Merge pull request #528 from hashicorp/bugfixes/2.0.0

azuread_application: unknown scope/role IDs and values are flagged as duplicates

docs/resources/application.md

@@ -61,7 +61,8 @@ resource "azuread_application" "example" {
     allowed_member_types = ["User", "Application"]
     description          = "Admins can manage roles and perform all task actions"
     display_name         = "Admin"
-    is_enabled           = true
+    enabled              = true
+    id                   = "1b19509b-32b1-4e9f-b71d-4992aa991967"
     value                = "admin"
   }
 
@@ -70,7 +71,7 @@ resource "azuread_application" "example" {
     description          = "ReadOnly roles have limited query access"
     display_name         = "ReadOnly"
     enabled              = true
-    id                   = "%[6]s"
+    id                   = "497406e4-012a-4267-bf18-45a1cb148a01"
     value                = "User"
   }
 

docs/resources/group.md

@@ -89,6 +89,9 @@ The following arguments are supported:
 * `mail_enabled` - (Optional) Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
 * `mail_nickname` - (Optional) The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
 * `members` - (Optional) A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals.
+
+!> **Warning** Do not use the `members` property at the same time as the [azuread_group_member](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) resource for the same group. Doing so will cause a conflict and group members will be removed.
+
 * `owners` - (Optional) A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal being used to execute Terraform is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed.
 
 -> **Group Ownership**  It's recommended to always specify one or more group owners, including the principal being used to execute Terraform, such as in the example above. When removing group owners, if a user principal has been assigned ownership, the last user cannot be removed as an owner. Microsoft 365 groups are required to always have at least one owner which _must be a user_ (i.e. not a service principal).
@@ -105,8 +108,6 @@ The following arguments are supported:
 
 -> **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `prevent_duplicate_names` argument to check for existing groups if you want to avoid name collisions.
 
-!> **Warning** Do not use the `azuread_group_member` resource at the same time as the `members` argument.
-
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:

docs/resources/group_member.md

@@ -6,7 +6,7 @@ subcategory: "Groups"
 
 Manages a single group membership within Azure Active Directory.
 
--> **Warning** Do not use this resource at the same time as the `members` property of the `azuread_group` resource.
+~> **Warning** Do not use this resource at the same time as the `members` property of the `azuread_group` resource for the same group. Doing so will cause a conflict and group members will be removed.
 
 ## API Permissions
 

internal/acceptance/testcase.go

@@ -45,6 +45,12 @@ func (td TestData) ResourceTestIgnoreDangling(t *testing.T, _ types.TestResource
 }
 
 func (td TestData) runAcceptanceTest(t *testing.T, testCase resource.TestCase) {
+	testCase.ExternalProviders = map[string]resource.ExternalProvider{
+		"random": {
+			Source:            "hashicorp/random",
+			VersionConstraint: ">= 3.0.0",
+		},
+	}
 	testCase.ProviderFactories = map[string]func() (*schema.Provider, error){
 		"azuread": func() (*schema.Provider, error) {
 			return AzureADProvider, nil

internal/services/applications/application_resource_test.go

@@ -146,6 +146,23 @@ func TestAccApplication_appRoles(t *testing.T) {
 	})
 }
 
+func TestAccApplication_duplicateAppRolesOauth2PermissionsIdsUnknown(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_application", "test")
+	r := ApplicationResource{}
+
+	data.ResourceTest(t, r, []resource.TestStep{
+		{
+			Config: r.duplicateAppRolesOauth2PermissionsIdsUnknown(data),
+			Check: resource.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("app_role.#").HasValue("1"),
+				check.That(data.ResourceName).Key("app_role_ids.%").HasValue("1"),
+				check.That(data.ResourceName).Key("api.0.oauth2_permission_scope.#").HasValue("1"),
+				check.That(data.ResourceName).Key("oauth2_permission_scope_ids.%").HasValue("1"),
+			),
+		},
+	})
+}
+
 func TestAccApplication_duplicateAppRolesOauth2PermissionsValues(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azuread_application", "test")
 	r := ApplicationResource{}
@@ -877,6 +894,41 @@ resource "azuread_application" "test" {
 `, data.RandomInteger, uuids[0], uuids[1], uuids[2], uuids[3])
 }
 
+func (ApplicationResource) duplicateAppRolesOauth2PermissionsIdsUnknown(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+provider "random" {}
+
+resource "random_uuid" "test" {
+  count = 2
+}
+
+resource "azuread_application" "test" {
+  display_name = "acctest-APP-%[1]d"
+
+  api {
+    oauth2_permission_scope {
+      admin_consent_description  = "Administer the application"
+      admin_consent_display_name = "Administer"
+      enabled                    = true
+      id                         = random_uuid.test[0].id
+      type                       = "Admin"
+      value                      = "administer"
+    }
+  }
+
+  app_role {
+    allowed_member_types = ["User"]
+    description          = "Admins can manage roles and perform all task actions"
+    display_name         = "Admin"
+    enabled              = true
+    id                   = random_uuid.test[1].id
+    value                = "administrate"
+  }
+}
+`, data.RandomInteger, data.UUID(), data.UUID())
+}
+
 func (ApplicationResource) duplicateAppRolesOauth2PermissionsValues(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azuread" {}

internal/services/applications/applications.go

@@ -311,20 +311,20 @@ func applicationValidateRolesScopes(appRoles, oauth2Permissions []interface{}) e
 
 	for _, roleRaw := range appRoles {
 		role := roleRaw.(map[string]interface{})
-		if id := role["id"].(string); id != "" {
+		if id := role["id"].(string); id != "" && id != tf.PluginSdkUnknownValue {
 			ids = append(ids, id)
 		}
-		if val := role["value"].(string); val != "" {
+		if val := role["value"].(string); val != "" && val != tf.PluginSdkUnknownValue {
 			values = append(values, val)
 		}
 	}
 
 	for _, scopeRaw := range oauth2Permissions {
 		scope := scopeRaw.(map[string]interface{})
-		if id := scope["id"].(string); id != "" {
+		if id := scope["id"].(string); id != "" && id != tf.PluginSdkUnknownValue {
 			ids = append(ids, id)
 		}
-		if val := scope["value"].(string); val != "" {
+		if val := scope["value"].(string); val != "" && val != tf.PluginSdkUnknownValue {
 			values = append(values, val)
 		}
 	}

internal/tf/pluginsdk.go

@@ -0,0 +1,6 @@
+package tf
+
+// PluginSdkUnknownValue is a dummy value used/sent by the plugin SDK when a real value is not known at plan time,
+// e.g. during a CustomizeDiff function
+// See https://github.com/hashicorp/terraform-plugin-sdk/blob/main/internal/configs/hcl2shim/values.go#L16
+const PluginSdkUnknownValue = "74D93920-ED26-11E3-AC10-0800200C9A66"