Add in second app_role to existing azuread_application fails #721
Comments
Hi @StefanSchoof, thanks for reporting this issue. Looking through the debug log, the API is indeed reporting an error for the

Unfortunately I could not reproduce this error. Looking at the HTTP traces, my testing performs the same actions as in your failed apply operation - that is, both of them appear to be doing the right thing. At this time I believe this is quite likely to be an API bug. Are you able to consistently reproduce this error or does the same operation now work as expected?
Thanks @manicminer for looking into this. I figured it out. The problem is that Azure AD does not allow a Value named

Having

```hcl
app_role {
  allowed_member_types = ["User"]
  description          = "Standard User"
  display_name         = "Standard User"
  enabled              = true
  id                   = "eebd0ddb-ff52-4a3f-890b-6f97a6cafd50"
  value                = "Standard.User"
}
```

is working (and

```hcl
app_role {
  allowed_member_types = ["User"]
  description          = "User"
  display_name         = "User"
  enabled              = true
  id                   = "eebd0ddb-ff52-4a3f-890b-6f97a6cafd50"
  value                = "User"
}
```

not). Not sure if it makes sense to add a check in tf to prevent this name or just close this issue.
This restriction is not documented at https://docs.microsoft.com/en-us/graph/api/resources/approle?view=graph-rest-beta
@StefanSchoof That's great, thanks for testing and coming back to this. We can validate this in the provider to provide a more meaningful error message to aid other users in future.
This functionality has been released in v2.19.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I think I found the real cause. The

```hcl
app_role {
  allowed_member_types = [
    "User",
    "Application",
  ]
  description  = "User"
  display_name = "User"
  enabled      = true
  id           = "<guid>"
  value        = "User"
}

api {
  requested_access_token_version = 2

  oauth2_permission_scope {
    admin_consent_description  = "User access ${local.ad_application_name} application"
    admin_consent_display_name = "User access ${local.ad_application_name} application"
    enabled                    = true
    id                         = "<guid>"
    type                       = "User"
    user_consent_description   = "Access ${local.ad_application_name} application"
    user_consent_display_name  = "Access ${local.ad_application_name} application"
    value                      = "user"
  }
}
```

results in this error when creating a role with the same name.
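The collision described in the comment above, an app_role value clashing with an oauth2_permission_scope value, can be caught before a plan reaches the Graph API. The following Go function is an added illustration, not code from terraform-provider-azuread, and it assumes the comparison is case-insensitive (inferred from "User" vs "user" in this issue, not from any documented Graph rule); the struct fields and sample values are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AppRole and PermissionScope keep only the fields the check needs from the
// app_role and oauth2_permission_scope blocks shown in the issue.
type AppRole struct {
	ID          string
	DisplayName string
	Value       string
}

type PermissionScope struct {
	ID          string
	DisplayName string
	Value       string
}

// ValueConflicts returns one message per app_role whose value collides with
// an oauth2_permission_scope value. Case folding is an assumption taken from
// this issue (role "User" rejected next to scope "user").
func ValueConflicts(roles []AppRole, scopes []PermissionScope) []string {
	byValue := make(map[string]PermissionScope, len(scopes))
	for _, s := range scopes {
		byValue[strings.ToLower(s.Value)] = s
	}
	var problems []string
	for _, r := range roles {
		if r.Value == "" {
			continue // an unset value cannot collide with a scope
		}
		if s, ok := byValue[strings.ToLower(r.Value)]; ok {
			problems = append(problems, fmt.Sprintf(
				"app_role %q (value %q) conflicts with oauth2_permission_scope %q (value %q)",
				r.DisplayName, r.Value, s.DisplayName, s.Value))
		}
	}
	return problems
}

func main() {
	// Constructed sample mirroring the failing configuration from the issue.
	scopes := []PermissionScope{{ID: "<guid>", DisplayName: "Access app", Value: "user"}}
	roles := []AppRole{{ID: "<guid>", DisplayName: "User", Value: "User"}}
	for _, p := range ValueConflicts(roles, scopes) {
		fmt.Println(p)
	}
}
```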
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform (and AzureAD Provider) Version
Terraform v1.1.4
on windows_amd64

Affected Resource(s)
azuread_application

Terraform Configuration Files
old:
updated with second app_role

Debug Output
https://gist.github.com/StefanSchoof/6c4a050558ad644b672781375ff2d0aa

Panic Output
n/a

Expected Behavior
Adding a new app_role to an existing app will update the app, and afterwards the app has two app_roles.

Actual Behavior
I get an error on apply:

Steps to Reproduce

Important Factoids
An apply that updates the one app_role is successful.

References