hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_application_password expiration_date uses long milliseconds in RFC3339 format #1545

Open nerddtvg opened 1 month ago

nerddtvg commented 1 month ago

Community Note

Terraform (and AzureAD Provider) Version

 ~  terraform version
Terraform v1.9.3
on windows_amd64
+ provider registry.terraform.io/hashicorp/azuread v3.0.2

Affected Resource(s)

Terraform Configuration Files

resource "azurerm_key_vault" "app" {
  name = "removed"
}

resource "azuread_application" "app" {
  display_name = "Removed"
}

resource "azuread_application_password" "app" {
  application_id = azuread_application.app.id

  display_name = "App Secret"
}

resource "azurerm_key_vault_secret" "app_secret" {
  key_vault_id = azurerm_key_vault.app.id
  name         = "app-secret"
  value        = azuread_application_password.app.value

  expiration_date = azuread_application_password.app.end_date
}

Debug Output

Not applicable.

Panic Output

Not applicable.

Expected Behavior

The RFC3339 output of expiration_date should be formatted as the documentation states: 2018-01-01T01:02:03Z

Actual Behavior

The output includes milliseconds, which introduces constant changes that have no effective change in the state or infrastructure.

  # azurerm_key_vault_secret.dbw_secret["geno-dbw"] will be updated in-place
  ~ resource "azurerm_key_vault_secret" "app_secret" {
      ~ expiration_date         = "2026-10-23T17:36:39Z" -> "2026-10-23T17:36:39.4384728Z"
        id                      = "https://removed.vault.azure.net/secrets/app-secret/removed"
        name                    = "app-secret"
        tags                    = {}
        # (7 unchanged attributes hidden)
    }

Steps to Reproduce

  1. terraform apply

Important Factoids

Not applicable.

References

https://github.com/hashicorp/terraform-provider-azuread/blob/main/docs/resources/application_password.md?plain=1#L58

The resource documentation states it will be RFC3339 compliant with 2 digits for the seconds.

wuxu92 commented 2 weeks ago

The API response may contain milliseconds, and the provider sets it to state without formatting. It should be parsed in the provider to avoid this issue.


https://github.com/hashicorp/terraform-provider-azuread/blob/b98dda9b9ef40099293c49fa13b3358e9a407229/internal/services/applications/application_password_resource.go#L264
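
A sketch of the parsing step suggested in the comment above, as an added example that is not part of the thread and not the provider's own code. The helper names `normalizeEndDate` and `sameSecond` are hypothetical; the sample timestamps are the two values from the plan output in the issue.

```go
package main

import (
	"fmt"
	"time"
)

// normalizeEndDate (hypothetical helper) parses an RFC3339 timestamp, with or
// without fractional seconds, and re-emits it in UTC at whole-second
// precision, the form the resource documentation shows (2018-01-01T01:02:03Z).
func normalizeEndDate(s string) (string, error) {
	t, err := time.Parse(time.RFC3339Nano, s)
	if err != nil {
		return "", fmt.Errorf("parsing %q as RFC3339: %w", s, err)
	}
	// Truncate rather than round: the plan in the issue pairs the stored
	// value ...:39Z with the API value ...:39.4384728Z.
	return t.UTC().Truncate(time.Second).Format(time.RFC3339), nil
}

// sameSecond (hypothetical helper) reports whether two RFC3339 strings denote
// the same instant once sub-second precision is dropped. This is the
// comparison that decides whether a secret's expiry really changed.
func sameSecond(a, b string) (bool, error) {
	na, err := normalizeEndDate(a)
	if err != nil {
		return false, err
	}
	nb, err := normalizeEndDate(b)
	if err != nil {
		return false, err
	}
	return na == nb, nil
}

func main() {
	// Values taken from the plan output quoted in the issue.
	stored, fromAPI := "2026-10-23T17:36:39Z", "2026-10-23T17:36:39.4384728Z"
	normalized, err := normalizeEndDate(fromAPI)
	if err != nil {
		panic(err)
	}
	equal, _ := sameSecond(stored, fromAPI)
	fmt.Println(normalized, equal)
}
```

Normalizing before the value is written to state keeps downstream consumers such as a Key Vault secret's expiration date from showing a perpetual in-place update, so a real change to a credential's expiry stands out in the plan.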