pulumi / pulumi-azuread

A Microsoft Azure Active Directory (Azure AD) Pulumi resource package, providing multi-language access to Azure AD
Apache License 2.0

Inconsistent behavior when configuring Owners of an Application through ApplicationOwner #865

Closed michizubi-SRF closed 3 weeks ago

michizubi-SRF commented 9 months ago

What happened?

We are managing an AAD App Registration via Pulumi to configure things like callback URLs, permissions etc. When changing for example the callback URL, it can happen that for some reason the owners of the app have a diff even though nothing changed in the code.

The following describes a sample workflow:
1) Callback URL is changed and pulumi up is run: update [diff: ~web]
2) Callback URL is changed again because of a typo, and pulumi up is run again: update [diff: ~owners,web]

Even though the owners haven't changed, pulumi sees a diff. If I run pulumi up now, the owners get deleted from the app, but the ApplicationOwner resources remain and are no longer "linked" to the app.

The owners can be added again using the following workflow:
1) Delete the ApplicationOwners in code and run pulumi up (ApplicationOwner resources are deleted)
2) Add the ApplicationOwners in code again and run pulumi up (ApplicationOwner resources are created)

Example

Some code snippets:

import pulumi_azuread as azuread

# currentClient is the caller's identity (azuread.get_client_config());
# self.owners is the list of owner object IDs managed through ApplicationOwner.
app = azuread.Application(
    appName,
    owners=[currentClient.object_id],  # inline owner list on the Application itself
    display_name=appName,
    web=web,
    tags=["monitored"],
    optional_claims=azuread.ApplicationOptionalClaimsArgs(
        access_tokens=access_tokens,
        id_tokens=id_tokens,
        saml2_tokens=saml2_tokens,
    ),
    group_membership_claims=group_claims,
)

# Additional owners attached as separate ApplicationOwner resources
# pointing at the same application.
for owner in self.owners:
    azuread.ApplicationOwner(
        f"{appName}-{owner}",
        application_id=app.id,
        owner_object_id=owner,
    )

Output of pulumi about

CLI
Version 3.107.0
Go Version go1.22.0
Go Compiler gc

Plugins
NAME VERSION
aws 6.22.2
aws-native 0.96.0
azuread 5.47.1
python unknown

Host
OS darwin
Version 14.3.1
Arch x86_64

This project is written in python: executable='/usr/local/bin/python3' version='3.12.2'

Additional context

No response


iwahbe commented 9 months ago

Hi @michizubi-SRF. I'm sorry this is happening to you.

> When changing for example the callback URL, it can happen that for some reason the owners of the app have a diff even though nothing changed in the code.

To clarify, are you saying that owners always changes on the pulumi up after you edit web, or that it sometimes (randomly) changes after you edit web?

mms-bruno commented 9 months ago

> Hi @michizubi-SRF. I'm sorry this is happening to you.
>
> > When changing for example the callback URL, it can happen that for some reason the owners of the app have a diff even though nothing changed in the code.
>
> To clarify, are you saying that owners always changes on the pulumi up after you edit web, or that it sometimes (randomly) changes after you edit web?

Hi @iwahbe I can confirm that this always happens.

lukehoban commented 3 weeks ago

I believe this is a known part of the design of these resources: they can't be used together, since each manages part of the other's state. See the note at the top of https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_owner about these resources being incompatible. You can use azuread.ApplicationRegistration instead.

Opened https://github.com/pulumi/pulumi-azuread/issues/1504 to track the docs warning not being surfaced correctly in the Pulumi docs.
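A way to catch the incompatible combination before a pulumi up silently drops owners, as an added example that is not part of this issue or of pulumi-azuread: it scans a `pulumi stack export` JSON for an Application whose inline `owners` input is set while ApplicationOwner resources also target it. The type tokens, the `deployment.resources[].inputs/outputs` shape and the camelCase input names are assumptions about the exported state; the sample state is constructed with placeholder ids.

```python
import json
import sys
from collections import defaultdict

# Pulumi type tokens of the resources discussed in the issue (assumed; check
# them against your own `pulumi stack export` output).
APPLICATION = "azuread:index/application:Application"
APPLICATION_REGISTRATION = "azuread:index/applicationRegistration:ApplicationRegistration"
APPLICATION_OWNER = "azuread:index/applicationOwner:ApplicationOwner"


def find_owner_conflicts(stack_export: dict) -> list:
    """Return one finding per Application that sets `owners` inline while
    ApplicationOwner resources also point at it, the mix the issue hits."""
    resources = stack_export.get("deployment", {}).get("resources", [])
    inline_by_app = {}                      # app id -> (urn, inline owner ids)
    standalone_by_app = defaultdict(list)   # app id -> ApplicationOwner owner ids
    for res in resources:
        inputs = res.get("inputs", {})
        if res.get("type") == APPLICATION:
            app_id = res.get("outputs", {}).get("id")
            if app_id:
                inline_by_app[app_id] = (res.get("urn"), list(inputs.get("owners") or []))
        elif res.get("type") == APPLICATION_OWNER:
            standalone_by_app[inputs.get("applicationId")].append(inputs.get("ownerObjectId"))
    findings = []
    for app_id, (urn, inline) in inline_by_app.items():
        if inline and standalone_by_app.get(app_id):
            findings.append({"urn": urn, "inline_owners": inline,
                             "standalone_owners": standalone_by_app[app_id]})
    return findings


# Constructed sample state: "app-bad" mixes both mechanisms, "app-good" is an
# ApplicationRegistration whose owners live only in ApplicationOwner resources.
SAMPLE_EXPORT = {"deployment": {"resources": [
    {"type": APPLICATION, "urn": "urn:pulumi:dev::proj::" + APPLICATION + "::app-bad",
     "inputs": {"displayName": "app-bad", "owners": ["00000000-0000-0000-0000-00000000aaaa"]},
     "outputs": {"id": "/applications/APP-BAD-OBJECT-ID"}},
    {"type": APPLICATION_OWNER, "urn": "urn:pulumi:dev::proj::" + APPLICATION_OWNER + "::app-bad-owner",
     "inputs": {"applicationId": "/applications/APP-BAD-OBJECT-ID",
                "ownerObjectId": "00000000-0000-0000-0000-00000000aaaa"}},
    {"type": APPLICATION_REGISTRATION, "urn": "urn:pulumi:dev::proj::" + APPLICATION_REGISTRATION + "::app-good",
     "inputs": {"displayName": "app-good"}, "outputs": {"id": "/applications/APP-GOOD-OBJECT-ID"}},
    {"type": APPLICATION_OWNER, "urn": "urn:pulumi:dev::proj::" + APPLICATION_OWNER + "::app-good-owner",
     "inputs": {"applicationId": "/applications/APP-GOOD-OBJECT-ID",
                "ownerObjectId": "00000000-0000-0000-0000-00000000bbbb"}},
]}}

if __name__ == "__main__":
    # Usage: pulumi stack export > state.json && python check_owners.py state.json
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in find_owner_conflicts(export):
        print(f"{f['urn']}: inline owners {f['inline_owners']} conflict with ApplicationOwner {f['standalone_owners']}")
```

Running it against the sample reports only app-bad; the ApplicationRegistration pattern Luke recommends produces no finding.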