hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

empty client ID sent via Graph API to update oAuth2PermissionGrant #1536

Open Matioski opened 3 weeks ago

Matioski commented 3 weeks ago

Terraform (and AzureAD Provider) Version

Terraform v1.9.7 on darwin_arm64

Affected Resource(s)

Terraform Configuration Files

resource "azuread_service_principal_delegated_permission_grant" "delegated_grant" {
  for_each = local.sps_map

  service_principal_object_id          = azuread_service_principal.sp[each.key].object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = each.value.roles
}

Debug Output

https://gist.github.com/Matioski/acd96ab3f722667f0be8fed402c06782

Panic Output

Expected Behavior

The azuread_service_principal_delegated_permission_grant should be updated and the clientId should not be sent in the body as per: https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-update?view=graph-rest-1.0&tabs=http

Actual Behavior

│ unexpected status 400 (400 Bad Request) with error: Request_BadRequest: Property cannot be updated: clientId

as the request that is sent has this body: {"@odata.type":"#microsoft.graph.oAuth2PermissionGrant","clientId":"","scope":"Directory.ReadWrite.All Application.ReadWrite.All Policy.Read.All Policy.ReadWrite.ApplicationConfiguration Synchronization.ReadWrite.All User.Read.All Group.ReadWrite.All"}

Steps to Reproduce

Create an azuread_service_principal_delegated_permission_grant and try to update the claim_values.

  1. terraform apply

Important Factoids

References

* #1511
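To make the reported failure concrete, here is an added example (not the provider's code) showing how Go's encoding/json turns an unset ClientID field into the "clientId":"" the issue quotes, how omitempty drops it, and a pre-flight check that flags a PATCH body carrying anything other than scope, the only updatable property per the Graph doc linked above. The struct and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Shape that reproduces the reported body: an unset ClientID still serialises
// as "clientId":"" and Graph answers "Property cannot be updated: clientId".
type grantPatchBuggy struct {
	ODataType string `json:"@odata.type"`
	ClientID  string `json:"clientId"`
	Scope     string `json:"scope"`
}

// Corrected shape: omitempty keeps zero-value fields out of the body, so an
// update that only changes claim_values sends @odata.type and scope.
type grantPatchFixed struct {
	ODataType string `json:"@odata.type,omitempty"`
	ClientID  string `json:"clientId,omitempty"`
	Scope     string `json:"scope,omitempty"`
}

const odataType = "#microsoft.graph.oAuth2PermissionGrant"

func buildBuggyBody(claims []string) ([]byte, error) {
	return json.Marshal(grantPatchBuggy{ODataType: odataType, Scope: strings.Join(claims, " ")})
}

func buildFixedBody(claims []string) ([]byte, error) {
	return json.Marshal(grantPatchFixed{ODataType: odataType, Scope: strings.Join(claims, " ")})
}

// nonUpdatableKeys returns, sorted, every top-level key in a PATCH body that
// is not in the allowlist (assumed here: @odata.type and scope). An empty
// result means the body is safe to send to the oauth2PermissionGrants update.
func nonUpdatableKeys(body []byte) ([]string, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(body, &fields); err != nil {
		return nil, err
	}
	allowed := map[string]bool{"@odata.type": true, "scope": true}
	var bad []string
	for k := range fields {
		if !allowed[k] {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	claims := []string{"User.Read", "Directory.Read.All"} // constructed sample
	buggy, _ := buildBuggyBody(claims)
	fixed, _ := buildFixedBody(claims)
	fmt.Printf("buggy: %s\nfixed: %s\n", buggy, fixed)
}
```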

joelp172 commented 2 weeks ago

That's interesting, I have recently just configured a module to use the azuread_service_principal_delegated_permission_grant resource.

I applied a first run and it added the User.Read successfully, I then needed to update that and add another claim value but on Terraform apply I also get:

│ Property cannot be updated: clientId

Here is a snippet of the resource I am using

resource "azuread_service_principal_delegated_permission_grant" "this" {
  service_principal_object_id          = azuread_service_principal.this.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = flatten([for resource in var.required_resource_access : resource.resource_access[*].id])
}

hashicorp/azurerm provider: 4.4.0