-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AzureAD creating an ID with applications/GUID instead just GUID with latest version v2.44.1 #1227
Comments
Hi @arun-bejjanki-kr, thanks for raising this issue. This is due to an ID migration that happened in the latest release (see #1214 and #1221), to accommodate some new application resources. If you're using the Please let me know if this resolves your issue, if not please post your config and I'll be happy to take a look and see whether there's a bug lurking in the latest version. Thanks! |
Is |
No, the |
@manicminer one thing I've noticed with the new id: However, the Id returned by azuread_application_registration is in the format application/00000000-0000-0000-0000-000000000000 which leads to constant changes in the plan. As a workaround to get a consistant plan I just prefixed my reference to the id with '/': resource "azuread_application_redirect_uris" "next_new" { redirect_uris = [ This could be a quick win to fix this |
@jgschwendswica Thanks for the insight. I wasn't able to reproduce that issue where the ID is missing the first character, would you be able to provide more details on the steps you took that led to that? Thanks! |
Looks like I missed the leading forward slash during the import of my azuread_application_registration. |
Thanks for the feedback! We should be catching that at import time 👍 |
I have a question on this too. Are you saying that the id of the resource in the Terraform state file is different then the id of the resource in Azure? It seems like the state file should contain exactly what Azure API returns for this value. |
Whilst we often use the same resource ID that's provided by Azure, we sometimes elect to augment them or otherwise change them. In the AzureRM provider we make a best effort to match a resource ID with its Resource Manager URI, with other providers like AzureAD it's not as straightforward as there often isn't a unique addressable ID provided by data plane APIs like MS Graph, and so we're moving to commoditize resource IDs in this provider such that they can be managed more easily using the same libraries using similar paradigms. This aids development of the provider going forward. It's also why we have for a long time exposed explicit attributes like |
@manicminer it looks like the Note that the latest docs for |
@stevehipwell Whilst the deprecated In the As such, whilst the documentation now reflects only the new properties, this isn't a breaking change as existing configurations will continue to work. |
@manicminer the issue here is that they won't continue to work, existing configurations break due to the addition of the |
@stevehipwell Sorry, I misread the context of your message, to which I was replying. I understand that some configurations may have broken as a result of incorrect usage of the There is a state migration in place to gracefully handle the changing of the |
@manicminer the headline documentation (first example for the resource) I linked in my first comment was using |
@stevehipwell Could you elaborate further on the breakage you have experienced? The The following configuration continues to work as expected? terraform {
required_providers {
azuread = {
source = "hashicorp/azuread"
version = "~>2.45.0"
}
}
}
provider "azuread" {}
resource "azuread_application" "test" {
display_name = "aaatest-appid"
}
resource "azuread_service_principal" "test" {
application_id = azuread_application.test.application_id
} |
Hello, resource "azuread_application_password" "owner" {
application_object_id = azuread_application.owner.object_id
end_date_relative = "24h"
display_name = "bootstrap secret vaild 24h, do not delete" which gets me the following warning: │ Warning: Argument is deprecated
│
│ with azuread_application_password.owner,
│ on iam.tf line 39, in resource "azuread_application_password" "owner":
│ 39: application_object_id = azuread_application.owner.object_id
│
│ The `application_object_id` property has been replaced with the `application_id` property and will be removed in version 3.0 of the AzureAD provider
│
│ (and 3 more similar warnings elsewhere) Fine, let's update this to: resource "azuread_application_password" "owner" {
application_id = azuread_application.owner.object_id
end_date_relative = "24h"
display_name = "bootstrap secret vaild 24h, do not delete" but then, I get: │ Error: parsing "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": parsing the Application ID: the number of segments didn't match
│
│ Expected a Application ID that matched (containing 2 segments):
│
│ > /applications/00000000-0000-0000-0000-000000000000
│
│ However this value was provided (which was parsed into 0 segments):
│
│ > xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
│
│ The following Segments are expected:
│
│ * Segment 0 - this should be the literal value "applications"
│ * Segment 1 - this should be the user specified value for this applicationId [for example "00000000-0000-0000-0000-000000000000"]
│
│ The following Segments were parsed:
│
│ * Segment 0 - not found
│ * Segment 1 - not found
│
│
│ with azuread_application_password.owner,
│ on iam.tf line 39, in resource "azuread_application_password" "owner":
│ 39: application_id = azuread_application.owner.object_id So it appears Now, having looked at my state file, it appears that the
But there is no reference of the Could you please clarify? Thanks for your help! |
@nfrappart As per the docs, you'll need to consume the resource "azuread_application_password" "owner" {
application_id = azuread_application.owner.id
} To clarify my earlier point about the I do realise that all these IDs and complex values can get pretty confusing, that is actually one of the main reasons behind this refactoring. Another reason is to establish a convention within the provider for identifying resources, because at the moment we have a mix of object IDs (which is a real AAD primitive), UUIDs which are not object IDs, and complex concatenations unique to each resource. AAD does not offer a single commodity resource identifier across all APIs. Our documentation is the primary reference here, if you check the Examples for each of these resources you will find the latest recommended usage for each resource respectively. Hope this helps! |
thanks for the lightning fast feedback @manicminer Can I suggest however that the documentation for azuread_application gets updated to include the thanks again. |
Thanks for the suggestion, that's a good shout and we should be consistent here |
I have tried converting my federated identity credential to use application_id instead of application_object_id with the right hand side of the assignment using data.azuread_application.application.id, .object_id, .client_id, and .application_id and in each case I get the error referenced in @nfrappart's post 2 days ago. At this time, I cannot find any alternative than continuing to use the application_object_id property. This is creating new resources, not updating existing resources.
|
@stockmaj Thanks for reporting. The |
Thanks! |
@arun-bejjanki-kr Can you confirm if my earlier comment helps to resolve your issue? Thanks! |
Running into the same issue when using the client_id from azurerm_user_assigned_identity.
With future fixes what is the format we should be expecting in azuread_application_federated_identity_credential.application_id? ie. will it be just the GUID or will the two providers somehow sync on what to use for application_id |
@jayctran Due to historic ambiguous naming in Azure, the term "application ID" means different things depending on where you look. We are standardising on the term "client ID" for an application's GUID but to avoid issuing any breaking changes this means in the interim we have multiple attributes with borrowed naming. Please refer to the provider documentation for the best examples of which attributes to use, cross-referencing with the attribute descriptions if you need to brush up on what they mean. The azuread_application_federated_identity_credential resource doc shows the correct usage. |
Thanks @manicminer, yes I understand there'll be some differences. In my example I managed to get it working by prefixing "/applications/". What I meant to say was using the Managed Identity module from azurerm, both client_id or principal_id attributes are just GUIDS, and there's no attributes with a prefix of "/applications/". I did end up getting it working by hardcoding the prefix but thought I'd flag the difference between the two providers as part of this issue. EDIT: after looking into this more, please disregard everything I mentioned - there's actually azurerm_federated_identity_credential which is what I was after - has nothing to do with this particular issue. |
With v2.44.1 version of azuread provider id is creating with applications/GUID instead GUID.
Versions
terraform ">= 1.4.0, < 1.5.5"
azuread >= 2.20.0, < 2.44.0"
azurerm >= 3.11.0, < 4.0.0"
Expected Behavior
resource "azuread_application" "application" {
id = ""
. . .
. . .
Actual Behavior
resource "azuread_application" "application" {
id = "/applications/"
. . .
. . .
The text was updated successfully, but these errors were encountered: