ignore_changes does not ignore app_role block on azuread_application #1344

Closed
papanito opened this issue Mar 25, 2024 · 0 comments · Fixed by #1403


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.7.5
on windows_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.47.0
+ provider registry.terraform.io/hashicorp/azurerm v3.97.1
+ provider registry.terraform.io/hashicorp/random v3.6.0

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

We have a module with an app_roles.tf:

resource "random_uuid" "app_roles" {
  for_each = var.appRoles
  keepers  = {}
}

resource "azuread_application_app_role" "app_roles" {
  for_each             = var.appRoles
  application_id       = azuread_application.ar.id
  allowed_member_types = each.value.allowed_member_types
  description          = each.value.description
  display_name         = each.key
  role_id              = random_uuid.app_roles[each.key].result
  value                = each.key
}

And an ar.tf with ignore_changes for app_role:

data "azuread_users" "users" {
  user_principal_names = var.owners.users
}

resource "azuread_application" "ar" {
  display_name = var.displayName

  owners = data.azuread_users.users.object_ids

  api {
    mapped_claims_enabled          = var.api.mapped_claims_enabled
    requested_access_token_version = var.api.requested_access_token_version
    known_client_applications      = var.api.known_client_applications
  }

  sign_in_audience        = var.sign_in_audience
  group_membership_claims = var.group_membership_claims

  web {
    implicit_grant {
      access_token_issuance_enabled = var.implicit_grant.access_token_issuance_enabled
      id_token_issuance_enabled     = var.implicit_grant.id_token_issuance_enabled
    }
  }

  lifecycle {
    ignore_changes = [
      app_role,
      api[0].oauth2_permission_scope,
      required_resource_access,
      web,
      single_page_application,
      public_client,
      optional_claims,
      identifier_uris,
    ]
  }
}

Debug Output

N/A

Panic Output

Expected Behavior

tf plan should ignore differences in the app_role blocks on the azuread_application.

Actual Behavior

Differences are shown:

  # module.my_app.azuread_application.ar has changed
  ~ resource "azuread_application" "ar" {
        id                             = "/applications/xxxxxxx-xxxx-xxxx-xxxx-111111111111"
        # (16 unchanged attributes hidden)

      - app_role {
          - allowed_member_types = [
              - "User",
            ] -> null
          - description          = "Agent" -> null
          - display_name         = "Agent" -> null
          - enabled              = true -> null
          - id                   = "xxxxxxx-xxxx-xxxx-xxxx-111111111111" -> null
          - value                = "Agent" -> null
        }
      + app_role {
          + allowed_member_types = [
              + "User",
            ]
          + description          = "Agent Role"
          + display_name         = "Agent"
          + enabled              = true
          + id                   = "xxxxxxx-xxxx-xxxx-xxxx-111111111111"
          + value                = "Agent"
        }

        # (7 unchanged blocks hidden)
    }

Steps to Reproduce

N/A

Important Factoids

References

N/A
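
An added example, not from the issue author or the provider project: when a plan replaces an app_role block as in the diff above, pairing the blocks by role id shows which fields really changed, so a reviewer can tell a description edit from a change to who may hold the role. It reads the JSON produced by `terraform show -json <planfile>`; the sample input is constructed, the role id is a placeholder, and the `AUTHZ_FIELDS` classification is an assumption of this example.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Values mirror the issue's diff; the role id is a placeholder.
ROLE_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_PLAN = {
    "resource_drift": [{
        "address": "module.my_app.azuread_application.ar",
        "type": "azuread_application",
        "change": {
            "before": {"app_role": [{"allowed_member_types": ["User"], "description": "Agent",
                                     "display_name": "Agent", "enabled": True,
                                     "id": ROLE_ID, "value": "Agent"}]},
            "after": {"app_role": [{"allowed_member_types": ["User"], "description": "Agent Role",
                                    "display_name": "Agent", "enabled": True,
                                    "id": ROLE_ID, "value": "Agent"}]},
        },
    }]
}

# Assumption: these fields affect who can hold the role or what token claim it emits.
AUTHZ_FIELDS = {"allowed_member_types", "enabled", "value"}

def _roles_by_id(state):
    return {r["id"]: r for r in ((state or {}).get("app_role") or [])}

def _norm(v):
    # app_role member types are unordered, so compare lists order-insensitively
    return sorted(v) if isinstance(v, list) else v

def app_role_changes(plan, section="resource_drift"):
    """Pair app_role blocks by id and report what changed per role."""
    findings = []
    for rc in plan.get(section) or []:
        if rc.get("type") != "azuread_application":
            continue
        change = rc.get("change") or {}
        before, after = _roles_by_id(change.get("before")), _roles_by_id(change.get("after"))
        for rid in sorted(before.keys() | after.keys()):
            old, new = before.get(rid), after.get(rid)
            if old is None or new is None:
                findings.append((rc["address"], rid, "added" if old is None else "removed", {}, True))
                continue
            diff = {k: (old.get(k), new.get(k)) for k in sorted(old.keys() | new.keys())
                    if _norm(old.get(k)) != _norm(new.get(k))}
            if diff:
                findings.append((rc["address"], rid, "modified", diff, bool(AUTHZ_FIELDS & diff.keys())))
    return findings

if __name__ == "__main__":
    print(json.dumps(app_role_changes(SAMPLE_PLAN), indent=2))
```

Passing `section="resource_changes"` applies the same comparison to planned changes, since both arrays carry `change.before` and `change.after`.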
