
group_membership_claims shouldn't be a string #375

Closed
sioakim opened this issue Dec 22, 2020 · 4 comments · Fixed by #461

Comments


sioakim commented Dec 22, 2020

According to the TF documentation:
group_membership_claims - (Optional) Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Defaults to SecurityGroup. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.

But it is not a string - it can have multiple values:
From Terraform plan for a resource I imported:
group_membership_claims = "SecurityGroup, DirectoryRole" -> "SecurityGroup"

Looking at the MS documentation we can see that through the Enterprise Applications settings the option is actually a Radio button which would make sense for the current Terraform implementation.

[screenshot: Enterprise Applications group claims setting, shown as a radio button]

But through App Registrations the same option is actually multiple choice:

[screenshot: App Registrations group claims setting, shown as multiple-choice checkboxes]

Hence I think this setting should be a different type in Terraform.

@manicminer (Contributor)

Hi @sioakim, thanks for opening this issue. The API accepts this property as a string value, which is why it's represented as such in the provider. Have you tried specifying a comma-delimited string?


sioakim commented Dec 22, 2020

Yes, when I use the comma-separated form I get:

Error: expected group_membership_claims to be one of [All None SecurityGroup DirectoryRole ApplicationGroup], got SecurityGroup, DirectoryRole

BUT when I import from state it comes in as mentioned above as:
group_membership_claims = "SecurityGroup, DirectoryRole" (comma separated)

@manicminer (Contributor)

@sioakim Ah yes, replying in haste I forgot about the validation for that property, sorry about that.

Unfortunately the current SDK doesn't support setting combinations like this, and it appears that both the current API and the upcoming MS Graph API have the same limitation. This means we'll need API support before we'll be able to support different combinations of security/non-security groups, inferred groups and directory roles.

It's interesting though that multiple membership claim types are read back if you set them in the portal, I'll look into this further.
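The mismatch described in this thread is between the provider's single-value validator (which rejects "SecurityGroup, DirectoryRole") and the comma-delimited string the API reads back. Below is an added example, not code from terraform-provider-azuread or from PR #461, showing how a validator could accept that comma-delimited form: it splits on commas, trims the whitespace the API inserts after each comma, checks every element against the allowed values quoted in the error message above, rejects empty and duplicate elements, and re-joins the result in the API's ", " form so that a config value and the imported state compare equal. The function names and the allowed-value set are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedGroupMembershipClaims is the set of values listed in the provider's
// validation error on this issue (constructed here for the example).
var allowedGroupMembershipClaims = map[string]bool{
	"All":              true,
	"None":             true,
	"SecurityGroup":    true,
	"DirectoryRole":    true,
	"ApplicationGroup": true,
}

// ParseGroupMembershipClaims accepts either a single value ("SecurityGroup")
// or the comma-delimited form the API reads back ("SecurityGroup, DirectoryRole").
// Each element is trimmed and checked against the allowed set; empty and
// duplicate elements are rejected. The normalized element list is returned.
func ParseGroupMembershipClaims(raw string) ([]string, error) {
	if strings.TrimSpace(raw) == "" {
		return nil, fmt.Errorf("group_membership_claims must not be empty")
	}
	seen := make(map[string]bool)
	var out []string
	for _, part := range strings.Split(raw, ",") {
		claim := strings.TrimSpace(part)
		if claim == "" {
			return nil, fmt.Errorf("group_membership_claims contains an empty element in %q", raw)
		}
		if !allowedGroupMembershipClaims[claim] {
			return nil, fmt.Errorf("expected group_membership_claims element to be one of [All None SecurityGroup DirectoryRole ApplicationGroup], got %q", claim)
		}
		if seen[claim] {
			return nil, fmt.Errorf("group_membership_claims lists %q more than once", claim)
		}
		seen[claim] = true
		out = append(out, claim)
	}
	return out, nil
}

// NormalizeGroupMembershipClaims re-joins the validated elements with ", " so
// that a config value written as "SecurityGroup,DirectoryRole" compares equal
// to the "SecurityGroup, DirectoryRole" string read back from the API,
// avoiding a perpetual diff in plan.
func NormalizeGroupMembershipClaims(raw string) (string, error) {
	claims, err := ParseGroupMembershipClaims(raw)
	if err != nil {
		return "", err
	}
	return strings.Join(claims, ", "), nil
}

func main() {
	// Constructed inputs: the single value from the docs, the two-value string
	// read back from the API in this issue, and an invalid element.
	for _, in := range []string{"SecurityGroup", "SecurityGroup, DirectoryRole", "SecurityGroup,Bogus"} {
		norm, err := NormalizeGroupMembershipClaims(in)
		fmt.Printf("%q -> %q, err=%v\n", in, norm, err)
	}
}
```

Whether combinations are actually honoured on write is a separate question that manicminer raises above (the API and SDK may not support setting them); this validator only removes the provider-side rejection of a value the API itself returns.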

@manicminer manicminer added this to the v2.0.0 milestone May 27, 2021
@manicminer manicminer mentioned this issue Jun 30, 2021

github-actions bot commented Aug 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021