azuread_application_password.end_date_relative is ignored

[mhyllander]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.8.5
on linux_amd64

• provider registry.terraform.io/hashicorp/azuread v2.53.1
• provider registry.terraform.io/hashicorp/azurerm v3.110.0
• provider registry.terraform.io/hashicorp/time v0.11.2
• provider registry.terraform.io/microsoft/azuredevops v1.1.1

Affected Resource(s)

• azuread_application_password

Terraform Configuration Files

resource "azuread_application_password" "app" {
  application_id    = azuread_application.app.id
  display_name      = "service connection"
  end_date_relative = "9504h" # 13 months
  rotate_when_changed = {
    rotation = time_rotating.rotation_period.id
  }
}

Debug Output

Panic Output

Expected Behavior

The rotated password should have been created with an expiration date of 13 months.

Actual Behavior

The rotated password was created with an expiration date of 24 months.

Steps to Reproduce

1. terraform apply

Important Factoids

References

applicationPasswordResourceCreate calls
PasswordCredentialForResource, which parses end_date_relative, then calls
PasswordCredential, which doesn't use end_date_relative, resulting in a default end_date of 24 months.

Compare with the end date calculations done in KeyCredentialForResource.

• #0000

[mhyllander]

This appears to be a regression caused by #1389.

[fgarcia-cnb]

you can work around it with something similar to this:

resource "time_static" "azuread_pass" {
  triggers = {
    # Save the time each switch of vm_count
    resource_count = var.resource_count
  }
}

resource "azuread_application_password" "chef_infra_spn" {
  count                 = var.resource_count > 0 ? 1 : 0
  application_id        = var.infra_spn_object_id["application_id"]
  display_name          = var.workspace
  #end_date_relative     = "2h"
  end_date              = timeadd(time_static.azuread_pass.rfc3339, "2h")

[fgarcia-cnb]

damn it, the above code works, but if someone delets the password outside of terraform, terraform will try recreating the password with an end date older than start date, which is not allowed. we really need the end_relative parameter fixed

[fgarcia-cnb]

a better solution for my previous example. the password will only rotate on count change... end date is ignored so that its not recreated on every tf run

resource "azuread_application_password" "chef_infra_spn" {
  count          = var.resource_count > 0 ? 1 : 0
  application_id = var.infra_spn_object_id["application_id"]
  display_name   = var.workspace
  end_date       = timeadd(timestamp(), "2h")

  rotate_when_changed = {
    resource_count = var.resource_count
  }

  lifecycle {
    ignore_changes = [end_date]
  }
}

[nickdala]

Here is the latest warning message with version 3.0.2 of azuread. From the message, end_date_relative is deprecated.

╷
│ Warning: Argument is deprecated
│
│ with azuread_application_password.application_password,
│ on main.tf line 10, in resource "azuread_application_password" "application_password":
│ 10: end_date_relative = "360h" # 15 days
│
│ The end_date_relative property is deprecated and will be removed in a future
│ version of the AzureAD provider. Please instead use the Terraform timeadd()
│ function to calculate a value for the end_date property.
╵