Open ghost opened 3 years ago
@chchadha I moved this issue here because I think it might be a provider issue. I will test it out and try to reproduce.
@chchadha I wasn't able to reproduce this with Terraform 0.12 or 0.13. Can you provide the exact variable values you are using?
Thanks for taking a look into this! The azuread_application resource is in a child module. We pass the following variable from the parent module. I am working with Terraform 0.14-Beta2
Parent Module:
module "app_service" {
  source                   = "./az_appservice"
  app_service_name         = var.app_service_name
  environment              = var.environment
  deployment_location      = var.deployment_location
  resource_group_name      = var.resource_group_name
  app_service_plan_sku     = var.app_service_plan_sku
  app_settings             = var.app_settings
  app_service_slots        = var.app_service_slots
  azuread_app_owners       = var.azuread_app_owners
  required_resource_access = [{ // Microsoft Graph User.Read delegated permission
    app_id = "00000003-0000-0000-c000-000000000000"
    resource_access = {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
      type = "Scope"
    }
  }]
  tags = var.tags
}
Child Module:
resource "azuread_application" "app_registration" {
  name                       = var.app_service_name
  oauth2_allow_implicit_flow = true

  dynamic "required_resource_access" {
    for_each = var.required_resource_access
    content {
      resource_app_id = required_resource_access.value["app_id"]
      resource_access {
        id   = required_resource_access.value["resource_access"].id
        type = required_resource_access.value["resource_access"].type
      }
    }
  }

  owners = var.azuread_app_owners

  optional_claims {
    access_token {
      name = "onprem_sid"
    }
    id_token {
      name = "onprem_sid"
    }
  }

  group_membership_claims = "None"
  oauth2_permissions      = []

  lifecycle {
    ignore_changes = [
      reply_urls,
      required_resource_access
    ]
  }
}
No problem, that's exactly what I had put together to try and reproduce earlier. I've tried again with Terraform 0.14.0-beta2 and 0.14.0-rc1 but unfortunately still cannot reproduce.
15:13:42 [:~/tmp/azuread-issue-363]↥ % terraform apply
azuread_application.app_registration: Refreshing state... [id=e335431c-6b90-4edf-8cc4-8d8df669754f]
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
It's the same whether I include the lifecycle block or not.
A related suggestion I have is that your configuration at present won't be able to add more than one permission per API - because it'll build a new required_resource_access block for each permission (rather than each API) and you'll get a duplication error.
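The per-API layout suggested above, written out as an added example (not code from this thread or from the provider): the variable name `required_resource_access_by_api` is assumed, the Microsoft Graph application id and User.Read scope id are the ones quoted earlier in the thread, and the second permission id is a placeholder.

```hcl
# Assumed variable: a map keyed by the API's application id, each entry
# listing the permissions wanted on that API.
variable "required_resource_access_by_api" {
  type = map(list(object({
    id   = string
    type = string
  })))
  default = {
    # Microsoft Graph (application id quoted in the thread)
    "00000003-0000-0000-c000-000000000000" = [
      { id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d", type = "Scope" }, # User.Read (from the thread)
      { id = "00000000-0000-0000-0000-000000000000", type = "Scope" }, # PLACEHOLDER: second permission id
    ]
  }
}

resource "azuread_application" "app_registration" {
  name = var.app_service_name

  # One required_resource_access block per API ...
  dynamic "required_resource_access" {
    for_each = var.required_resource_access_by_api
    content {
      resource_app_id = required_resource_access.key

      # ... carrying one resource_access block per permission on that API,
      # so two permissions on the same API no longer produce two
      # required_resource_access blocks with the same resource_app_id.
      dynamic "resource_access" {
        for_each = required_resource_access.value
        content {
          id   = resource_access.value.id
          type = resource_access.value.type
        }
      }
    }
  }

  lifecycle {
    # Ignoring this attribute means permission changes made outside Terraform
    # are no longer reverted on apply, so drift in granted permissions has to
    # be reviewed elsewhere.
    ignore_changes = [required_resource_access]
  }
}
```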
Thank you. I went ahead and hardcoded the required resource access removing the dynamic reference and still am facing the issue that Terraform will revert any changes made outside the code. The ignore_changes is not being applied when releasing through the release pipeline
For additional context this is the tree of the module structure:

main.tf
variables.tf
modules
  backend
    -main.tf
    -outputs.tf
    -variables.tf
  dependencies
    -main.tf
    -outputs.tf
    -variables.tf
  frontend
    -main.tf
    -outputs.tf
    -variables.tf
  shared
    appservice
      -main.tf
      -outputs.tf
      -variables.tf
    database
      -main.tf
      -outputs.tf
      -variables.tf
    Functions
      -main.tf
      -outputs.tf
      -variables.tf
This issue was originally opened by @chchadha as hashicorp/terraform#27028. It was migrated here as a result of the provider split. The original body of the issue is below.
I have the following configuration:
Terraform is not ignoring the required_resource_access. Every time a Terraform plan / apply is done, the permissions set in Azure are reset by Terraform. I have also tried by changing the field from dynamic to non-dynamic. Is there a limitation with block attributes?
I have two app registrations and wanted to manage an exposed scope from my API app registration as a required resource to my client app registration, however due to some limitations (Github Issue: https://github.com/terraform-providers/terraform-provider-azuread/issues/362)