hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.61k stars, 4.65k forks

Support for audience in azurerm_web_pubsub_hub handlers #28086

Open rafaelpadovezi opened 1 day ago

rafaelpadovezi commented 1 day ago

Description

When configuring an event handler for Azure Web PubSub using the portal, I can specify the issued token audience using a value like api://AzureADTokenExchange. This is accepted, and the pubsub service is able to generate Entra ID tokens with this audience.

[screenshot of the portal event handler configuration]

It is also possible to accomplish the same result using the az CLI:

az webpubsub hub create \
 --hub-name TestHub \
 --name my-test-pubsub \
 --resource-group test-rg \
 --allow-anonymous false \
 --event-handler \
   url-template="https://example/v1/test/eventhandler/{event}" \
   system-event="connect" \
   auth-type="ManagedIdentity" \
   auth-resource="api://AzureADTokenExchange"

But when using Terraform I only have the option auth.managed_identity_id. Trying to use this attribute returns an error:

resource "azurerm_web_pubsub_hub" "my_hub" {
  ...
  event_handler {
    ...
    auth {
      managed_identity_id = "api://AzureADTokenExchange"
    }
  }
}

The error:

Error: expected "event_handler.0.auth.0.managed_identity_id" to be a valid UUID, got api://AzureADTokenExchange
Error: parsing "api://AzureADTokenExchange": parsing the UserAssignedIdentity ID: the number of segments didn't match

New or Affected Resource(s)/Data Source(s)

azurerm_web_pubsub_hub

Potential Terraform Configuration

resource "azurerm_web_pubsub_hub" "example" {
  ...

  event_handler {
    ...
    auth {
      auth_resource = "uri://myUri"
    }
  }
}

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_pubsub_hub
https://learn.microsoft.com/en-us/cli/azure/webpubsub/hub?view=azure-cli-latest#az-webpubsub-hub-create-optional-parameters

rafaelpadovezi commented 15 hours ago

I was removing the event handler and got to see this behavior:

# azurerm_web_pubsub_hub.web_pubsub_hub_orderhub will be updated in-place
  ~ resource "azurerm_web_pubsub_hub" "myhub" {
        id                            = "/subscriptions/XXX/resourceGroups/pubsub-cross-qa-rg/providers/Microsoft.SignalRService/webPubSub/YYY/ZZZ"
        name                          = "myhub"
        # (2 unchanged attributes hidden)

      - event_handler {
          - system_events      = [
              - "connect",
              - "connected",
              - "disconnected",
            ] -> null
          - url_template       = "https://example/v1/{event}/" -> null
          - user_event_pattern = "*" -> null

          - auth {
              - managed_identity_id = "api://AzureADTokenExchange" -> null
            }
        }
    }

It looks like it's about the validation. Maybe the underlying client works as expected.
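The two errors in the report come from the provider's schema validation, not from the Azure API: the first rejects anything that is not a UUID, and the second tries to parse the value as a user-assigned identity resource ID. The following is an added example, not code from terraform-provider-azurerm, that reproduces the strict UUID check next to a hypothetical relaxed validator (`ValidateAuthResource`, a name assumed here) which accepts either a UUID or an absolute URI such as api://AzureADTokenExchange. The function and variable names are the author's assumptions; the provider's real validator, attribute name and eventual design are not taken from this snippet.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// uuidRE matches the canonical 8-4-4-4-12 hex form, the shape of the client
// ID of a user-assigned identity. This is what a "must be a valid UUID"
// check, like the one quoted in the issue, accepts.
var uuidRE = regexp.MustCompile(
	`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// ValidateManagedIdentityID reproduces the strict behaviour from the report:
// only a UUID passes, so an audience URI is rejected before any API call.
func ValidateManagedIdentityID(v string) error {
	if !uuidRE.MatchString(v) {
		return fmt.Errorf("expected %q to be a valid UUID", v)
	}
	return nil
}

// ValidateAuthResource is the hypothetical relaxed check (assumed name, not the
// provider's): a UUID is still fine, and so is an absolute URI with a scheme.
// The value ends up as the audience of the token the service issues, so the
// check still rejects empty strings and scheme-less free text rather than
// passing anything through.
func ValidateAuthResource(v string) error {
	if v == "" {
		return errors.New("auth resource must not be empty")
	}
	if uuidRE.MatchString(v) {
		return nil
	}
	u, err := url.Parse(v)
	if err != nil || u.Scheme == "" || (u.Host == "" && u.Opaque == "") {
		return fmt.Errorf("expected %q to be a UUID or an absolute URI such as api://AzureADTokenExchange", v)
	}
	return nil
}

func main() {
	// Constructed inputs: the two values from the issue, a UUID, and junk.
	for _, v := range []string{
		"api://AzureADTokenExchange",
		"uri://myUri",
		"123e4567-e89b-12d3-a456-426614174000",
		"not a uri",
		"",
	} {
		fmt.Printf("%-40q strict=%v relaxed=%v\n", v,
			ValidateManagedIdentityID(v) == nil, ValidateAuthResource(v) == nil)
	}
}
```

Running it shows that both values from the report fail the strict check and pass the relaxed one, while the UUID passes both, which is the behaviour the az CLI `--auth-resource` option already exposes.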