hashicorp · manicminer · Aug 26, 2021 · Aug 26, 2021 · Aug 26, 2021 · Aug 26, 2021
@@ -61,7 +61,8 @@ resource "azuread_application" "example" {
     allowed_member_types = ["User", "Application"]
     description          = "Admins can manage roles and perform all task actions"
     display_name         = "Admin"
-    is_enabled           = true
+    enabled              = true
+    id                   = "1b19509b-32b1-4e9f-b71d-4992aa991967"
     value                = "admin"
   }
 
@@ -70,7 +71,7 @@ resource "azuread_application" "example" {
     description          = "ReadOnly roles have limited query access"
     display_name         = "ReadOnly"
     enabled              = true
-    id                   = "%[6]s"
+    id                   = "497406e4-012a-4267-bf18-45a1cb148a01"
     value                = "User"
   }
 

@@ -89,6 +89,9 @@ The following arguments are supported:
 * `mail_enabled` - (Optional) Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
 * `mail_nickname` - (Optional) The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
 * `members` - (Optional) A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals.
+
+!> **Warning** Do not use the `azuread_group_member` resource at the same time as the `members` argument.
+
 * `owners` - (Optional) A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal being used to execute Terraform is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed.
 
 -> **Group Ownership**  It's recommended to always specify one or more group owners, including the principal being used to execute Terraform, such as in the example above. When removing group owners, if a user principal has been assigned ownership, the last user cannot be removed as an owner. Microsoft 365 groups are required to always have at least one owner which _must be a user_ (i.e. not a service principal).
@@ -105,8 +108,6 @@ The following arguments are supported:
 
 -> **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `prevent_duplicate_names` argument to check for existing groups if you want to avoid name collisions.
 
-!> **Warning** Do not use the `azuread_group_member` resource at the same time as the `members` argument.
-
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:

@@ -45,6 +45,12 @@ func (td TestData) ResourceTestIgnoreDangling(t *testing.T, _ types.TestResource
 }
 
 func (td TestData) runAcceptanceTest(t *testing.T, testCase resource.TestCase) {
+	testCase.ExternalProviders = map[string]resource.ExternalProvider{
+		"random": {
+			Source:            "hashicorp/random",
+			VersionConstraint: ">= 3.0.0",
+		},
+	}
 	testCase.ProviderFactories = map[string]func() (*schema.Provider, error){
 		"azuread": func() (*schema.Provider, error) {
 			return AzureADProvider, nil

@@ -146,6 +146,23 @@ func TestAccApplication_appRoles(t *testing.T) {
 	})
 }
 
+func TestAccApplication_duplicateAppRolesOauth2PermissionsIdsUnknown(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_application", "test")
+	r := ApplicationResource{}
+
+	data.ResourceTest(t, r, []resource.TestStep{
+		{
+			Config: r.duplicateAppRolesOauth2PermissionsIdsUnknown(data),
+			Check: resource.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("app_role.#").HasValue("1"),
+				check.That(data.ResourceName).Key("app_role_ids.%").HasValue("1"),
+				check.That(data.ResourceName).Key("api.0.oauth2_permission_scope.#").HasValue("1"),
+				check.That(data.ResourceName).Key("oauth2_permission_scope_ids.%").HasValue("1"),
+			),
+		},
+	})
+}
+
 func TestAccApplication_duplicateAppRolesOauth2PermissionsValues(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azuread_application", "test")
 	r := ApplicationResource{}
@@ -877,6 +894,41 @@ resource "azuread_application" "test" {
 `, data.RandomInteger, uuids[0], uuids[1], uuids[2], uuids[3])
 }
 
+func (ApplicationResource) duplicateAppRolesOauth2PermissionsIdsUnknown(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+provider "random" {}
+
+resource "random_uuid" "test" {
+  count = 2
+}
+
+resource "azuread_application" "test" {
+  display_name = "acctest-APP-%[1]d"
+
+  api {
+    oauth2_permission_scope {
+      admin_consent_description  = "Administer the application"
+      admin_consent_display_name = "Administer"
+      enabled                    = true
+      id                         = random_uuid.test[0].id
+      type                       = "Admin"
+      value                      = "administer"
+    }
+  }
+
+  app_role {
+    allowed_member_types = ["User"]
+    description          = "Admins can manage roles and perform all task actions"
+    display_name         = "Admin"
+    enabled              = true
+    id                   = random_uuid.test[1].id
+    value                = "administrate"
+  }
+}
+`, data.RandomInteger, data.UUID(), data.UUID())
+}
+
 func (ApplicationResource) duplicateAppRolesOauth2PermissionsValues(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azuread" {}

@@ -311,20 +311,20 @@ func applicationValidateRolesScopes(appRoles, oauth2Permissions []interface{}) e
 
 	for _, roleRaw := range appRoles {
 		role := roleRaw.(map[string]interface{})
-		if id := role["id"].(string); id != "" {
+		if id := role["id"].(string); id != "" && id != tf.PluginSdkUnknownValue {
 			ids = append(ids, id)
 		}
-		if val := role["value"].(string); val != "" {
+		if val := role["value"].(string); val != "" && val != tf.PluginSdkUnknownValue {
 			values = append(values, val)
 		}
 	}
 
 	for _, scopeRaw := range oauth2Permissions {
 		scope := scopeRaw.(map[string]interface{})
-		if id := scope["id"].(string); id != "" {
+		if id := scope["id"].(string); id != "" && id != tf.PluginSdkUnknownValue {
 			ids = append(ids, id)
 		}
-		if val := scope["value"].(string); val != "" {
+		if val := scope["value"].(string); val != "" && val != tf.PluginSdkUnknownValue {
 			values = append(values, val)
 		}
 	}

@@ -0,0 +1,6 @@
+package tf
+
+// PluginSdkUnknownValue is a dummy value used/sent by the plugin SDK when a real value is not known at plan time,
+// e.g. during a CustomizeDiff function
+// See https://github.com/hashicorp/terraform-plugin-sdk/blob/main/internal/configs/hcl2shim/values.go#L16
+const PluginSdkUnknownValue = "74D93920-ED26-11E3-AC10-0800200C9A66"