/applications/ is appended to application_object_id, forcing replacement

[gpatounas]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.6.2
hashicorp/azuread v2.44.0

Affected Resource(s)

observed:
azuread_application_password
azuread_application_certificate

potentially any resource with the application_object_id argument

Terraform Configuration Files

resource "azuread_application_password" "sample" {
  application_object_id = azuread_application.sample.id
  ...
}

Expected Behavior

No changes were expected in the plan which was triggered as part of automatically upgrading the azuread provider from v2.43.0 to v2.44.0

Actual Behavior

The given plan would replace all azuread_application_password and azuread_application_certificate resources due to the changes observed in the application_object_id argument e.g.:

application_object_id = "00000000-0000-0000-0000-000000000000" -> "/applications/00000000-0000-0000-0000-000000000000"

Steps to Reproduce

Upgrade existing configuration which includes resources with the application_object_id argument to azuread v2.44.0

[beyondbill]

Try

resource "azuread_application_password" "sample" {
  application_object_id = azuread_application.sample.object_id
  ...
}

or preferrably

resource "azuread_application_password" "sample" {
  application_id = azuread_application.sample.id
  ...
}

[manicminer]

Hi @gpatounas, thanks for reporting this issue. As @beyondbill mentioned, the id attribute of azuread_application was not the supported attribute for referencing, the correct attribute to use here is object_id.

However, I have noticed that in the documentation for azuread_application_certificate, we incorrectly used the id attribute in the example configuration. This was an unfortunate documentation bug and, in the interest of avoiding breaking configurations where this confusion has led to configurations using id in place of object_id, we'll issue a fix for both these resources shortly.

Going forward, the application_object_id property has been deprecated and we'd therefore recommend updating your configuration, as soon as you are able, to use the following properties/attributes with provider versions 2.44 or later:

resource "azuread_application_certificate" "example" {
  application_id = azuread_application.example.id
}

resource "azuread_application_password" "example" {
  application_id = azuread_application.example.id
}

[manicminer]

A fix for this has been released in v2.44.1, please upgrade!