From 731e4a6a97d499b52450393fc1d1da630f5ef762 Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Thu, 26 Aug 2021 17:03:49 +0100 Subject: [PATCH 1/3] Fix a bug where unknown role/scope IDs or values are incorrectly flagged as duplicates at plan time --- internal/acceptance/testcase.go | 6 +++ .../applications/application_resource_test.go | 52 +++++++++++++++++++ .../services/applications/applications.go | 8 +-- internal/tf/pluginsdk.go | 6 +++ 4 files changed, 68 insertions(+), 4 deletions(-) create mode 100644 internal/tf/pluginsdk.go diff --git a/internal/acceptance/testcase.go b/internal/acceptance/testcase.go index a510df9cd0..14b02371f6 100644 --- a/internal/acceptance/testcase.go +++ b/internal/acceptance/testcase.go @@ -45,6 +45,12 @@ func (td TestData) ResourceTestIgnoreDangling(t *testing.T, _ types.TestResource } func (td TestData) runAcceptanceTest(t *testing.T, testCase resource.TestCase) { + testCase.ExternalProviders = map[string]resource.ExternalProvider{ + "random": { + Source: "hashicorp/random", + VersionConstraint: ">= 3.0.0", + }, + } testCase.ProviderFactories = map[string]func() (*schema.Provider, error){ "azuread": func() (*schema.Provider, error) { return AzureADProvider, nil diff --git a/internal/services/applications/application_resource_test.go b/internal/services/applications/application_resource_test.go index 378851c33b..1c3c821ae5 100644 --- a/internal/services/applications/application_resource_test.go +++ b/internal/services/applications/application_resource_test.go @@ -146,6 +146,23 @@ func TestAccApplication_appRoles(t *testing.T) { }) } +func TestAccApplication_duplicateAppRolesOauth2PermissionsIdsUnknown(t *testing.T) { + data := acceptance.BuildTestData(t, "azuread_application", "test") + r := ApplicationResource{} + + data.ResourceTest(t, r, []resource.TestStep{ + { + Config: r.duplicateAppRolesOauth2PermissionsIdsUnknown(data), + Check: resource.ComposeTestCheckFunc( + check.That(data.ResourceName).Key("app_role.#").HasValue("1"), + check.That(data.ResourceName).Key("app_role_ids.%").HasValue("1"), + check.That(data.ResourceName).Key("api.0.oauth2_permission_scope.#").HasValue("1"), + check.That(data.ResourceName).Key("oauth2_permission_scope_ids.%").HasValue("1"), + ), + }, + }) +} + func TestAccApplication_duplicateAppRolesOauth2PermissionsValues(t *testing.T) { data := acceptance.BuildTestData(t, "azuread_application", "test") r := ApplicationResource{} @@ -877,6 +894,41 @@ resource "azuread_application" "test" { `, data.RandomInteger, uuids[0], uuids[1], uuids[2], uuids[3]) } +func (ApplicationResource) duplicateAppRolesOauth2PermissionsIdsUnknown(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azuread" {} +provider "random" {} + +resource "random_uuid" "test" { + count = 2 +} + +resource "azuread_application" "test" { + display_name = "acctest-APP-%[1]d" + + api { + oauth2_permission_scope { + admin_consent_description = "Administer the application" + admin_consent_display_name = "Administer" + enabled = true + id = random_uuid.test[0].id + type = "Admin" + value = "administer" + } + } + + app_role { + allowed_member_types = ["User"] + description = "Admins can manage roles and perform all task actions" + display_name = "Admin" + enabled = true + id = random_uuid.test[1].id + value = "administrate" + } +} +`, data.RandomInteger, data.UUID(), data.UUID()) +} + func (ApplicationResource) duplicateAppRolesOauth2PermissionsValues(data acceptance.TestData) string { return fmt.Sprintf(` provider "azuread" {} diff --git a/internal/services/applications/applications.go b/internal/services/applications/applications.go index 8ebfcf44fd..e599a134b4 100644 --- a/internal/services/applications/applications.go +++ b/internal/services/applications/applications.go @@ -311,20 +311,20 @@ func applicationValidateRolesScopes(appRoles, oauth2Permissions []interface{}) e for _, roleRaw := range appRoles { role := roleRaw.(map[string]interface{}) - if id := role["id"].(string); id != "" { + if id := role["id"].(string); id != "" && id != tf.PluginSdkUnknownValue { ids = append(ids, id) } - if val := role["value"].(string); val != "" { + if val := role["value"].(string); val != "" && val != tf.PluginSdkUnknownValue { values = append(values, val) } } for _, scopeRaw := range oauth2Permissions { scope := scopeRaw.(map[string]interface{}) - if id := scope["id"].(string); id != "" { + if id := scope["id"].(string); id != "" && id != tf.PluginSdkUnknownValue { ids = append(ids, id) } - if val := scope["value"].(string); val != "" { + if val := scope["value"].