4c6e-9708-1ff43b45cbef
Content-Type: application/json
Date: Wed, 31 Jul 2024 20:38:09 GMT
Request-Id: 10189254-e16b-4c6e-9708-1ff43b45cbef
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"USGov Virginia","Slice":"E","Ring":"6","ScaleUnit":"000","RoleInstance":"BN1NEPF0000ACFD"}}

{"error":{"code":"Request_BadRequest","message":"The parameter 'type' in the request payload is not a valid parameter for the operation 'addTokenSigningCertificate'.","innerError":{"date":"2024-07-31T20:38:10","request-id":"10189254-e16b-4c6e-9708-1ff43b45cbef","client-request-id":"10189254-e16b-4c6e-9708-1ff43b45cbef"}}}

Steps to Reproduce

  1. terraform apply -auto-approve

Important Factoids

This is in GCC High / USGov L4. I have tried this with TF for Windows and TF for Ubuntu. I manually used the API with the Graph CLI and it worked as expected with the same credentials in the same tenant.

mgc service-principals add-token-signing-certificate post --service-principal-id $ServicePrincipalCreatedByTF --body '{"displayName":"CN=IDidIt"}'

I have tried using older versions of azuread provider and terraform, but no change

References

nbaju1 commented 3 months ago

From the provider docs: "The Azure Provider can be used to configure infrastructure in Azure Active Directory using the Microsoft Graph API." If the official API docs say that this endpoint isn't available in GCC High then the provider is working as expected.

offlineadmin commented 3 months ago

The Microsoft documentation must be out of date. The endpoint is available as verified by using the Graph CLI which is a wrapper for the Graph API (https://learn.microsoft.com/en-us/graph/cli/overview).

nbaju1 commented 3 months ago

Seems like a malformed payload as the body only contains type and usage. Not sure if that is related to the region. Could you try setting the display_name argument on the resource to see if that changes the behavior and/or output?

offlineadmin commented 3 months ago

Here is the new TF resource:

resource "azuread_service_principal_token_signing_certificate" "nexusdev" {
  service_principal_id = azuread_service_principal.nexusdev.object_id
  display_name = "CN=NexusDevCert"
}

And this is the API request from the debug. Same error but display_name is shown:

Request ID: 0cdf9f4e-62df-33f3-a4ed-ac8e60cfeabe

POST /v1.0/servicePrincipals/ad81c254-7034-4c0a-b008-16db79e1815f/addTokenSigningCertificate HTTP/1.1
Host: graph.microsoft.us
User-Agent: HashiCorp Terraform/1.9.3 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/2.53.1 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 54
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

{"displayName":"CN=NexusDevCert","type":"","usage":""}
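Added example (not the provider's or the thread's code) in Go, the provider's language, contrasting the body shape seen in both debug captures above with one that omits unset fields and checking a body against the parameters the endpoint accepts. The UnexpectedParams helper and the allowed-parameter set are assumptions; endDateTime comes from the public Graph documentation, not from this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// AsSentBody (constructed, not the provider's type) reproduces the debug-log
// body: "type" and "usage" are serialized even when unset (no omitempty).
type AsSentBody struct {
	DisplayName string `json:"displayName,omitempty"`
	Type        string `json:"type"`
	Usage       string `json:"usage"`
}

// FixedBody omits unset fields, so the request carries only parameters the
// operation documents (displayName, and optionally endDateTime).
type FixedBody struct {
	DisplayName string `json:"displayName,omitempty"`
	EndDateTime string `json:"endDateTime,omitempty"`
}

// allowedParams is an assumption: the key the GCC High endpoint accepted in
// the thread (displayName) plus endDateTime from the public Graph docs.
var allowedParams = map[string]bool{"displayName": true, "endDateTime": true}

// UnexpectedParams lists JSON keys the endpoint rejects (cf. Request_BadRequest above).
func UnexpectedParams(body []byte) ([]string, error) {
	var m map[string]json.RawMessage
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	var bad []string
	for k := range m {
		if !allowedParams[k] {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	sent, _ := json.Marshal(AsSentBody{DisplayName: "CN=NexusDevCert"})
	fixed, _ := json.Marshal(FixedBody{DisplayName: "CN=NexusDevCert"})
	bad, _ := UnexpectedParams(sent)
	fmt.Println(string(sent), string(fixed), bad)
}
```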