
Terraform azuread_application oauth2_permissions issue on second apply only #340

Closed
ghost opened this issue Oct 22, 2020 · 2 comments · Fixed by #461

ghost commented Oct 22, 2020

This issue was originally opened by @scott-doyland-burrows as hashicorp/terraform#26672. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/azuread v1.0.0

Terraform Configuration Files

provider "azuread" {
}

resource "azuread_application" "example" {
  name = "example"
  oauth2_permissions = []
}

Expected Behaviour

The application is created as expected on the first apply.

terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azuread_application.example will be created
  + resource "azuread_application" "example" {
      + application_id          = (known after apply)
      + homepage                = (known after apply)
      + id                      = (known after apply)
      + identifier_uris         = (known after apply)
      + name                    = "example"
      + oauth2_permissions      = []
      + object_id               = (known after apply)
      + owners                  = (known after apply)
      + prevent_duplicate_names = false
      + public_client           = (known after apply)
      + reply_urls              = (known after apply)
      + type                    = "webapp/api"

      + app_role {
          + allowed_member_types = (known after apply)
          + description          = (known after apply)
          + display_name         = (known after apply)
          + id                   = (known after apply)
          + is_enabled           = (known after apply)
          + value                = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azuread_application.example: Creating...
azuread_application.example: Still creating... [10s elapsed]
azuread_application.example: Creation complete after 10s [id=57f92ff0-030e-4c75-99cc-66969440a56f]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state file shows a line as expected.

"oauth2_permissions": [],

A second apply of the same code should not cause any changes.

Actual Behaviour

A second apply of the same code causes Terraform to apply a change, but the state file is not altered.
Note the oauth2_permissions looks different from the first apply, even though the code is the same.

As a side note - the apply output is that which happens if the oauth2_permissions is omitted completely in the code.

terraform apply
azuread_application.example: Refreshing state... [id=f08c2e4f-15c7-4e99-b7e9-4adb19787c42]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azuread_application.example will be updated in-place
  ~ resource "azuread_application" "example" {
        application_id             = "324d3b09-40d4-4d51-8461-dbeadec7cfa1"
        available_to_other_tenants = false
        homepage                   = "https://example"
        id                         = "f08c2e4f-15c7-4e99-b7e9-4adb19787c42"
        identifier_uris            = []
        name                       = "example"
        oauth2_allow_implicit_flow = false
      ~ oauth2_permissions         = [
          - {
              - admin_consent_description  = "Allow the application to access example on behalf of the signed-in user."
              - admin_consent_display_name = "Access example"
              - id                         = "efd9b4a6-38a1-4466-9ffc-6c79790de498"
              - is_enabled                 = true
              - type                       = "User"
              - user_consent_description   = "Allow the application to access example on your behalf."
              - user_consent_display_name  = "Access example"
              - value                      = "user_impersonation"
            },
        ]
        object_id                  = "f08c2e4f-15c7-4e99-b7e9-4adb19787c42"
        owners                     = []
        prevent_duplicate_names    = false
        public_client              = false
        reply_urls                 = []
        type                       = "webapp/api"
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azuread_application.example: Modifying... [id=f08c2e4f-15c7-4e99-b7e9-4adb19787c42]
azuread_application.example: Modifications complete after 0s [id=f08c2e4f-15c7-4e99-b7e9-4adb19787c42]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Further applies do not cause any "changes" to happen; the apply says there are no changes.

Steps to Reproduce

  1. terraform init
  2. terraform apply
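
An added example, not part of the original issue or the provider's code: a check over `terraform show -json` plan output that flags enabled OAuth2 permission scopes still present on an `azuread_application` after an apply that was expected to clear them, as in the second plan above. The sample plan is constructed from the output in this issue, and `lingering_scopes` is a name chosen for this example.

```python
# Constructed sample: a trimmed `terraform show -json <planfile>` document shaped
# like the second-apply plan in this issue (only the fields the check reads).
SAMPLE_PLAN = {
    "resource_changes": [{
        "address": "azuread_application.example",
        "type": "azuread_application",
        "change": {
            "actions": ["update"],
            "before": {"oauth2_permissions": [{
                "id": "efd9b4a6-38a1-4466-9ffc-6c79790de498",
                "is_enabled": True,
                "type": "User",
                "value": "user_impersonation",
            }]},
            "after": {"oauth2_permissions": []},
        },
    }]
}


def lingering_scopes(plan):
    """Return (address, scope value, scope id) for every enabled OAuth2
    permission scope that exists on the application now but that the plan
    would remove, i.e. scopes the previous apply left behind."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azuread_application":
            continue
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("oauth2_permissions") or []
        after = (change.get("after") or {}).get("oauth2_permissions") or []
        kept_ids = {scope.get("id") for scope in after}
        for scope in before:
            if scope.get("is_enabled") and scope.get("id") not in kept_ids:
                findings.append((rc["address"], scope.get("value"), scope.get("id")))
    return findings


if __name__ == "__main__":
    for address, value, scope_id in lingering_scopes(SAMPLE_PLAN):
        print(f"{address}: scope {value!r} ({scope_id}) still present after apply")
```

Run against a plan generated immediately after an apply, a non-empty result means the previous apply did not converge and the listed scopes are still exposed on the application.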

manicminer commented Oct 27, 2020

Thanks for reporting this @scott-doyland-burrows

I believe this may be related to #328 and I'm tentatively calling this as an SDK issue because I think it's due to improper handling of optional+computed blocks.


github-actions bot commented Aug 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021