(string); val != "" && val != tf.PluginSdkUnknownValue { values = append(values, val) } } diff --git a/internal/tf/pluginsdk.go b/internal/tf/pluginsdk.go new file mode 100644 index 0000000000..e46c5c3fa0 --- /dev/null +++ b/internal/tf/pluginsdk.go @@ -0,0 +1,6 @@ +package tf + +// PluginSdkUnknownValue is a dummy value used/sent by the plugin SDK when a real value is not known at plan time, +// e.g. during a CustomizeDiff function +// See https://github.com/hashicorp/terraform-plugin-sdk/blob/main/internal/configs/hcl2shim/values.go#L16 +const PluginSdkUnknownValue = "74D93920-ED26-11E3-AC10-0800200C9A66" From 0df6cc67367c08dda2d79ce621942aa50d084cf0 Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Thu, 26 Aug 2021 17:05:22 +0100 Subject: [PATCH 2/3] Docs fixups --- docs/resources/application.md | 5 +++-- docs/resources/group.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/resources/application.md b/docs/resources/application.md index 1f1081d584..c2a8f900ad 100644 --- a/docs/resources/application.md +++ b/docs/resources/application.md @@ -61,7 +61,8 @@ resource "azuread_application" "example" { allowed_member_types = ["User", "Application"] description = "Admins can manage roles and perform all task actions" display_name = "Admin" - is_enabled = true + enabled = true + id = "1b19509b-32b1-4e9f-b71d-4992aa991967" value = "admin" } @@ -70,7 +71,7 @@ resource "azuread_application" "example" { description = "ReadOnly roles have limited query access" display_name = "ReadOnly" enabled = true - id = "%[6]s" + id = "497406e4-012a-4267-bf18-45a1cb148a01" value = "User" } diff --git a/docs/resources/group.md b/docs/resources/group.md index f7ce7a6ec4..25423cc695 100644 --- a/docs/resources/group.md +++ b/docs/resources/group.md @@ -89,6 +89,9 @@ The following arguments are supported: * `mail_enabled` - (Optional) Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property). * `mail_nickname` - (Optional) The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created. * `members` - (Optional) A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. + +!> **Warning** Do not use the `azuread_group_member` resource at the same time as the `members` argument. + * `owners` - (Optional) A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal being used to execute Terraform is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed. -> **Group Ownership** It's recommended to always specify one or more group owners, including the principal being used to execute Terraform, such as in the example above. When removing group owners, if a user principal has been assigned ownership, the last user cannot be removed as an owner. Microsoft 365 groups are required to always have at least one owner which _must be a user_ (i.e. not a service principal). @@ -105,8 +108,6 @@ The following arguments are supported: -> **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `prevent_duplicate_names` argument to check for existing groups if you want to avoid name collisions. -!> **Warning** Do not use the `azuread_group_member` resource at the same time as the `members` argument. - ## Attributes Reference In addition to all arguments above, the following attributes are exported: From 0f72d26f2f280615b32804f6d625d892187e566e Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Thu, 26 Aug 2021 17:23:18 +0100 Subject: [PATCH 3/3] Clarify exclusivity of group_member resource and group.members property --- docs/resources/group.md | 2 +- docs/resources/group_member.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/resources/group.md b/docs/resources/group.md index 25423cc695..919f6a9ed3 100644 --- a/docs/resources/group.md +++ b/docs/resources/group.md @@ -90,7 +90,7 @@ The following arguments are supported: * `mail_nickname` - (Optional) The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created. * `members` - (Optional) A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. -!> **Warning** Do not use the `azuread_group_member` resource at the same time as the `members` argument. +!> **Warning** Do not use the `members` property at the same time as the [azuread_group_member](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) resource for the same group. Doing so will cause a conflict and group members will be removed. * `owners` - (Optional) A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal being used to execute Terraform is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed. diff --git a/docs/resources/group_member.md b/docs/resources/group_member.md index 2a655ebe48..e33832a927 100644 --- a/docs/resources/group_member.md +++ b/docs/resources/group_member.md @@ -6,7 +6,7 @@ subcategory: "Groups" Manages a single group membership within Azure Active Directory. --> **Warning** Do not use this resource at the same time as the `members` property of the `azuread_group` resource. +~> **Warning** Do not use this resource at the same time as the `members` property of the `azuread_group` resource for the same group. Doing so will cause a conflict and group members will be removed. ## API Permissions