Error: Deleting access package resource and catalog association

[cedrox]

Context

When we try to delete our access package

Terraform (and AzureAD Provider) Version

2.37

Affected Resource(s)

• azuread_access_package_resource_package_association

Terraform Configuration Files

resource "azuread_group" "membership_group" {
  display_name     = "TFMembershipGroup"
  security_enabled = true

  members = [
    data.azuread_user.user01.object_id,
    data.azuread_user.user02.object_id,
  ]
}

data "azuread_user" "user01" {
  mail_nickname = "AdeleV"
}

data "azuread_user" "user02" {
  mail_nickname = "AlexW"
}

resource "azuread_group" "elevated_approvers_group" {
  display_name     = "TFElevatedApproversGroup"
  security_enabled = true
}

data "azuread_groups" "security_groups" {
  display_names = ["DATALAKE_RO"]
}

resource "azuread_group" "security_created_group" {
  display_name     = "TFSecurityGroup01"
  security_enabled = true
  
}

# For existing group, spn needs to be owner of the group
data "azuread_group" "security_group" {
  display_name = "DATALAKE_RW"
}

data "azuread_group" "security_group_ro" {
  display_name = "DATALAKE_RO"
}

resource "azuread_access_package_catalog" "test_catalog" {
  display_name = "azuread_access_package_catalog"
  description  = "TestAcc Catalog %[1]d for access assignment policy"
}

resource "azuread_access_package" "test_access_package" {
  display_name = "azuread_access_package"
  description  = "TestAcc Access Package %[1]d for access assignment policy"
  catalog_id   = azuread_access_package_catalog.test_catalog.id
  # resource_role_scope_id = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
}

resource "azuread_access_package_assignment_policy" "test_access_package_assignment_policy_3" {
  display_name      = "azuread_access_package_assignment_policy_3"
  description       = "TestAcc Access Package Assignnment Policy 3"
  duration_in_days  = 1
  access_package_id = azuread_access_package.test_access_package.id
  requestor_settings {
    scope_type      = "SpecificDirectorySubjects"
    requests_accepted = true
    requestor {
      object_id    = azuread_group.membership_group.object_id
      subject_type = "groupMembers"
    }
  }

  approval_settings {
    approval_required = true
    approval_stage {
      approval_timeout_in_days = 5
      primary_approver {
        object_id    = azuread_group.elevated_approvers_group.object_id
        subject_type = "groupMembers"
      }
    }
  }
}

# List of Approved resources 
resource "azuread_access_package_resource_catalog_association" "example" {
  catalog_id             = azuread_access_package_catalog.test_catalog.id
  resource_origin_id     = azuread_group.security_created_group.object_id
  resource_origin_system = "AadGroup"
  # subject_type           = "groupMembers"
}

resource "azuread_access_package_resource_catalog_association" "access_to_existing_group" {
  catalog_id             = azuread_access_package_catalog.test_catalog.id
  resource_origin_id     = data.azuread_group.security_group.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package_resource_catalog_association" "access_to_existing_group_ro" {
  catalog_id             = azuread_access_package_catalog.test_catalog.id
  resource_origin_id     = data.azuread_group.security_group_ro.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package_resource_package_association" "example" {
  access_package_id               = azuread_access_package.test_access_package.id
  catalog_resource_association_id = azuread_access_package_resource_catalog_association.example.id
}

Debug Output

│ Error: Deleting access package resource and catalog association with resource "GUID"@"AadGroup" and catalog id "GUID".
288│
289│ AccessPackageResourceRequestClient.BaseClient.Post(): unexpected status 400
290│ with OData error: InvalidDeleteResourceHasEntitlements: The resource:
291│ {ResourceName} can not be deleted because there are active
292│ entitlements.

Expected Behavior

terraform destroy all the resources

Actual Behavior

When resources are deleted, we have a 400 on the delation of the object azuread_access_package_resource_package_association

Steps to Reproduce

with code below do :

1. terraform apply
2. terraform destroy

Important Factoids

Azure public cloud
Proper permission with role and permission

References

#903

[cedrox]

Hello @manicminer, @alexwilcox9
Did you repro this bug ? Do you know if this is going to be tackle in the next release ?
Thanks

[alexwilcox9]

291│ {ResourceName} can not be deleted because there are active
292│ entitlements.

