
AzureAD Application fails when using Snowflake application template due to not being able to disable app_roles #950

Closed
froblesmartin opened this issue Dec 15, 2022 · 4 comments · Fixed by #1214

Comments

@froblesmartin

froblesmartin commented Dec 15, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

terraform -v: v1.3.4
hashicorp/azuread: latest (2.31.0)

Affected Resource(s)

  • azuread_application_template
  • azuread_application

Terraform Configuration Files

data "azuread_application_template" "snowflake" {
  # https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.snowflake?tab=Overview
  display_name = "Snowflake for AAD"
}

resource "azuread_application" "app" {
  display_name            = "Snowflake"
  identifier_uris         = ["Our own URL"]  # identifier_uris takes a list of strings
  template_id             = data.azuread_application_template.snowflake.template_id
  ...
}

Debug Output

None (for now)

Panic Output

None

Expected Behavior

Configure the Azure AD Application Registration and the Azure AD Enterprise Application based on the Snowflake application template from the marketplace.

Actual Behavior

The apply fails when trying to disable the App Roles (which I think come by default due to using the Snowflake application template from the marketplace). Terraform tries to disable the App Roles (a step that it shouldn't do, maybe?) and fails because it cannot find the Azure AD Application which it is creating in the same resource itself.

I tried defining the App Roles that are automatically configured to try to avoid Terraform disabling them, but that does not change anything.

Terraform plan (after the previous failure; it basically deletes the previous Azure AD Application Registration and creates a new one, which fails again):

Terraform will perform the following actions:

  # azuread_application.app["snowflake_sso"] is tainted, so must be replaced
-/+ resource "azuread_application" "app" {
      ~ app_role_ids                   = {} -> (known after apply)
      ~ application_id                 = "3fe476fb-c60f-497e-9847-261e948974ae" -> (known after apply)
      - device_only_auth_enabled       = false -> null
      ~ disabled_by_microsoft          = "<nil>" -> (known after apply)
      - fallback_public_client_enabled = false -> null
      ~ group_membership_claims        = [
          + "All",
        ]
      ~ id                             = "5a406d64-b496-4c7c-be97-ab72c2f715ba" -> (known after apply)
      ~ identifier_uris                = [
          + "https://***.snowflakecomputing.com",
        ]
      + logo_url                       = (known after apply)
      ~ oauth2_permission_scope_ids    = {
          - "user_impersonation" = "b974441e-4e41-46e6-9707-446b679136af"
        } -> (known after apply)
      - oauth2_post_response_required  = false -> null
      ~ object_id                      = "5a406d64-b496-4c7c-be97-ab72c2f715ba" -> (known after apply)
      - owners                         = [] -> null
      ~ publisher_domain               = "***" -> (known after apply)
      ~ tags                           = [] -> (known after apply)
        # (4 unchanged attributes hidden)

      ~ api {
          - known_client_applications      = [] -> null
          - mapped_claims_enabled          = false -> null
            # (1 unchanged attribute hidden)

          + oauth2_permission_scope {
              + admin_consent_description  = "..."
              + admin_consent_display_name = "..."
              + enabled                    = true
              + id                         = "a49110ff-81f8-4502-bc09-0ca236a44aeb"
              + type                       = "User"
              + user_consent_description   = "..."
              + user_consent_display_name  = "..."
              + value                      = "user_impersonation"
            }
          - oauth2_permission_scope {
              - admin_consent_description  = "Allow the application to access appreg-snowflake on behalf of the signed-in user." -> null
              - admin_consent_display_name = "Access appreg-snowflake" -> null
              - enabled                    = true -> null
              - id                         = "b974441e-4e41-46e6-9707-446b679136af" -> null
              - type                       = "User" -> null
              - user_consent_description   = "Allow the application to access appreg-snowflake on your behalf." -> null
              - user_consent_display_name  = "Access appreg-snowflake" -> null
              - value                      = "user_impersonation" -> null
            }
        }

      ~ feature_tags {
          - custom_single_sign_on = false -> null
          - enterprise            = false -> null
          - gallery               = false -> null
          - hide                  = false -> null
        }

      - public_client {
          - redirect_uris = [] -> null
        }

      + required_resource_access {
          + resource_app_id = "00000003-0000-0000-c000-000000000000"

          + resource_access {
              + id   = "06da0dbc-49e2-44d2-8312-53f166ab848a"
              + type = "Scope"
            }
          + resource_access {
              + id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
              + type = "Scope"
            }
        }

      - single_page_application {
          - redirect_uris = [] -> null
        }

      ~ web {
          + logout_url    = "https://***.snowflakecomputing.com/fed/logout"
          ~ redirect_uris = [
              - "https://***.snowflakecomputing.com/*",
              + "https://***.privatelink.snowflakecomputing.com/fed/login",
              + "https://***.snowflakecomputing.com/fed/login",
              + "https://***.privatelink.snowflakecomputing.com/fed/login",
            ]
            # (1 unchanged attribute hidden)

          - implicit_grant {
              - access_token_issuance_enabled = false -> null
              - id_token_issuance_enabled     = true -> null
            }
        }

        # (2 unchanged blocks hidden)
    }

Terraform apply:

azuread_application.app["snowflake_sso"]: Destroying... [id=5a406d64-b496-4c7c-be97-ab72c2f715ba]
azuread_application.app["snowflake_sso"]: Still destroying... [id=5a406d64-b496-4c7c-be97-ab72c2f715ba, 10s elapsed]
azuread_application.app["snowflake_sso"]: Still destroying... [id=5a406d64-b496-4c7c-be97-ab72c2f715ba, 20s elapsed]
azuread_application.app["snowflake_sso"]: Destruction complete after 20s
azuread_application.app["snowflake_sso"]: Creating...
╷
│ Error: Could not disable App Roles for application with object ID "61b814b6-c176-4a21-ac97-5c03def92122"
│ 
│   with azuread_application.app["snowflake_sso"],
│   on azuread_application.tf line 8, in resource "azuread_application" "app":
│    8: resource "azuread_application" "app" {
│ 
│ application with ID "61b814b6-c176-4a21-ac97-5c03def92122" was not found
@manicminer
Contributor

Hi @froblesmartin, thanks for reporting this. When you tried to add the app roles to your configuration, did you ensure the individual role IDs were identical? Unfortunately with our current implementation, the provider will always try to set the app roles per your configuration and so in the case of marketplace apps where the app is homed in a tenant you cannot access, this will fail unless you match the configuration exactly.

If you can post the diff and your config, perhaps it will offer some more clues as to how you can proceed. Please be aware though, that it may not be possible to support a particular application due to this constraint within the provider.

We are planning to address this in the next major version of the provider as it will require some other potentially breaking changes.

@froblesmartin
Author

When you tried to add the app roles to your configuration, did you ensure the individual role IDs were identical?

Yes, I used the same IDs as the existing ones from the template.

If you can post the diff and your config, perhaps it will offer some more clues as to how you can proceed.

For now, I am just creating the Azure AD App manually as it is just a one-time configuration.

We are planning to address this in the next major version of the provider as it will require some other potentially breaking changes.

Cool! Thanks for letting me know. :)

@manicminer
Contributor

We are working on a new resource azuread_application_from_template along with a host of additional resources for managing individual components of applications, which I believe will resolve this issue of conflicting with application properties that were inherited from the gallery application template and which may be locked. These resources are in flight in #1214 and will land in the next provider release.

Our recommendation will be to adopt this new resource for launching applications from gallery templates, particularly in cases where the existing azuread_application scrambles or otherwise trips over these predefined properties. Accordingly, I've marked this issue for closure with #1214.
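The pattern recommended above, as an added example that is not code from the issue or from the provider's own documentation: the gallery app is launched with azuread_application_from_template so the inherited, possibly locked properties (such as the template's app roles) are left untouched, and tenant-specific settings are layered on with component resources instead of being written through azuread_application. The resource names and arguments are assumed from the v3.x provider (check the provider docs for your version); the hostname is a placeholder.

```hcl
# Added example, not the provider's own code. Assumes hashicorp/azuread 3.x,
# where azuread_application_from_template takes display_name and template_id
# and exports application_id (assumption: the "/applications/<object-id>"
# resource ID used by the component resources below).
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0"
    }
  }
}

data "azuread_application_template" "snowflake" {
  display_name = "Snowflake for AAD"
}

# Creates both the app registration and the enterprise app (service principal)
# from the gallery template. App roles, permission scopes and other properties
# inherited from the template are not managed here, so the provider never tries
# to disable or rewrite them.
resource "azuread_application_from_template" "snowflake" {
  display_name = "Snowflake"
  template_id  = data.azuread_application_template.snowflake.template_id
}

# Tenant-specific settings are added with per-component resources that reference
# the generated application, rather than by declaring the whole application.
# EXAMPLE-ACCOUNT is a placeholder for the Snowflake account hostname.
resource "azuread_application_identifier_uri" "snowflake" {
  application_id = azuread_application_from_template.snowflake.application_id
  identifier_uri = "https://EXAMPLE-ACCOUNT.snowflakecomputing.com"
}

resource "azuread_application_redirect_uris" "snowflake" {
  application_id = azuread_application_from_template.snowflake.application_id
  type           = "Web"
  redirect_uris = [
    "https://EXAMPLE-ACCOUNT.snowflakecomputing.com/fed/login",
  ]
}
```

Because the component resources only touch the properties they declare, a plan against the resulting state should not show the template's app roles or oauth2_permission_scope blocks being removed.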


@manicminer manicminer removed this from the v3.0.0 milestone Sep 27, 2024