Unable to import ApplicationCertificate

[thecodetinker]

Hello!

• Vote on this issue by adding a 👍 reaction
• To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

I have an existing infrastructure created with Terraform that I'm trying to import into a Pulumi stack. Pulumi is very picky that the resource matches exactly, but I am usually able to get around any small differences by setting some 'IgnoreChanges'. With the ApplicationCertificate resource, however, I have come unstuck.

It may or may not be relevant that the query for an App Registration doesn't return the value of the certificate in the keyCredentials fields. See e.g. https://docs.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0 .

So when I try the import, this is the error I get:

warning: inputs to import do not match the existing resource; importing this resource will fail
        = azuread:index/applicationCertificate:ApplicationCertificate: (import)
            [id=36be950f-aef0-4326-blahblah/certificate/696903b3-ec41-blahblah]
            [urn=urn:pulumi:PHX001-None-Common::IglooCloudDeployment::IglooCloud$azuread:index/applicationCertificate:ApplicationCertificate::AgentAppRegistration-BatchCertificate]
fc-e081-4a70-9c4a-72a320df08e7]
          + encoding: "base64"
          + value   : "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZYRENDQTBT..."

You can see that Pulumi thinks the "value" is new. Ditto "encoding". If I tell Pulumi to ignore those properties by setting CustomResourceOptions.IgnoreChanges, then I get the following error on import:

stderr: error: azuread:index/applicationCertificate:ApplicationCertificate resource 'AgentAppRegistration-BatchCertificate' has a problem: Missing required argument: The argument "value" is required, but no definition was found.. Examine values at 'ApplicationCertificate.Value'.

So in summary, I can't set the value because Pulumi doesn't think it matches what's already in Azure, and I can't ignore it (or not set the value at all) because it's required.

My only workaround now is to not import it at all, in which case Pulumi will simply add the certificate again to the App Registration. That seems to work and isn't terrible, but it would be nice to import it properly if possible.

Steps to reproduce

1. Set up an App Registration in Azure Portal
2. Under 'Certificates and Secrets' upload a certificate
3. Run pulumi and attempt to import the App Registration and its Certificate

var appCertificate = new ApplicationCertificate("AppCertificate", new ApplicationCertificateArgs
{
    ApplicationObjectId = "00000000-0000-0000-0000-000000000000",
    Type = "AsymmetricX509Cert",
    Encoding = "base64",
    Value = "VFzRkFEQXIKTVNrd0p3WURWUVFERXlCSldGTXRTV2RzYjI5RGJH...",
    EndDate = "2023-03-04T09:31:05Z"
}, new CustomResourceOptions { ImportId = "00000000-0000-0000-0000-000000000000/certificate/11111111-1111-1111-1111-111111111111" });

Expected:
The certificate is imported into the stack.

Actual:
The import fails because the existing 'Value' is not recognised (along with 'Encoding').