I have had this error myself but I don't believe it's a bug in the provider. I was unable to delete the resource because there were users with active entitlements on those access packages. Mine was a bit weird though because the portal did not show any active assignments.
It turned out that it was due to a recent deleted user that was still in the deleted users section of AAD. I restored the user, the assignment re-appeared in the portal allowing me to remove it and then I was able to delete the AP

Hope that helps

[cedrox]

Having all deployment failing because of 1 manual assignement makes using these features a bit perilous.
Is it possible to check this assignement before deleting it and do a force delete before removing it ?
Thanks

[cedrox]

Hello I am also able to confirm that the access package resource and catalog association throw an error without active entitlements when trying to delete a brand new / never used access package...
The error is the same : can not be deleted because there are active entitlements

For information, I am using the version 2.37.0 of the provider. Do you think the 2.39.0 would be more stable on that field ?

[alexwilcox9]

Always worth using the latest version, although I don't see anything in the changelog that would suggest any changes to this behaviour.

The message about active entitlements come from Azure and Terraform is just presenting them to you. Are you able to delete the unused access package/catalog from the poral or do you get the same error?

[cedrox]

I have updated the provider to 2.39. remove the local state. Clean all resource on the portal. Apply / Destroy and same error.
If you have the demo tenant available, I encourage you to apply / destroy this simple code. You will see that this is not working
I have a 403 but my spn is global Admin...

I have 2 errors

╷
│ Error: Deleting access package resource and catalog association with resource "2568976e-31b9-453b-bbb7-4af8ffe90367"@"AadGroup" and catalog id "d712afef-0b20-4fa7-aaa9-21ded87ef45d".
│
│ AccessPackageResourceRequestClient.BaseClient.Post(): unexpected status 400 with OData error: InvalidDeleteResourceHasEntitlements: The resource: TFSecurityGroup01 can not be deleted because there are
│ active entitlements.
╵
╷
│ Error: Waiting for deletion of access package assignment policy with object ID "67ade50d-dc99-41fe-8d71-1ff90dc1031c"
│
│ retrieving resource: AccessPackageAssignmentPolicyClient.BaseClient.Get(): unexpected status 403 with OData error: UnAuthorized: User is not authorized to perform the operation. Reason: Unauthorized
╵

[pmatthews05]

I too am having this problem. When developing it's a bit annoying as I'm having to manually remove the entries in the state file, and manually remove in the portal before deploying again.

I know this isn't a helpful comment, I can supply logs if you like, but it's been covered above.

I'm using Service Principal with "EntitlementManagement.ReadWrite.All".

It seems to be a problem in the order the resources are deleted in.

[gittyNico]

The order of the resource deletion seems correct unfortunately. The issue is a missing msgraph API Endpoint for access_package_resource_package_association_resource "DELETE". That's why only the state is being/can be removed.

As you cannot remove a resource catalog association when it is still associated with an access package, terraform fails...

There is a hint in the go provider resource

@pmatthews05 It is enough to delete the resource association to the access package and run terraform afterwards.

We'll have to wait for Microsoft to update the MSGraph beta i think or someone finds a workaround utilizing the API triggered when manually deleting associations in the portal to be used within a null resource. https://elm.iga.azure.com/api/v1/accessPackages('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/accessPackageResourceRoleScopes

[manicminer]

Thanks all, since this is surfacing these errors I think we'll look to add a warning note to the provider docs in the meantime.

