hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Ignore_changes - Nested Block #363

Open ghost opened 3 years ago

ghost commented 3 years ago

This issue was originally opened by @chchadha as hashicorp/terraform#27028. It was migrated here as a result of the provider split. The original body of the issue is below.


I have the following configuration:


resource "azuread_application" "app_registration" {
  name = var.app_service_name

  oauth2_allow_implicit_flow = true

  dynamic "required_resource_access" {
    for_each = var.required_resource_access

    content {
      resource_app_id = required_resource_access.value["app_id"]
      resource_access {
        id   = required_resource_access.value["resource_access"].id
        type = required_resource_access.value["resource_access"].type
      }
    }
  }

  owners = var.azuread_app_owners

  optional_claims {

    access_token {
      name = "onprem_sid"
    }

    id_token {
      name = "onprem_sid"
    }
  }

  group_membership_claims = "None"

  oauth2_permissions = []

  lifecycle {
    ignore_changes = [
      reply_urls,
      required_resource_access
    ]
  }
}

Terraform is not ignoring the required_resource_access. Every time a Terraform plan / apply is done, the permissions set in Azure are reset by Terraform. I have also tried by changing the field from dynamic to non-dynamic. Is there a limitation with block attributes?

I have two app registrations and wanted to manage an exposed scope from my API app registration as a required resource to my client app registration, however due to some limitations (GitHub Issue: https://github.com/terraform-providers/terraform-provider-azuread/issues/362)

manicminer commented 3 years ago

@chchadha I moved this issue here because I think it might be a provider issue. I will test it out and try to reproduce.

manicminer commented 3 years ago

@chchadha I wasn't able to reproduce this with Terraform 0.12 or 0.13. Can you provide the exact variable values you are using?

chchadha commented 3 years ago

Thanks for taking a look into this! The azuread_application resource is in a child module. We pass the following variable from the parent module. I am working with Terraform 0.14-Beta2

Parent Module:

module "app_service" {
  source = "./az_appservice"

  app_service_name     = var.app_service_name
  environment          = var.environment
  deployment_location  = var.deployment_location
  resource_group_name  = var.resource_group_name
  app_service_plan_sku = var.app_service_plan_sku
  app_settings         = var.app_settings
  app_service_slots    = var.app_service_slots
  azuread_app_owners   = var.azuread_app_owners

  required_resource_access = [{  //Microsoft Graph User.Read Delegated permissions
    app_id = "00000003-0000-0000-c000-000000000000"
    resource_access = {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
      type = "Scope"
    }
  }]

  tags = var.tags
}

Child Module:

resource "azuread_application" "app_registration" {
  name = var.app_service_name

  oauth2_allow_implicit_flow = true

  dynamic "required_resource_access" {
    for_each = var.required_resource_access

    content {
      resource_app_id = required_resource_access.value["app_id"]
      resource_access {
        id   = required_resource_access.value["resource_access"].id
        type = required_resource_access.value["resource_access"].type
      }
    }
  }

  owners = var.azuread_app_owners

  optional_claims {

    access_token {
      name = "onprem_sid"
    }

    id_token {
      name = "onprem_sid"
    }
  }

  group_membership_claims = "None"

  oauth2_permissions = []

  lifecycle {
    ignore_changes = [
      reply_urls,
      required_resource_access
    ]
  }
}

manicminer commented 3 years ago

No problem, that's exactly what I had put together to try and reproduce earlier. I've tried again with Terraform 0.14.0-beta2 and 0.14.0-rc1 but unfortunately still cannot reproduce.

15:13:42 [:~/tmp/azuread-issue-363]↥ % terraform apply
azuread_application.app_registration: Refreshing state... [id=e335431c-6b90-4edf-8cc4-8d8df669754f]

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

It's the same whether I include the lifecycle block or not.

A related suggestion I have is that your configuration at present won't be able to add more than one permission per API - because it'll build a new required_resource_access block for each permission (rather than each API) and you'll get a duplication error.
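
An added example (not the issue author's configuration and not the provider's own code) of the grouping described in the previous comment: one required_resource_access block per API, with a nested dynamic resource_access block carrying all of that API's permissions, and the same lifecycle ignore_changes entry the reporter uses. The variable type, the app_service_name variable and the attribute names (name, as used by the provider version in this thread) are assumptions for illustration; the two GUIDs are the Microsoft Graph application ID and User.Read scope ID quoted earlier in the thread.

```hcl
# Added example for this issue; assumed variable shapes and names.
variable "app_service_name" {
  type = string
}

# One list element per API; that element's resource_access list holds every
# permission requested from that API.
variable "required_resource_access" {
  type = list(object({
    app_id = string
    resource_access = list(object({
      id   = string
      type = string
    }))
  }))
  default = [{
    app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph (from the thread)
    resource_access = [
      { id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d", type = "Scope" } # User.Read (from the thread)
      # A second Graph permission is appended here, not added as a second
      # outer element; two outer elements with the same app_id produce the
      # duplicate required_resource_access error.
    ]
  }]
}

resource "azuread_application" "app_registration" {
  name = var.app_service_name

  # Outer dynamic block: one required_resource_access per API.
  dynamic "required_resource_access" {
    for_each = var.required_resource_access

    content {
      resource_app_id = required_resource_access.value.app_id

      # Inner dynamic block: one resource_access per permission of that API.
      dynamic "resource_access" {
        for_each = required_resource_access.value.resource_access

        content {
          id   = resource_access.value.id
          type = resource_access.value.type
        }
      }
    }
  }

  lifecycle {
    # Naming the block type ignores every required_resource_access block on
    # this resource, so permissions granted outside Terraform are not reverted.
    ignore_changes = [
      reply_urls,
      required_resource_access,
    ]
  }
}
```

With for_each over a list, required_resource_access.value is one API entry and resource_access.value one permission of that API. The ignore_changes entry is all-or-nothing for the block type: it suppresses plan diffs for every required_resource_access block on the resource, so it cannot protect only the permissions added in the portal while still managing the ones in code. To check that it is in effect, run terraform plan after changing a permission in the portal; the application should not appear in the change set.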

chchadha commented 3 years ago

Thank you. I went ahead and hardcoded the required resource access removing the dynamic reference and still am facing the issue that Terraform will revert any changes made outside the code. The ignore_changes is not being applied when releasing through the release pipeline

For additional context this is the tree of the module structure:

main.tf
variables.tf
modules
  backend
    main.tf
    outputs.tf
    variables.tf
  dependencies
    main.tf
    outputs.tf
    variables.tf
  frontend
    main.tf
    outputs.tf
    variables.tf
  shared
    appservice
      main.tf
      outputs.tf
      variables.tf
    database
      main.tf
      outputs.tf
      variables.tf
    Functions
      main.tf
      outputs.tf
      variables.tf