hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_group_role_management_policy throws 400 about rules #1467

Open kenchan0130 opened 2 months ago

kenchan0130 commented 2 months ago

Community Note

Terraform (and AzureAD Provider) Version

Terraform Version: 1.9.5
Azuread Version: 2.53.1

Affected Resource(s)

Terraform Configuration Files

resource "azuread_group_role_management_policy" "this" {
  group_id = "xxxxxxxxxxxxxxxxxxx"
  role_id  = "member"

  eligible_assignment_rules {
    expiration_required = false
  }

  activation_rules {
    maximum_duration      = "PT9H"
    require_approval      = true
    require_ticket_info   = true
    require_justification = true
    approval_stage {
      primary_approver {
        object_id = "xxxxxxxxxxxxxxxxxxx"
        type      = "singleUser"
      }
    }
  }

  notification_rules {
    eligible_activations {
      admin_notifications {
        notification_level = "All"
        default_recipients = true
        additional_recipients = ["test@example.com"]
      }
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true
        additional_recipients = ["test@example.com"]
      }
    }
  }
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

I would have expected the policy rules to be updated if there was a difference in the rules.

Actual Behavior

│ Error: Could not create assignment schedule request, RoleDefinitionsClient.BaseClient.Patch(): unexpected status 400 with OData error: ActivationCustomApproversNotEmpty: The activation custom approvers should be empty.
│ 
│   with azuread_group_role_management_policy.exmaple,
│   on main.tf line 9, in resource "azuread_group_role_management_policy" "exmaple":
│    9: resource "azuread_group_role_management_policy" "exmaple" {
│ 
│ Could not create assignment schedule request,
│ RoleDefinitionsClient.BaseClient.Patch(): unexpected status 400 with OData
│ error: ActivationCustomApproversNotEmpty: The activation custom approvers
│ should be empty.
╵

Steps to Reproduce

  1. terraform apply

  2. Edit the rules

    resource "azuread_group_role_management_policy" "this" {
      group_id = "xxxxxxxxxxxxxxxxxxx"
      role_id  = "member"
    
      eligible_assignment_rules {
        expiration_required = false
      }
    
      activation_rules {
        maximum_duration      = "PT9H"
        require_approval      = true
        require_ticket_info   = true
        require_justification = true
        approval_stage {
          primary_approver {
            object_id = "xxxxxxxxxxxxxxxxxxx"
            type      = "singleUser"
          }
        }
      }
    
      notification_rules {
        eligible_activations {
          admin_notifications {
            notification_level = "All"
            default_recipients = true
            additional_recipients = ["test@example.com"]
          }
          assignee_notifications {
            notification_level = "All"
            default_recipients = true
            additional_recipients = ["test@example.com"]
          }
          // add this block
          approver_notifications {
            notification_level = "All"
            default_recipients    = true
            additional_recipients = ["test2@example.com"]
          }
        }
      }
    }
  3. terraform apply

Important Factoids

N/A

References

N/A

kenchan0130 commented 2 months ago

When I check on the UI, in the approver's email notification settings field, it says

Only designated approvers can receive this email.

I think this is due to the fact that it is not possible to set the email settings for the approvers in the specifications.
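As an added example (not part of this issue and not the provider's own code), here is one way to keep the two settings from being combined in the first place, assuming the reporter's hypothesis above is right: that approver notification settings cannot be set when a custom approver is designated. The custom approver and the approver recipients are passed in as variables, the `approval_stage` and `approver_notifications` blocks are generated only when their input is set, and a `lifecycle` `precondition` turns the conflicting combination into a plan-time error instead of a 400 at apply time. The variable names, the `notify_*` locals and the resource name are assumptions; whether `require_approval = true` is accepted without an `approval_stage` is not established by the issue and is also assumed.

```hcl
variable "group_id" {
  type = string
}

# Constructed input: leave null to require approval without designating a custom approver.
variable "approver_object_id" {
  type    = string
  default = null
}

# Constructed input: extra recipients for approver notifications (empty = no approver_notifications block).
variable "approver_recipients" {
  type    = list(string)
  default = []
}

locals {
  has_custom_approver = var.approver_object_id != null
  notify_approvers    = length(var.approver_recipients) > 0
}

resource "azuread_group_role_management_policy" "this" {
  group_id = var.group_id
  role_id  = "member"

  eligible_assignment_rules {
    expiration_required = false
  }

  activation_rules {
    maximum_duration      = "PT9H"
    require_approval      = true
    require_ticket_info   = true
    require_justification = true

    # Emitted only when a custom approver is designated.
    dynamic "approval_stage" {
      for_each = local.has_custom_approver ? [1] : []
      content {
        primary_approver {
          object_id = var.approver_object_id
          type      = "singleUser"
        }
      }
    }
  }

  notification_rules {
    eligible_activations {
      admin_notifications {
        notification_level    = "All"
        default_recipients    = true
        additional_recipients = ["test@example.com"]
      }
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true
        additional_recipients = ["test@example.com"]
      }
      # Emitted only when recipients are given; the precondition below guarantees
      # this never coincides with a custom approver (assumption from the comment).
      dynamic "approver_notifications" {
        for_each = local.notify_approvers ? [1] : []
        content {
          notification_level    = "All"
          default_recipients    = true
          additional_recipients = var.approver_recipients
        }
      }
    }
  }

  lifecycle {
    precondition {
      condition     = !(local.has_custom_approver && local.notify_approvers)
      error_message = "approver_recipients cannot be combined with a custom approver: the API rejects this with ActivationCustomApproversNotEmpty."
    }
  }
}
```

With this layout `terraform plan` fails with the precondition message when both `approver_object_id` and `approver_recipients` are set, so the conflict surfaces before any PATCH is sent; either input alone produces the same blocks as the configuration in the issue.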