
Cannot add resource_access argument of type "Role" #337

Closed
phil-bevan opened this issue Oct 19, 2020 · 2 comments · Fixed by #461

Comments

@phil-bevan

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v0.13.1

  • provider registry.terraform.io/hashicorp/azuread v1.0.0

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

resource "azuread_application" "myapp" {
  name                       = "myapp"
  available_to_other_tenants = true
  public_client              = true
  homepage                   = "https://nothing"
  oauth2_allow_implicit_flow = true

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    resource_access {
      id   = "a154be20-db9c-4678-8ab7-66f6cc099a59" # User.Read.All (Delegated)
      type = "Scope"
    }

    resource_access {
      id   = "4e46008b-f24c-477d-8fff-7bb4ec7aafe0" # Group.ReadWrite.All (Delegated)
      type = "Scope"
    }

    resource_access {
      id   = "62a82d76-70ea-41e2-9197-370581804d09" # Group.ReadWrite.All (Application)
      type = "Role"
    }
  }
}

Debug Output

https://gist.github.com/phil-bevan/e065b6863e153eda53a8b52a99a7d794

Panic Output

Expected Behavior

Application should be created with both Delegated and Application API permissions

Actual Behavior

Terraform fails to create the application

Error: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Request_BadRequest","date":"2020-10-19T16:05:48","message":{"lang":"en","value":"Property requiredResourceAccess.resourceAccess is invalid."},"requestId":"45ead34f-3636-4a3c-84bb-54550d150b51","values":[{"item":"PropertyName","value":"requiredResourceAccess.resourceAccess"},{"item":"PropertyErrorCode","value":"GenericError"}]}}]

If you remove the final 'Role' permission, the application will be created correctly with the other 2 Delegated permissions.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@manicminer
Contributor

manicminer commented Oct 20, 2020

Hi @phil-bevan, thanks for reporting. I was able to reproduce the error and narrowed it down to the publicClient (public_client in the provider) setting. It looks like this cannot be true whilst also having non-delegated permissions assigned to the application. Since this is a deprecated field in Azure, and doesn't really exist any more except in the API (it's been replaced by redirect URIs with types), the behavior seems to be unspecified.

You should be able to verify this by commenting out the public_client property in your config, then applying and verifying the requiredResourceAccess property in the app manifest, then uncomment and try to apply again.

Unfortunately there isn't anything we can do about this until we have moved to the newer Microsoft Graph API, and by moving to the new API, this issue will resolve itself. I'd suggest maybe raising an issue upstream or opening an Azure support ticket for clarification.
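A plan-time check for the combination described above, added here as an example and not part of the provider or this issue: it reads the JSON from `terraform show -json plan.out` and flags any azuread_application that sets public_client = true while also requesting Role-type (Application) permissions, so the 400 is caught before apply. The embedded plan is a constructed sample modelled on the config in this issue.

```python
"""Flag azuread_application resources that set public_client = true and also
request application ("Role") permissions, the mix the legacy Azure AD Graph
API rejects with "requiredResourceAccess.resourceAccess is invalid".
Input is the JSON from `terraform show -json plan.out`."""
import json

# Constructed sample plan modelled on the issue's config (not real output).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "azuread_application.myapp",
        "type": "azuread_application",
        "change": {"after": {
            "name": "myapp",
            "public_client": True,
            "required_resource_access": [{
                "resource_app_id": "00000003-0000-0000-c000-000000000000",
                "resource_access": [
                    {"id": "a154be20-db9c-4678-8ab7-66f6cc099a59", "type": "Scope"},
                    {"id": "62a82d76-70ea-41e2-9197-370581804d09", "type": "Role"},
                ],
            }],
        }},
    }]
})


def find_conflicts(plan_json: str) -> list:
    """Return (address, role_ids) for each azuread_application in the plan
    that has public_client = true together with Role-type resource_access."""
    hits = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azuread_application":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        if not after.get("public_client"):
            continue  # public_client false/absent: Role permissions are fine
        roles = [
            access["id"]
            for block in after.get("required_resource_access") or []
            for access in block.get("resource_access") or []
            if access.get("type") == "Role"
        ]
        if roles:
            hits.append((rc["address"], roles))
    return hits


if __name__ == "__main__":
    for address, roles in find_conflicts(SAMPLE_PLAN):
        print(f"{address}: public_client = true with Role permission(s) {roles}")
```

Run it in CI against the plan output; a non-empty result is the same combination the maintainer narrowed the failure down to.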

@github-actions

github-actions bot commented Aug 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021