[cedrox]

Hello and thanks @gittyNico,
For me, you should have a force delete in the API. You cannot fail a complete deployment because there is somebody using the package. You should first delete assignment and then delete the package ?
Thanks

[cedrox]

Hello, here's the answer of Microsoft support on the ticket I open few hours ago :

• Indeed, for you to be able to Delete an Access Package you need first to guarantee that there are no active assignments.
• Now, to delete the Access Package Assignments it is true that we do not have a DELETE endpoint for that matter. Instead, you will be able to Delete the Access Package Assignment by adapting the CREATE Access Package Assignment Request to perform an "adminRemove" operation.
o To get the list of AssignmentIds you can run the GET ListAssignments.
Although I understand the solution is a bit confusing in the docs, I personally tested the actions described on the bullet points above and I'm very confident that they will be of good help for you!

Thanks

[gittyNico]

@cedrox The issue is about associations not about assignments.

There is a method already implemented to Delete "Catalog Resource Associations", but this does not exist for Access Package Resource Associations:
Provider Resource
Hamiltion msgraph API

[cedrox]

@manicminer, it seems that this is not be a limitation of graph API.
@gittyNico, If I try to destroy the access package by api code, I have a successful 204
https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages/{{AccessPackageID}}

If we delete access package, maybe we don't need to delete the association that come with it ?
If we refer to Microsoft official documentation and what I could test, the only method that we can use is:
https://learn.microsoft.com/en-us/graph/api/accesspackage-delete?view=graph-rest-1.0&tabs=http
Also maybe we need to mention that there is no active assignement when we try to delete.

Thanks

[gittyNico]

@cedrox that is correct, removing the access package does not require the associations being removed. But breaking the order of terraform resource creating and deletion is not really what you want to have in your code.
Furthermore the or at least our normal workflow is to have access packages per team, service or resources that access should be given to. So we do not want to delete the whole access package just because we remove one resource role association.

[cedrox]

Thanks for you answer. Can you clarify ? Do you mean that we cannot do full CRUD operations on access package ? You accept that the delete operation is not supported ? Then the workaround is the only way to delete my access package ?

[gittyNico]

Sorry if I may have confused you. I do not accept the not working CRUD operation on access packages including resource associations, neither am I working at MS or hashicorp. I am just adding details to this issue, so that when MS brings in an update to their msgraph beta API, this can quickly be implemented in the provider.

Maybe you can update your support request and ask for associations not assignments, but other than that I have no workaround apart from manually deleting the associations or maybe hijacking the GUI API:

We'll have to wait for Microsoft to update the MSGraph beta i think or someone finds a workaround utilizing the API triggered when manually deleting associations in the portal to be used within a null resource. https://elm.iga.azure.com/api/v1/accessPackages('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/accessPackageResourceRoleScopes

[cedrox]

Hello @gittyNico, I ask the support to understand why this method is not in the graph: https://elm.iga.azure.com/api/v1/accessPackages('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/accessPackageResourceRoleScopes
In the meantime if you have a working exemple of the workaround, it would be great.
Thanks

[cedrox]

Hello, here's the answer of the MS support regarding this endpoint that could confirm that we have MSGraph endpoints available to remove resources from catalogs.

To get to these endpoints we can first check the relationship that exists between “AccessPackageCatalog” and “AccessPackageResource”.
With this relationship in mind, to successfully remove Resources from an Access Package Catalog, we need to perform the following:
• First, you need to List the Access Package Catalog Resources (ObjectId of catalog can be obtained by running this call):

• Afterwards you can successfully remove the intended resource:

[cedrox]

Additionally, to be able to Delete an Access Package you need first to guarantee that there are no active assignments.
Now, to delete the Access Package Assignments it is true that we do not have a DELETE endpoint for that matter. Instead, you will be able to Delete the Access Package Assignment by adapting the CREATE Access Package Assignment Request to perform an "adminRemove" operation.
To get the list of AssignmentIds you can run the GET ListAssignments.

It would be a great improvement for the future

Hope that help

[alexwilcox9]

Hey, would any of you be able to see if the solution in my draft PR works for you?

I've given it a go in my environment and seem to be able delete pretty reliably
#1124

[gittyNico]

Hi @alexwilcox9,

I was able to test it in our environment and successfully deleted access package and catalog associations without assignments! Thank you for your contribution!
Let's hope this finds its way into the provider quickly :)

[github-actions]

This functionality has been released in v2.41.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!