hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory

Home Page: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs

License: Mozilla Public License 2.0

Makefile 0.26% Go 98.87% Shell 0.85% HCL 0.02%
azure azure-active-directory terraform-provider azuread terraform azuread-provider

terraform-provider-azuread's Introduction

Terraform Provider for Azure Active Directory

NOTE: Version 1.0 and above of this provider requires Terraform 0.12 or later.

Usage Example

# Configure Terraform
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.7.0"
    }
  }
}

# Configure the Azure Active Directory Provider
provider "azuread" {

  # NOTE: Environment variables (ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID)
  # can also be used for service principal authentication, which keeps the
  # client secret out of the configuration files. Terraform also supports
  # authenticating via the Azure CLI.
  # See official docs for more info: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs

  # client_id     = "..."
  # client_secret = "..."
  # tenant_id     = "..."
}

# Retrieve domain information
data "azuread_domains" "example" {
  only_initial = true
}

# Create an application (v2.x of the provider uses display_name; the
# former name attribute was removed in 2.0)
resource "azuread_application" "example" {
  display_name = "ExampleApp"
}

# Create a service principal
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Create a user
resource "azuread_user" "example" {
  user_principal_name = "ExampleUser@${data.azuread_domains.example.domains[0].domain_name}"
  display_name        = "Example User"
  # NOTE: the password is written to Terraform state in plaintext; protect the
  # state backend accordingly and never commit state to source control.
  password            = "..."
}

Further usage documentation is available on the Terraform website.

Developer Requirements

  • Terraform 0.12.x or later
  • Go 1.16.x (to build the provider plugin)

If you're building on Windows, you will also need:

  • GNU32 Make: make sure its bin path is added to your PATH environment variable.
  • Git Bash for Windows: at the step "Adjusting your PATH environment", choose "Use Git and optional Unix tools from Windows Command Prompt".

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.16+ is required). You'll also need to correctly set up a GOPATH, as well as add $GOPATH/bin to your $PATH.

Clone the repository to: $GOPATH/src/github.com/hashicorp/terraform-provider-azuread

$ mkdir -p $GOPATH/src/github.com/hashicorp; cd $GOPATH/src/github.com/hashicorp
$ git clone https://github.com/hashicorp/terraform-provider-azuread

Change to the clone directory and run make tools to install the dependent tooling needed to test and build the provider.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make tools
...
$ make build
...
$ $GOPATH/bin/terraform-provider-azuread
...

In order to test the provider, you can simply run make test.

$ make test

The majority of tests in the provider are Acceptance Tests, which provision real resources in Azure. It's possible to run the entire acceptance test suite by running make testacc; however, it's likely you'll want to run a subset, which you can do using a prefix, by running:

make testacc TESTARGS='-run=TestAccApplication'

The following ENV variables must be set in your shell prior to running acceptance tests:

  • ARM_CLIENT_ID
  • ARM_CLIENT_SECRET
  • ARM_TENANT_ID
  • ARM_TEST_LOCATION
  • ARM_TEST_LOCATION_ALT

NOTE: Acceptance tests create real resources, and may cost money to run.

terraform-provider-azuread's People

Contributors

alexwilcox9, appilon, audunsolemdal, bubbletroubles, ccadruvi, daramir, dependabot[bot], erikrok, hashicorp-tsccr[bot], iwarapter, jackofallops, jeanneryan, jonasbak, katbyte, laurentlesle, manicminer, markdordoy, patrickmarabeas, radeksimko, rayterrill, robertbrandso, stawik-mesa, swissgipfel, tagur87, tbehling, threpio, tiwood, tombuildsstuff, tracypholmes, tsanton

terraform-provider-azuread's Issues

provider.azurerm v1.22.0 crashes terraform v0.11.11 and causes error locking tfstate

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v0.11.11

  • provider.azuread v0.1.0
  • provider.azurerm v1.22.0

Affected Resource(s)

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x176c6a8]

goroutine 6110 [running]:
github.com/hashicorp/terraform/terraform.(*NodeRefreshableManagedResourceInstance).evalTreeManagedResourceNoState(0xc000308030, 0xa2176d0, 0xc0008480a0)
/private/tmp/terraform-20181217-80581-zpqwjg/terraform-0.11.11/src/github.com/hashicorp/terraform/terraform/node_resource_refresh.go:238 +0x328
github.com/hashicorp/terraform/terraform.(*NodeRefreshableManagedResourceInstance).EvalTree(0xc000308030, 0x3ae1700, 0xc000308030)
/private/tmp/terraform-20181217-80581-zpqwjg/terraform-0.11.11/src/github.com/hashicorp/terraform/terraform/node_resource_refresh.go:98 +0x6e
github.com/hashicorp/terraform/terraform.(*Graph).walk.func1(0x3ae1700, 0xc000308030, 0x0, 0x0)
/private/tmp/terraform-20181217-80581-zpqwjg/terraform-0.11.11/src/github.com/hashicorp/terraform/terraform/graph.go:113 +0x9a2
github.com/hashicorp/terraform/dag.(*Walker).walkVertex(0xc0009f8000, 0x3ae1700, 0xc000308030, 0xc0002fe2c0)
/private/tmp/terraform-20181217-80581-zpqwjg/terraform-0.11.11/src/github.com/hashicorp/terraform/dag/walk.go:387 +0x367
created by github.com/hashicorp/terraform/dag.(*Walker).Update
/private/tmp/terraform-20181217-80581-zpqwjg/terraform-0.11.11/src/github.com/hashicorp/terraform/dag/walk.go:310 +0x986

Expected Behavior

Terraform should have successfully run a plan.

Steps to Reproduce

  1. az login
  2. terraform init
  3. terraform plan --> causes panic
  4. terraform plan --> causes error locking state

Important Factoids

The error below appears when running terraform plan a second time. While the tfstate blob is still leased in Azure, the next plan fails to acquire the lock again.

Error: Error locking state: Error acquiring the state lock: storage: service returned error: StatusCode=409, ErrorCode=LeaseAlreadyPresent, ErrorMessage=There is already a lease present.
RequestId:b2592325-701e-004a-607e-c2a9a8000000
Time:2019-02-12T02:57:14.9888560Z, RequestInitiated=Tue, 12 Feb 2019 02:57:14 GMT, RequestId=b2592325-701e-004a-607e-c2a9a8000000, API Version=2016-05-31, QueryParameterName=, QueryParameterValue=
Lock Info:
ID: xxxxx
Path: xxxxxx
Operation: OperationTypePlan
Who: xxxxxx
Version: 0.11.11
Created: 2019-02-12 02:56:55.201233 +0000 UTC
Info:

Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.

Azure AD Guest Organization Management

Description

A way to manage Allowed or Denied guest organisations in the Azure AD external organisational relationship settings.

Would like to be able to use an azuread_guest type resource (#41) but wouldn't be able to in many Azure AD tenancies until we can also whitelist the domain for the guests.

New or Affected Resource(s)

  • azuread_guest_organization

Potential Terraform Configuration

locals {
    domains = ["domain1.com","domain2.com","..."]
}

# if whitelisting collaboration with specified external organisations
resource "azuread_guest_organization" "allow-entity" {
    count = "${length(local.domains)}"
    type = "Allow"
    domain = "${local.domains[count.index]}"
}

# if blacklisting collaboration with specified external organisations
resource "azuread_guest_organization" "deny-entity" {
    count = "${length(local.domains)}"
    type = "Deny"
    domain = "${local.domains[count.index]}"
}

Specifically separating management of individual guest organisations rather than treating it as a single collection set. Organisations may be added from elsewhere, managed under other processes.

An error would be given if specifying Allow in an AAD tenant with the Deny invitations ... setting, and the reverse, if specifying Deny in an AAD tenant with the Allow invitations only ... setting.

References

Service Principal passwords are stored as plaintext

Description

When using the resource "azurerm_azuread_service_principal_password", the password that you create is saved in plaintext in the statefile. Since you never want to get that password out of the statefile to use it, it would be better to hash it to prevent people from getting sensitive information from the state.

New or Affected Resource(s)

  • azurerm_azuread_service_principal_password

References

#2402 would address and fix this problem
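
A practitioner who wants to catch this before a state file is shared can scan the state for populated credential attributes. The following Go program is an added example, not code from the provider or from this issue: it parses a Terraform v4 state file (the format Terraform 0.12 and later write), looks for managed instances of azuread_service_principal_password and the legacy azurerm_azuread_service_principal_password, and reports the address and length of any stored value without printing the secret. The embedded state is constructed for the example and its ids are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Resource types whose "value" attribute is a credential that Terraform
// writes to state in plaintext: the current azuread name and the legacy
// azurerm-provider name used in the issue above.
var secretResourceTypes = map[string]bool{
	"azuread_service_principal_password":         true,
	"azurerm_azuread_service_principal_password": true,
}

// tfState mirrors only the parts of a Terraform v4 state file that we read.
type tfState struct {
	Version   int `json:"version"`
	Resources []struct {
		Mode      string `json:"mode"`
		Type      string `json:"type"`
		Name      string `json:"name"`
		Instances []struct {
			IndexKey   json.RawMessage            `json:"index_key"`
			Attributes map[string]json.RawMessage `json:"attributes"`
		} `json:"instances"`
	} `json:"resources"`
}

// Finding identifies one resource instance that holds a plaintext secret.
// Only the address and the length are reported; the secret itself is never
// copied out of the state.
type Finding struct {
	Address string // e.g. azuread_service_principal_password.example[0]
	Length  int
}

// FindPlaintextPasswords parses a v4 state file and returns every managed
// instance of a known password resource whose "value" attribute is a
// non-empty string.
func FindPlaintextPasswords(state []byte) ([]Finding, error) {
	var s tfState
	if err := json.Unmarshal(state, &s); err != nil {
		return nil, fmt.Errorf("parsing state: %w", err)
	}
	if s.Version != 4 {
		return nil, fmt.Errorf("unsupported state version %d (expected 4)", s.Version)
	}
	var findings []Finding
	for _, r := range s.Resources {
		if r.Mode != "managed" || !secretResourceTypes[r.Type] {
			continue
		}
		for _, inst := range r.Instances {
			var v string
			// A missing key, a JSON null or a non-string value means no
			// credential is stored for this instance.
			if raw, ok := inst.Attributes["value"]; !ok || json.Unmarshal(raw, &v) != nil || v == "" {
				continue
			}
			addr := r.Type + "." + r.Name
			// index_key is raw JSON (0 or "key"), which is exactly how
			// Terraform renders it in a resource address.
			if k := string(inst.IndexKey); k != "" && k != "null" {
				addr += "[" + k + "]"
			}
			findings = append(findings, Finding{Address: addr, Length: len(v)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Address < findings[j].Address })
	return findings, nil
}

// sampleState is a constructed Terraform v4 state fragment; ids are placeholders.
const sampleState = `{
  "version": 4,
  "terraform_version": "0.12.24",
  "resources": [
    {"mode": "managed", "type": "azuread_application", "name": "example",
     "instances": [{"attributes": {"id": "00000000-0000-0000-0000-000000000001", "display_name": "ExampleApp"}}]},
    {"mode": "managed", "type": "azuread_service_principal_password", "name": "example",
     "instances": [{"index_key": 0, "attributes": {"id": "00000000-0000-0000-0000-000000000002/password/abc", "value": "hunter2-but-longer"}}]},
    {"mode": "managed", "type": "azurerm_azuread_service_principal_password", "name": "legacy",
     "instances": [{"attributes": {"id": "00000000-0000-0000-0000-000000000003", "value": null}}]}
  ]
}`

func main() {
	findings, err := FindPlaintextPasswords([]byte(sampleState))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("plaintext credential in state: %s (%d characters)\n", f.Address, f.Length)
	}
}
```

To run it against a real state, feed the output of terraform state pull (or the contents of terraform.tfstate) to FindPlaintextPasswords instead of sampleState and fail the pipeline on any finding. Hashing the value in state, as the issue proposes, only helps if the provider can still detect drift without the cleartext; treating the state backend itself as a secret store (encrypted at rest, access-controlled) is the complementary control.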

Add the behavior of retrieval of an existing azuread_application by appId

Description

When referencing an existing azuread_application (data) in a Terraform script there are only two ways to do it: by "object_id" or by "name". However, the main identifier provided by Microsoft is the "appId".
I think usage could be simpler with this property.

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

data "azuread_application" "default" {
  application_id = "the application id to find"
}

References

Support creation of Azure AD Service Principal with certificate

Description

Please add the ability to create an Azure AD Service Principal with a certificate, using azuread_service_principal_certificate or an updated azuread_service_principal resource, as described in the documentation reference below.

New or Affected Resource(s)

  • azuread_service_principal_certificate
  • azuread_service_principal

References

https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest

Provider "azuread" v0.4.0 is not compatible with Terraform 0.12.1.

Terraform (and AzureAD Provider) Version

Terraform v0.12.1
+ provider.azuread v0.4.0

Affected Resource(s)

N/A

Terraform Configuration Files

provider "azuread" {
  version = "=0.4.0"
}

Debug Output

Initializing provider plugins...
- Checking for available provider plugins...
2019/06/07 01:16:18 [DEBUG] fetching provider versions from "https://registry.terraform.io/v1/providers/-/azuread/versions"

Provider "azuread" v0.4.0 is not compatible with Terraform 0.12.1.

Provider version 0.3.1 is the latest compatible version. Select it with
the following constraint:

    version = "~> 0.3"

Terraform checked all of the plugin versions matching the given constraint:
    =0.4.0

Consult the documentation for this provider for more information on
compatibility between provider and Terraform versions.

Alternatively, upgrade to the latest version of Terraform for compatibility with newer provider releases.


Error: incompatible provider version

Panic Output

N/A

Expected Behavior

Provider version v0.4.0 should be compatible with Terraform v0.12

Actual Behavior

Terraform fetches versions from registry, but the information is incorrect ref. https://registry.terraform.io/v1/providers/-/azuread/versions

        {
            "version": "0.4.0",
            "protocols": [
                "4.0"
            ],

("5.0" is missing from list)

Steps to Reproduce

  1. terraform init

Important Factoids

References

azuread_service_principal_password: Password not set correctly

Terraform (and AzureAD Provider) Version

Terraform v0.11.13

  • provider.azuread v0.2.0

Affected Resource(s)

  • azuread_service_principal_password

Terraform Configuration Files

provider "azuread" {
  version = "~> 0.2.0"
}

resource "azuread_application" "test" {
  name = "test"
  available_to_other_tenants = false
}

resource "azuread_service_principal" "test-service-principal" {
  application_id = "${azuread_application.test.application_id}"
}

resource "azuread_service_principal_password" "service-principal-password" {
  service_principal_id = "${azuread_service_principal.test-service-principal.id}"
  value                = "test123"
  end_date             = "2020-01-01T00:00:00Z"
}

Debug Output

Expected Behavior

The service principal is created, and the password for it is set.

Actual Behavior

This bug is the same as the one explained in the issue linked below, but because it was locked I created a new issue here.

Using az CLI, I discovered the following error:

az ad sp credential list --id $(terraform output service_principal)
Parameter 'application_object_id' can not be None.
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 206, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 328, in execute
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 386, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 377, in _run_job
    cmd_copy.exception_handler(ex)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/commands.py", line 69, in graph_err_handler
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 356, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 171, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 452, in default_command_handler
    return op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1018, in list_service_principal_credentials
    return _get_service_principal_credentials(graph_client, app_object_id, cert)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1025, in _get_service_principal_credentials
    app_creds = list(graph_client.applications.list_password_credentials(app_object_id))
  File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 143, in __next__
    self.advance_page()
  File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 129, in advance_page
    self._response = self._get_next(self.next_link)
  File "/opt/az/lib/python3.6/site-packages/azure/graphrbac/operations/applications_operations.py", line 669, in internal_paging
    'applicationObjectId': self._serialize.url("application_object_id", application_object_id, 'str'),
  File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 592, in url
    data = self.validate(data, name, required=True, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 662, in validate
    raise ValidationError("required", name, True)
msrest.exceptions.ValidationError: Parameter 'application_object_id' can not be None.

Steps to Reproduce

  1. terraform apply
  2. az ad sp credential list --id $(terraform output service_principal)

Important Factoids

References

Guide for configuring a principal for AAD to manage Applications/Users/Groups etc

Configuring a Service Principal for Azure Active Directory is... kinda complicated.

Prior to releasing 0.2.0 we should write a "how to configure a service principal for AAD" guide similar to the other ones for e.g. authenticating as a service principal https://www.terraform.io/docs/providers/azurerm/auth/service_principal_client_secret.html

When cycling our AAD credentials earlier in the week I ended up using the following PowerShell script via CloudShell:

Connect-AzureAD -TenantID "00000000-0000-0000-0000-000000000000"

# $objectId must hold the object ID of the principal being granted the role;
# the snippet assumes it has already been set.

# Fetch User Account Administrator role instance
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'User Account Administrator'}

# If role instance does not exist, instantiate it based on the role template
if ($role -eq $null) {
    # Instantiate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.displayName -eq 'User Account Administrator'}
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

    # Fetch User Account Administrator role instance again
    $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'User Account Administrator'}
}

# Add user to role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $objectId

# Fetch role membership for role to confirm
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser

# and then repeat this for the Company Administrator role
# (the legacy display name of Global Administrator, i.e. full control of the tenant)
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}

azuread_application data source 'oauth2Permissions'

Description

I would like to have some additional details from the application manifest, in particular the oauth2Permissions ID. I need it to delegate access to another application I am creating as part of Terraform, as described in the official guide for AKS integration with AD, in the section related to the client application, because it needs to delegate access to the server application created before.

The workaround I found is to query the necessary field with the az CLI and expose it as an external data source. I think a more elegant solution would be to get the field directly in Terraform.

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

# AD server application
resource "azuread_application" "kubernetes-production-cluster-AADserver" {
  name                       = "kubernetes-production-cluster-AADserver"
  available_to_other_tenants = false

  # oauth2_allow_implicit_flow = true
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API

    # Necessary permissions
    resource_access {
      id   = "7ab1d382-f21e-4acd-a863-ba3e13f7da61" # Read directory data
      type = "Role"
    }

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # Sign in and read user profile
      type = "Scope"
    }

    resource_access {
      id   = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Read directory data permission
      type = "Scope"
    }
  }
}

# External data source to get information about the AADserver AD application
data "external" "AADserver_application" {
  program = ["bash", "azure_ad.sh"]

  query = {
    # arbitrary map from strings to strings, passed to the external program as the data query
    application_id = "${azuread_application.kubernetes-production-cluster-AADserver.application_id}"
  }

}

# AD client application
resource "azuread_application" "kubernetes-production-cluster-AADclient" {
  name                       = "kubernetes-production-cluster-AADclient"
  available_to_other_tenants = false

  oauth2_allow_implicit_flow = true

  # Set reply urls, or the login will fail
  reply_urls = ["https://kubernetes-production-cluster-AADclient"]

  # Setup access to the AAD server application
  required_resource_access {
    resource_app_id = "${azuread_application.kubernetes-production-cluster-AADserver.application_id}" # Server AAD application id

    # Necessary permissions
    resource_access {
      id   = "${data.external.AADserver_application.result["oauth2PermissionsID"]}" # OAUTH2 application ID
      type = "Scope"
    }
  }

}

References
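
The external program the workaround relies on (azure_ad.sh above) is not shown in the issue. The following Go program is an added example of what such a program can look like, not the issue author's script or provider code: it implements the Terraform external data source protocol (a JSON object of strings on stdin, a JSON object of strings on stdout), parses an application manifest handed to it in the query, and returns the appId, the object id and the id of the enabled oauth2Permissions entry whose value matches the requested scope. The query keys manifest and scope, the output key names, and the embedded manifest (ids are placeholders) are assumptions made for this example; it also accepts the newer Microsoft Graph manifest shape, where the scopes live under api.oauth2PermissionScopes and the object id is the id field.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// scope is one entry of an application's oauth2Permissions array
// (or api.oauth2PermissionScopes in the Microsoft Graph manifest shape).
type scope struct {
	ID        string `json:"id"`
	Value     string `json:"value"`
	IsEnabled bool   `json:"isEnabled"`
}

// manifest holds only the fields of an application manifest that we read.
type manifest struct {
	AppID             string  `json:"appId"`
	ObjectID          string  `json:"objectId"` // legacy Azure AD Graph shape
	ID                string  `json:"id"`       // Microsoft Graph shape
	OAuth2Permissions []scope `json:"oauth2Permissions"`
	API               struct {
		OAuth2PermissionScopes []scope `json:"oauth2PermissionScopes"`
	} `json:"api"`
}

// Result is what the external data source hands back to Terraform.
// Terraform requires a flat map of string values, so every field is a string.
type Result struct {
	AppID              string `json:"appId"`
	ObjectID           string `json:"objectId"`
	OAuth2PermissionID string `json:"oauth2PermissionsID"`
}

// ExtractScope returns the ids Terraform needs from a manifest: the
// application (client) id, the directory object id, and the id of the
// enabled delegated permission whose value matches scopeValue.
func ExtractScope(manifestJSON []byte, scopeValue string) (Result, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return Result{}, fmt.Errorf("parsing manifest: %w", err)
	}
	scopes := m.OAuth2Permissions
	if len(scopes) == 0 {
		scopes = m.API.OAuth2PermissionScopes
	}
	objectID := m.ObjectID
	if objectID == "" {
		objectID = m.ID
	}
	for _, s := range scopes {
		if s.Value == scopeValue && s.IsEnabled {
			return Result{AppID: m.AppID, ObjectID: objectID, OAuth2PermissionID: s.ID}, nil
		}
	}
	return Result{}, fmt.Errorf("no enabled oauth2 permission with value %q", scopeValue)
}

// run implements the Terraform external data source protocol: a JSON object
// of strings on stdin (the "query"), a JSON object of strings on stdout.
// Query keys (names assumed for this example):
//   manifest - the application manifest JSON, e.g. passed as file("server.json")
//   scope    - the permission value to look up; defaults to "user_impersonation"
func run(stdin io.Reader, stdout io.Writer) error {
	var query map[string]string
	if err := json.NewDecoder(stdin).Decode(&query); err != nil {
		return fmt.Errorf("reading query: %w", err)
	}
	if query["manifest"] == "" {
		return errors.New(`query must contain a "manifest" key`)
	}
	scopeValue := query["scope"]
	if scopeValue == "" {
		scopeValue = "user_impersonation"
	}
	res, err := ExtractScope([]byte(query["manifest"]), scopeValue)
	if err != nil {
		return err
	}
	return json.NewEncoder(stdout).Encode(res)
}

// RunQuery wraps run for callers that already hold the query as a string and
// returns the JSON the program would print, without the trailing newline.
func RunQuery(query string) (string, error) {
	var out bytes.Buffer
	if err := run(strings.NewReader(query), &out); err != nil {
		return "", err
	}
	return strings.TrimSpace(out.String()), nil
}

// sampleManifest is a constructed manifest in the shape the Azure AD
// Graph-era "az ad app show" returned; the ids are placeholders.
const sampleManifest = `{
  "appId": "11111111-2222-3333-4444-555555555555",
  "objectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "displayName": "kubernetes-production-cluster-AADserver",
  "oauth2Permissions": [
    {"id": "99999999-8888-7777-6666-555555555555", "isEnabled": false, "type": "User", "value": "old_scope"},
    {"id": "12345678-90ab-cdef-1234-567890abcdef", "isEnabled": true,  "type": "User", "value": "user_impersonation"}
  ]
}`

// SampleQuery builds the query Terraform would send for sampleManifest.
func SampleQuery() string {
	q, _ := json.Marshal(map[string]string{"manifest": sampleManifest, "scope": "user_impersonation"})
	return string(q)
}

func main() {
	if err := run(os.Stdin, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Wired into the configuration above it replaces the bash program: program = ["./scope-lookup"] with query = { manifest = file("server-manifest.json"), scope = "user_impersonation" }, and the client application keeps referencing data.external.AADserver_application.result["oauth2PermissionsID"]. The program returns objectId and appId separately on purpose: the object id identifies the directory object, while the appId is what required_resource_access (and AKS) expect as a client or server app id.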

AKS RBAC

Description

The AzureRM provider enables you to define a managed Kubernetes cluster (AKS) on Azure.
There is a possibility to enable RBAC(Role Based Access Control) which tightly integrates Kubernetes' authentication and authorization with Azure Active Directory.

In order for that to be enabled you have to define the following block on the azurerm_kubernetes_cluster:

  role_based_access_control {
    enabled = true

    azure_active_directory {
      client_app_id     = ""
      server_app_id     = ""
      server_app_secret = ""
      tenant_id         = ""
    }
  }

After reading some documentation, I realized that there is no possibility to set this feature up end to end by using plain Terraform.

The following blog post depicts how you need to create a server application, update its manifest, create and assign a client application to be able to set RBAC up correctly:
https://blog.jcorioland.io/archives/2018/11/20/azure-aks-kubernetes-rbac-azure-active-directory-terraform.html

Also there is a GitHub repository automating most of the above from the same author:
https://github.com/jcorioland/aks-rbac-azure-ad

Is it possible to add support for the AD related steps from the above installation scenario?
Thanks.

New or Affected Resource(s)

TBD

Potential Terraform Configuration

TBD

References

azuread_group: Support for AzureAD B2B user invitations (guests)

Description

Building on this comment, I would like to be able to add guest users to a group using AzureAD B2B.

My use case for this is a clean separation of concerns between user authentication (handled in a separate tenant) and authorization (RBAC on groups). There are Microsoft Graph APIs available for:

The main part I can't get my head around is whether or not this would require an azuread_guest resource type or if we can infer it using the first snippet below.

If we don't need a new azuread_guest resource type, the side effect of extra guest users in this tenant is mitigated by the fact that once removed from all groups, the invited guest's permissions are effectively zero, though I'm aware that in Terraform we don't like things to be implicit 😄

New or Affected Resource(s)

  • azuread_group
  • (Optional) azuread_guest

Potential Terraform Configuration

resource "azuread_group" "mygroup" {
  name = "MyGroup"
  # owners = ["[email protected]"]
  # members = ["[email protected]"]
  guests = ["[email protected]"]
}

OR

resource "azuread_guest" "guest_invite" {
  email = "[email protected]"
}

resource "azuread_group" "mygroup" {
  name = "MyGroup"
  members = ["${azuread_guest.guest_invite.id}"]
}

References

  • Depends on #8 (merged)
  • Original comment on #36

azuread_group ID: does not become available when creating multiple groups simultaneously (intermittent).

Description

When creating multiple AD Groups simultaneously, there are intermittent errors where the "id" property does not become available on the resource. This is easiest to reproduce when AD Groups are created within a module.

I'm currently working around this by adding dependencies to throttle the AD group creation, but this appears to be an issue unless I'm missing something.

Terraform (and AzureAD Provider) Version

Terraform v0.11.13
provider.azuread v0.2.0

Affected Resource(s)

  • azuread_group

Terraform Configuration Files

## module/main.tf
variable "name" {}

resource "azuread_group" "one" {
  name = "foo-${var.name}1"
}

resource "azuread_group" "two" {
  name = "foo-${var.name}2"
}

resource "null_resource" "echo" {
  provisioner "local-exec" {
    command = "echo ${azuread_group.one.id} ${azuread_group.two.id}"
  }
}

## main.tf
module "bob" {
  source = "./module"
  name   = "bob"
}

module "tom" {
  source = "./module"
  name   = "tom"
}

module "frank" {
  source = "./module"
  name   = "frank"
}

module "larry" {
  source = "./module"
  name   = "larry"
}

Debug Output

https://gist.github.com/TonyLunt/9f30ebf4cbdd4c835c4757d9548b48d5

Expected Behavior

Two AD groups created for each instance of the module.

Actual Behavior

Intermittently errors on some AD Groups with an error of:
Resource 'azuread_group.two' does not have attribute 'id' for variable 'azuread_group.two.id'
or
Resource 'azuread_group.one' does not have attribute 'id' for variable 'azuread_group.one.id'.

Errors begin to appear when creating 8+ AD Groups simultaneously.

Steps to Reproduce

  1. Create an empty directory
  2. Place the module code above into /module/main.tf
  3. Place the main.tf code at the root directory
  4. terraform init
  5. terraform apply

Group Resource fails if group name contains spaces

Terraform (and AzureAD Provider) Version

Terraform v0.11.11

  • provider.azuread (unversioned) master/83d4ab7

Affected Resource(s)

  • azuread_group

Terraform Configuration Files

resource "azuread_group" "test" {
  name = "Test Security Group"
}

Exception Output

Invalid value specified for property 'mailNickname' of resource 'Group'.
{"item":"PropertyName","value":"mailNickname"},
{"item":"PropertyErrorCode","value":"InvalidValue"}

Expected Behaviour

I would expect to be allowed to create groups with spaces in the name, but currently the provider just passes the exact same value as group name to the mailNickname field, which doesn't support spaces:

properties := graphrbac.GroupCreateParameters{
	DisplayName:     &name,
	MailEnabled:     p.Bool(false), //we're defaulting to false, as the API currently only supports the creation of non-mail enabled security groups.
	MailNickname:    &name,
	SecurityEnabled: p.Bool(true), //we're defaulting to true, as the API currently only supports the creation of non-mail enabled security groups.
}

Actual Behaviour

Failed to create group because having spaces in the mailNickname is unsupported.

Steps to Reproduce

  1. terraform apply

Suggested Fix

Can we just set the MailNickname to a generated GUID instead of the name field? That is what the Azure Portal does if creating a non-MailEnabled group from the UI.
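
One way to act on the suggested fix is to stop passing the display name through as the mailNickname at all. The following Go code is an added example, not provider code: it validates a candidate mailNickname against the kind of characters the Graph API rejects in this issue (spaces first among them; the exact allowed set used here is an assumption, not the service's published grammar), derives a nickname by dropping disallowed characters, and falls back to a random version-4 UUID generated with crypto/rand, which is the approach the issue suggests and matches what the portal does for non-mail-enabled groups.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// mailNicknameAllowed reports whether r may appear in a mailNickname.
// The directory rejects spaces and characters that are not valid in the local
// part of an SMTP address; this example admits ASCII letters, digits and a
// conservative set of punctuation (an assumption made for the example).
func mailNicknameAllowed(r rune) bool {
	switch {
	case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		return true
	case r == '-', r == '_', r == '.':
		return true
	}
	return false
}

// ValidateMailNickname returns an error naming the first offending character,
// mirroring the "InvalidValue" rejection reported in the issue.
func ValidateMailNickname(s string) error {
	if s == "" {
		return errors.New("mailNickname must not be empty")
	}
	for i, r := range s {
		if !mailNicknameAllowed(r) {
			return fmt.Errorf("mailNickname %q: invalid character %q at offset %d", s, r, i)
		}
	}
	return nil
}

// DeriveMailNickname builds a nickname from a display name by dropping
// disallowed characters, so "Test Security Group" becomes "TestSecurityGroup".
// ok is false when nothing usable remains.
func DeriveMailNickname(displayName string) (nick string, ok bool) {
	var b strings.Builder
	for _, r := range displayName {
		if mailNicknameAllowed(r) {
			b.WriteRune(r)
		}
	}
	return b.String(), b.Len() > 0
}

// RandomMailNickname generates a random RFC 4122 version-4 UUID, which is
// always a valid mailNickname and does not leak the display name.
func RandomMailNickname() (string, error) {
	var u [16]byte
	if _, err := rand.Read(u[:]); err != nil {
		return "", err
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16]), nil
}

// MailNicknameFor is what a provider could call instead of reusing the raw
// display name: derive a nickname when possible, otherwise fall back to a UUID.
func MailNicknameFor(displayName string) (string, error) {
	if nick, ok := DeriveMailNickname(displayName); ok {
		return nick, nil
	}
	return RandomMailNickname()
}

func main() {
	for _, name := range []string{"Test Security Group", "platform-admins", "   "} {
		nick, err := MailNicknameFor(name)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%-22q -> mailNickname %q (valid: %v)\n", name, nick, ValidateMailNickname(nick) == nil)
	}
}
```

In the provider this would replace MailNickname: &name in the GroupCreateParameters shown above; exposing the chosen value as a computed attribute keeps it visible in plans. The UUID fallback is what makes a group creatable regardless of what the display name contains.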

azuread_application data source returning incorrect application id

Affected Resource(s)

  • azuread_application data source
  • azurerm provider version is 1.22.1 and azuread provider is 0.1.0

Terraform Configuration Files

data "azuread_application" "client" {
  name = "k8s-auth-client"
}

data "azuread_application" "server" {
  name = "k8s-auth-server"
}

resource "azurerm_kubernetes_cluster" "main" {
...
role_based_access_control {
    enabled = "true"
    azure_active_directory {
      client_app_id     = "${data.azuread_application.client.id}"
      server_app_id     = "${data.azuread_application.server.id}"
      tenant_id         = "${var.arm_tenant_id}"
      server_app_secret = "mycoolsecret"
    }
  }
...
}

Expected Behavior

The correct application IDs would be returned.

Actual Behavior

When I run terraform plan as usual I get this in the kubernetes resource:

...
role_based_access_control.0.azure_active_directory.0.client_app_id:    "" => "a825ecdb-XXXXXXXXX" (forces new resource)
role_based_access_control.0.azure_active_directory.0.server_app_id:    "" => "4be403f1-XXXXXXXXX" (forces new resource)
...

Incorrect IDs are returned. Neither of the returned IDs relates to the k8s-auth-client or k8s-auth-server applications. I have no idea what they are and I can't find them anywhere in my account.

azuread_service_principal delay before being usable

Terraform Version

terraform -v
Terraform v0.11.7

  • provider.azurerm v1.10.0

Affected Resource(s)

  • terraform-provider-azurerm_v1.10.0_x4

Terraform Configuration Files

provider "azurerm" {
    version = "1.10.0"
 }

resource "azurerm_azuread_application" "test" {
  name                       = "exampleTFapplication"
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
}

resource "azurerm_azuread_service_principal" "test" {
  application_id = "${azurerm_azuread_application.test.application_id}"
}

resource "azurerm_azuread_service_principal_password" "test" {
  service_principal_id = "${azurerm_azuread_service_principal.test.id}"
  value                = "BVcKK237/&&)hyz@%nsadasdsa(*&^CC#Nd3"
  end_date             = "2020-01-01T01:02:03Z"
}

resource "azurerm_resource_group" "test" {
  name     = "testResourceGroup1"
  location = "West US"
}

resource "azurerm_role_assignment" "test" {
    depends_on = ["azurerm_azuread_service_principal.test"]
  scope                = "${azurerm_resource_group.test.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_azuread_service_principal.test.id}"
}

Panic Output

Error: Error applying plan:

1 error(s) occurred:

  • azurerm_role_assignment.test: 1 error(s) occurred:

  • azurerm_role_assignment.test: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalNotFound" Message="Principal ######################## does not exist in the directory #######-#####-######-#########."

(sensitive details have been hashed out).

Expected Behavior

Here is a config that first creates the AzureAD application and the Service Principal. It then creates an RG followed by a role assignment. The logic here is we could have a single TF module that would allow us to onboard new groups into an Azure subscription and generate them each their own SP.

Actual Behavior

When the azurerm_azuread_service_principal.test resource is created there looks to be a delay between creation and the ability to assign it to a role, and even the depends_on that I've included in the sample code above doesn't help. When I re-run a second time it always applies without issue as all other resources already exist.

Steps to Reproduce

  1. terraform apply
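
The delay described above is a directory replication problem: the principal exists, but the replica answering the role-assignment request has not seen it yet, so a fixed depends_on cannot help. The usual workaround is to retry only the "principal not found" failure with backoff. The Go below is an added example of that retry loop (not the azurerm provider's code); the ErrNotReplicated sentinel, the lookup callback and the fakeDirectory that becomes visible after a few polls are all constructed for the illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrNotReplicated stands in for the 400 PrincipalNotFound response above:
// the principal exists, but the directory replica answering the
// role-assignment request has not seen it yet. Constructed for this example.
var ErrNotReplicated = errors.New("principal not found in directory (not yet replicated)")

// WaitForPrincipal calls lookup until it succeeds, doubling the delay between
// attempts. Only ErrNotReplicated is retried; any other error (a 403, a
// network failure) is returned immediately so a genuine permission problem is
// not hidden behind a long timeout. It returns the number of attempts made.
func WaitForPrincipal(ctx context.Context, lookup func() error, maxAttempts int, initial time.Duration) (int, error) {
	if maxAttempts < 1 {
		return 0, errors.New("maxAttempts must be at least 1")
	}
	delay := initial
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		err = lookup()
		if err == nil {
			return attempt, nil
		}
		if !errors.Is(err, ErrNotReplicated) {
			return attempt, err
		}
		if attempt == maxAttempts {
			return attempt, fmt.Errorf("giving up after %d attempts: %w", attempt, err)
		}
		select {
		case <-ctx.Done():
			return attempt, ctx.Err()
		case <-time.After(delay):
		}
		delay *= 2
	}
	return maxAttempts, err // not reached: the loop always returns
}

// fakeDirectory simulates eventual consistency: the principal becomes
// visible only on the visibleAfter-th lookup. Constructed for this example.
type fakeDirectory struct {
	calls        int
	visibleAfter int
}

func (d *fakeDirectory) Lookup() error {
	d.calls++
	if d.calls < d.visibleAfter {
		return ErrNotReplicated
	}
	return nil
}

func main() {
	dir := &fakeDirectory{visibleAfter: 3}
	n, err := WaitForPrincipal(context.Background(), dir.Lookup, 6, 50*time.Millisecond)
	fmt.Printf("visible after %d attempts, err=%v\n", n, err)
}
```

Retrying every error would mask a real Authorization_RequestDenied until the timeout expires; matching only the replication error keeps the failure fast and the message accurate.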

azuread_application: Add support for custom app roles

Description

This is slightly different than the existing requests (that I can see). This request is for the ability to add custom app roles to an Azure AD App Registration. This can be done programmatically via PowerShell currently, it would be great to have Terraform support.

New or Affected Resource(s)

  • azuread_application
  • azuread_application_group_role
  • azuread_application_user_role

Potential Terraform Configuration

data "azuread_application_group_role" "myCustomGroupRole" {
  name             = "myCustomRole"
  azureADGroupName = "MyAzureADGroupName"
}

data "azuread_application_user_role" "myCustomUserRole" {
  name            = "myCustomUserRole"
  azureADUserName = "user1@mydomain.com"
}

resource "azuread_application" "test_registration" {
  name                       = "${var.azuread_appname}"
  homepage                   = "${var.azuread_homepage}"
  identifier_uris            = "${var.azuread_identifier_uris}"
  reply_urls                 = "${var.azuread_reply_urls}"
  available_to_other_tenants = "${var.azuread_available_to_other_tenants}"
  oauth2_allow_implicit_flow = "${var.azuread_oauth2_allow_implicit_flow}"
  approles                   = ["${data.azuread_application_group_role.myCustomGroupRole.id}", "${data.azuread_application_user_role.myCustomUserRole.id}"]
}

References

https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadgroupapproleassignment?view=azureadps-2.0
https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0
https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureadapplication?view=azureadps-2.0

Add ability to manage custom RBAC roles

It would be very helpful to have a way in this provider to manage custom RBAC roles. We are moving towards using AAD PIM to manage permissions (as opposed to direct group memberships), so we will be creating a number of custom roles. Some examples:

  1. AKS Administration
  2. Application Gateway Configuration Editor
  3. Application Deployment Operator

Support for Enterprise Application creation and properties

Description

I'd like the provider to support creating and configuring the Azure Enterprise Application resources. These are service principals that are used as the Identity Provider for applications. It would be good to specify:

  • Logo and other properties
  • Assign and revoke users
  • Configure the self-service settings

New or Affected Resource(s)

??? - might be related to azuread_service_principal

Support for AzureAD Enterprise Applications & Proxy Resources

Description

Create resources to support Enterprise Applications and specifically AzureAD application proxy resources (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy).

We're using this heavily with AzureAD and would love a declarative way to manage them vs creating them with the GUI or the relatively new PowerShell cmdlets.

New or Affected Resource(s)

  • azurerm_application
  • azurerm_application_proxy_configuration

Release date for 0.2.0?

Is there any estimate on a release date for 0.2.0? I really want to be able to use AD group as a data source, so my terraform files can reference a group by name. I need the group ID/object ID for AKS role assignments.

Thanks,
Erick

azuread provider insufficient privileges

This issue was originally opened by @jungopro as hashicorp/terraform#20213. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

v0.11.11

Terraform Configuration Files

resource "azuread_application" "app" {
  name                       = "example"
  homepage                   = "https://homepage"
  identifier_uris            = ["http://uri"]
  reply_urls                 = ["http://replyurl"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

resource "azuread_service_principal" "spn" {
  application_id = "${azuread_application.app.application_id}"
}

resource "azuread_service_principal_password" "password" {
  service_principal_id = "${azuread_service_principal.spn.id}"
  value                = "VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#"
  end_date             = "2020-01-01T01:02:03Z"
}

Expected Behavior

AD Resource (app, spn + password) created successfully

Actual Behavior

  • azuread_application.app: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}]

Steps to Reproduce

  1. terraform init
  2. terraform apply

I'm using an spn with environment variables to authenticate tf to azure:

ARM_CLIENT_ID=...
ARM_SUBSCRIPTION_ID=...
ARM_TENANT_ID=...
ARM_CLIENT_SECRET=...

The account I use has Contributor permissions at the subscription level. I can use the same account just fine with the azurerm provider but I can't use it for the azuread provider.

Anything I'm missing or is this a bug?

Thank you
Omer

New Resource Request: app permissions/Microsoft Graph Permissions

Description

Add a new Terraform resource to add/grant app permissions related to Microsoft Graph.

New or Affected Resource(s)

  • azurerm_app_permission_definition
  • azurerm_app_permission_assignment

Potential Terraform Configuration

# Create app (existing resource)
resource "azurerm_azuread_application" "my-app" {
  name                       = "my-app"
}
# Create service principal (existing resource)
resource "azurerm_azuread_service_principal" "app-service-principal" {
  application_id = "${azurerm_azuread_application.my-app.application_id}"
}
# Create app_permission (requested resource)
resource "azurerm_app_permission_definition" "test" {
  name        = "my-app-permission-definition"
  permissions = ["Application.ReadWrite.All", "Directory.ReadWrite.All"]
}
# Grant app permission (requested resource)
resource "azurerm_app_permission_assignment" "test" {
  app_permission_definition_id = "${azurerm_app_permission_definition.test.id}"
  app_id                       = "${azurerm_azuread_service_principal.app-service-principal.id}"
}

azuread_application: unexpectedly has an 'exposed API' when viewed in the preview portal

Terraform 0.11.13 / Azure AD 0.2.0

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

resource "azuread_application" "app" {
  name                       = "Example"
  homepage                   = "https://example"
  reply_urls                 = ["https://example"]
  oauth2_allow_implicit_flow = true

  // Microsoft Graph
  // (not in order):
  // - Directory.Read.All
  // - Group.Read.All
  // - User.Read
  // - User.ReadBasic.All
  // - User.ReadWrite
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    resource_access {
      id   = "06da0dbc-49e2-44d2-8312-53f166ab848a"
      type = "Scope"
    }

    resource_access {
      id   = "5f8c59db-677d-491f-a6b8-5f174b11ec1d"
      type = "Scope"
    }

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
      type = "Scope"
    }

    resource_access {
      id   = "b340eb25-3456-403f-be2f-af7a0d370277"
      type = "Scope"
    }

    resource_access {
      id   = "b4e74841-8e56-480b-be8b-910348b18b4c"
      type = "Scope"
    }
  }

  // Azure management API
  // (not in order):
  // - user_impersonation
  required_resource_access {
    resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

    resource_access {
      id   = "41094075-9dad-400e-a0bd-54e686782033"
      type = "Scope"
    }
  }
}

Expected Behavior

The Azure AD application created should have the specified API permissions when viewed in the preview portal

Actual Behavior

Although the application has the permissions specified, it also gains an 'exposed API' visible in the preview portal:

[screenshot omitted]

The exposed API correlates with the 41094075-9dad-400e-a0bd-54e686782033 permission (user_impersonation).

The behaviour is definitely odd because an application ID is not set, so the portal displays an undefined prefix:

[screenshot omitted]

Important Factoids

I'm reasonably certain this is a bug: adding these scopes shouldn't cause APIs to be exposed, and the scope is usable without the API exposed

Exposed APIs seem to be decided by this block of the manifest, which does not correlate with the attributes set in the HCL:

"oauth2Permissions": [
	{
		"adminConsentDescription": "Allow the application to access Scope test 2 on behalf of the signed-in user.",
		"adminConsentDisplayName": "Access Scope test 2",
		"id": "07b4045a-51de-4e05-bc63-cf4f10c931b6",
		"isEnabled": true,
		"lang": null,
		"origin": "Application",
		"type": "User",
		"userConsentDescription": "Allow the application to access Scope test 2 on your behalf.",
		"userConsentDisplayName": "Access Scope test 2",
		"value": "user_impersonation"
	}
],

The big issue is tracking down where this issue is introduced, i.e. is it

  • The provider
  • A breaking change or bug in the Azure API
  • Some kind of bug in the preview portal that causes it to add this information?

Note

I can provide a debug log but it seems to be of limited use since it does not contain HTTP request bodies or their responses

Ability to manipulate Owners on azuread_application resources

Description

When working on a shared state, after an azuread_application resource is created I have to jump into the Azure console to add my teammates as Owners. Otherwise they will receive an access denied error when using it.

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

Unsure, maybe a resource per-owner vs a resource encompassing all owners?

resource "azuread_application_owners" "my-app" {
  application_id = "${azuread_application.my-app.application_id}"
  users = ["..."]
}

resource "azuread_application_owner" "my-app_bob" {
  application_id = "${azuread_application.my-app.application_id}"
  user_id = "${bobs_id}"
}

References

Error message from a co-workers recently added resource:

$ terraform apply
...
* azuread_application.my-app: Error patching Azure AD Application with ID "9cfdc4b1-ff1d-421c-be22-2125f1f0349d": graphrbac.ApplicationsClient#Patch: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-02-15T17:26:29","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"1431185e-3a31-4e57-b37c-4633949765a8"}}]

azuread_service_principal_password: detect upcoming expiry and re-create resource

Description

azuread_service_principal_password allows users to set a password expiration. The resource does not provide a way for Terraform users to smooth workflows around password expiry. Inspired by https://www.terraform.io/docs/providers/acme/r/certificate.html#min_days_remaining, a nice feature would allow users to set a lead time before password expiry where Terraform will automatically delete and re-create the resource. See the ACME provider code for a more concrete example of how the certificate resource handles auto-magic detection of the need to re-create the resource.

New or Affected Resource(s)

  • azuread_service_principal_password

Potential Terraform Configuration

resource "azuread_application" "test" {
  name                       = "example"
  homepage                   = "http://homepage"
  identifier_uris            = ["http://uri"]
  reply_urls                 = ["http://replyurl"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

resource "azuread_service_principal" "test" {
  application_id = "${azuread_application.test.application_id}"
}

resource "azuread_service_principal_password" "test" {
  service_principal_id = "${azuread_service_principal.test.id}"
  value                = "VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#"
  end_date_relative    = "240h"
  min_days_remaining   = 5 # this is the new field
}
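
As an added example of the min_days_remaining behaviour proposed above (not code from this provider or from the ACME provider), the Go below resolves an end_date_relative value such as "240h" and decides whether the credential is inside the rotation window. The function names and the fixed dates are assumptions for the illustration; a provider would call NeedsRotation during the resource's Read step and, when it returns true, mark the resource for re-creation so the next apply issues a fresh secret.

```go
package main

import (
	"fmt"
	"time"
)

// EndDateFromRelative resolves an end_date_relative value such as "240h"
// against the time the password was created.
func EndDateFromRelative(createdAt time.Time, relative string) (time.Time, error) {
	d, err := time.ParseDuration(relative)
	if err != nil {
		return time.Time{}, fmt.Errorf("parsing end_date_relative %q: %w", relative, err)
	}
	if d <= 0 {
		return time.Time{}, fmt.Errorf("end_date_relative %q must be positive", relative)
	}
	return createdAt.Add(d), nil
}

// NeedsRotation reports whether a credential expiring at endDate is within
// minDaysRemaining days of expiry when measured at now. An already expired
// credential always needs rotation. A negative lead time is treated as zero.
func NeedsRotation(endDate, now time.Time, minDaysRemaining int) bool {
	if minDaysRemaining < 0 {
		minDaysRemaining = 0
	}
	threshold := endDate.Add(-time.Duration(minDaysRemaining) * 24 * time.Hour)
	return !now.Before(threshold)
}

// DaysRemaining is a helper for plan output: whole days until expiry,
// negative once the credential has expired.
func DaysRemaining(endDate, now time.Time) int {
	return int(endDate.Sub(now).Hours() / 24)
}

func main() {
	// Constructed timestamps for the example.
	created := time.Date(2019, 3, 1, 0, 0, 0, 0, time.UTC)
	end, err := EndDateFromRelative(created, "240h")
	if err != nil {
		panic(err)
	}
	for _, now := range []time.Time{created.Add(48 * time.Hour), created.Add(200 * time.Hour)} {
		fmt.Printf("at %s: %d days left, rotate=%v\n",
			now.Format(time.RFC3339), DaysRemaining(end, now), NeedsRotation(end, now, 5))
	}
}
```

Comparing against a threshold computed from the stored end date, rather than from the relative duration, means the check stays correct after the resource is imported or after end_date is set absolutely.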

AzureAD Application URLs being modified

Affected Resource(s)

azurerm_azuread_application.sampleapp

Terraform Configuration Files

resource "azurerm_azuread_application" "sampleapp" {
  name                       = "SampleApp"
  homepage                   = "https://sampleapp.com/"
  identifier_uris            = [
    "https://sampleapp.com/",
    "https://sampleapp.onmicrosoft.com/00000000-0000-0000-0000-00000000",
  ]
  reply_urls                 = [
    "https://my.sampleapp.com/",
  ]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
}

resource "azurerm_azuread_service_principal" "sampleapp" {
  application_id = "00000000-0000-0000-0000-000000000000"
}

Expected Behavior

The azuread_application was imported in Terraform azurerm provider version = 1.15. So nothing is expected to happen as the .tf files have not been modified.

Actual Behavior

Now, after the provider was updated to version 1.18 (and also on 1.19), terraform wants to modify the reply URLs as below:
~ azurerm_azuread_application.cognos reply_urls.1: "https://sampleapp.onmicrosoft.com/00000000-0000-0000-0000-00000000" => "https://my.sampleapp.com/"

As per the .tf file for the app, the Reply URL is correct but terraform wants to modify it, and the terraform state file also has the correct reply URL when I looked at the state file.

But when running terraform plan it thinks that the Identifier URI is the Reply URL and wants to modify it when in reality they are correct. It's confused into thinking that the Identifier URI is the Reply URL when the state file has it correct.

Now I can get away with this without putting the Reply URL or Identifier URI in the .tf file as below:

resource "azurerm_azuread_application" "sampleapp" {
  name                       = "SampleApp"
  homepage                   = "https://sampleapp.com/"
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
}

resource "azurerm_azuread_service_principal" "sampleapp" {
  application_id = "00000000-0000-0000-0000-000000000000"
}

Running terraform plan with the above file does not result in terraform wanting to do any modification.

This looks like a bug in the newer provider version as the same config worked in previous versions without any issues.

Steps to Reproduce

  1. terraform plan

Public Client Property while creating AD application (azuread_application)

Issues on GitHub are intended to be related to bugs or feature requests with provider codebase,
so we recommend using our other community resources instead of asking here 👍.

Hello Team,

We are using the "azuread_application" provider to create a client Azure AD application. We don't see any Public Client property in the attributes of the provider. Is there a way to achieve a public client property using terraform?

resource "azuread_application" "clientreg" {
  name                       = "${local.Clientname}"
  reply_urls                 = ["https://${local.Clientname}"]
  available_to_other_tenants = true
  required_resource_access {
    resource_app_id = "00000000-0000-0000-0000-000000000000"
  
    resource_access {
      id = "${local.AzureAD}"
      type = "Scope"
    }
  }
  required_resource_access {
    resource_app_id = "${azuread_application.serverreg.application_id}"
  
    resource_access {
      id = "${data.external.AADserver_application.result["oauth2PermissionsID"]}"
      type = "Scope"
    }
  }
  lifecycle {
    ignore_changes = ["required_resource_access","tags.CreatedDate"]
  }
}

Support for self-signed certs and Key Vault storage when creating a service principal

Description

I have some configuration scripts I am converting to terraform. One of them uses the az cli command

az ad sp create-for-rbac --name $servicePrincipalName --create-cert --cert $servicePrincipalName --keyvault serviceprincipal-creds --skip-assignment true

The advantage of using this is that the certificate for the service principal is stored in key vault and so can be used from there in other scripts and deployments. It appears that the current version does not support certificates, with or without key vault.

Any chance this could be implemented?

New or Affected Resource(s)

  • azuread_service_principal

Potential Terraform Configuration

Not sure how this would look, given that it combines key vault and Azure AD

References

https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest

azuread_application identifier_uris only support https and http prefix

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

resource "azuread_application" "aws-cognito-xxx" {
  name                       = "aws-cognito-xxx"
  homepage                   = "https://localhost"
  identifier_uris            = ["urn:amazon:cognito:sp:us-east-1_YUXXXXX"]
  reply_urls                 = ["https://111.111.205.10:443/SAML20/SP"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
}

Debug Output

Terraform output is:

Error: azuread_application.aws-cognito-xxx: "identifier_uris.0" url has no host: "urn:amazon:cognito:sp:us-east-1_YUXXXXX"

Expected Behavior

identifier_uris and reply_urls should support URI and not only URL according to URI format
https://en.wikipedia.org/wiki/Uniform_Resource_Identifier

Actual Behavior

Due to ValidateFunc: validate.URLIsHTTPOrHTTPS in https://github.com/terraform-providers/terraform-provider-azuread/blob/master/azuread/resource_application.go this is not supported for neither identifier_uris or reply_urls

Steps to Reproduce

  1. terraform apply

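
The validator the issue points at rejects anything that is not http(s) with a host, which is why a urn: identifier fails with "url has no host". Below is an added example (not the provider's code) of a replacement that accepts any absolute RFC 3986 URI while still requiring a host for http(s). ValidateIdentifierURI and URIValidateFunc are names assumed for the illustration; the latter follows the func(interface{}, string) ([]string, []error) shape the Terraform plugin SDK uses for a schema ValidateFunc, so it could stand in for validate.URLIsHTTPOrHTTPS on identifier_uris.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ValidateIdentifierURI accepts any absolute URI (RFC 3986): it must carry a
// scheme, http(s) URIs must also carry a host, and other schemes (urn:, api:,
// spn: ...) must have something after the scheme. Relative references and
// bare strings are rejected.
func ValidateIdentifierURI(s string) error {
	u, err := url.Parse(s)
	if err != nil {
		return fmt.Errorf("%q is not a valid URI: %w", s, err)
	}
	if u.Scheme == "" {
		return fmt.Errorf("%q has no scheme; identifier URIs must be absolute", s)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		if u.Host == "" {
			return fmt.Errorf("%q: http(s) identifier URIs need a host", s)
		}
	default:
		// url.Parse puts "amazon:cognito:..." of a urn: into Opaque; a
		// scheme followed by nothing at all is rejected here.
		if u.Opaque == "" && u.Host == "" && u.Path == "" {
			return fmt.Errorf("%q: nothing follows the %q scheme", s, u.Scheme)
		}
	}
	return nil
}

// URIValidateFunc adapts ValidateIdentifierURI to the
// func(interface{}, string) ([]string, []error) signature the Terraform
// plugin SDK expects for a schema ValidateFunc (assumed here; no SDK import).
func URIValidateFunc(v interface{}, k string) ([]string, []error) {
	s, ok := v.(string)
	if !ok {
		return nil, []error{fmt.Errorf("expected %s to be a string", k)}
	}
	if err := ValidateIdentifierURI(s); err != nil {
		return nil, []error{fmt.Errorf("%s: %w", k, err)}
	}
	return nil, nil
}

func main() {
	// Sample inputs constructed for the example; the first two mirror the issue.
	for _, s := range []string{
		"urn:amazon:cognito:sp:us-east-1_YUXXXXX",
		"https://111.111.205.10:443/SAML20/SP",
		"api://my-app",
		"https://",
		"not a uri",
	} {
		_, errs := URIValidateFunc(s, "identifier_uris.0")
		fmt.Printf("%-45q valid=%v\n", s, len(errs) == 0)
	}
}
```

Keeping the host requirement for http(s) preserves the protection the old validator gave against a typo like "https://" while letting SAML-style urn: identifiers through.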
azuread_application: required_resource_access returning diffs after upgrade to v0.2.0

Hi there,

After the upgrade to v0.2.0 we're getting diffs generated for the new required_resource_access property on azuread_application.

I know we can either:

  • pin to v0.1.0; or
  • add the existing required_resource_access value to our config

but I thought it still worth raising an issue because I think that there's a way to prevent this from happening if the value hasn't been set by Terraform before? (I forget the exact terminology for it though!)

New Resource: azuread_directory_role_member

Description

Ability to assign AD users (both guests and members) Azure AD directory roles.

New or Affected Resource(s)

  • azuread_directory_role_member

Potential Terraform Configuration

resource "azuread_directory_role_member" "role-member" {
    role_name = "Guest inviter"
    member_upn = "[email protected]"
}

azuread_service_principal: Add Tag Property

Description

azurerm_azuread_service_principal: Add option for tag

New or Affected Resource(s)

  • azurerm_azuread_service_principal

Potential Terraform Configuration

resource "azurerm_azuread_service_principal" "test" {
  application_id = "${azurerm_azuread_application.test.application_id}"
  principal_tags = {
    WindowsAzureActiveDirectoryIntegratedApp = true
  }
}

Documentation: create service principal using service principal auth

Description

The service principal resource documentation states:

NOTE: If you're authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

Yet there's no documentation on really "how" to do that. It would be awesome if you included this case on Authenticating via Service Principal as it's directly related to that documentation.

Then the service principal resource documentation could have a link pointing to that section in the docs.

Do you have a quick answer using the Azure CLI as to how to add the necessary roles? I can only work on this project a couple of hours a day and performing az login every time has gotten annoying!

Affected Resource(s)

  • azurerm_azuread_service_principal*

azuread_service_principal: error 403, tries to create multi-tenant application

Terraform (and AzureAD Provider) Version

Terraform v0.11.13

  • provider.azuread v0.2.0
  • provider.random v2.1.0

Affected Resource(s)

  • azuread_service_principal

Terraform Configuration Files

# Configure the Microsoft Azure Active Directory Provider
provider "azuread" {
  version = "~> 0.2.0"
}

resource "azuread_application" "test-reference" {
  name = "test"
  available_to_other_tenants = false
}

resource "azuread_service_principal" "test-service-principal" {
  application_id = "${azuread_application.test-reference.id}"
}

resource "random_string" "service-principal-password" {
  length  = 16
  special = true

  keepers = {
    # Generate a new password each time we switch to a new service principal
    service_principal_id = "${azuread_service_principal.test-service-principal.id}"
  }
}

resource "azuread_service_principal_password" "service-principal-password" {
  service_principal_id = "${azuread_service_principal.test-service-principal.id}"
  value                = "${random_string.service-principal-password.result}"
  end_date             = "2020-01-01T00:00:00Z"
}

Debug Output

https://gist.github.com/mion00/ae046421c2c11aba6dd3b7d825b14833

Expected Behavior

Terraform should have created an application, a service principal and set the given random password to the service principal.

Actual Behavior

Terraform creates the application, but fails in creating the service principal.

The error is:

* azuread_service_principal.test-service-principal: Error creating Service Principal for application  "48b74525-6738-4857-b3a5-d9ae29309526": graphrbac.ServicePrincipalsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authentication_Unauthorized","date":"2019-03-22T11:12:02","message":{"lang":"en","value":"Authenticating principal does not havepermission to instantiate multi-tenantapplications and there is not matching Applicationin the request tenant."},"requestId":"cfcf67f3-6d8c-42f5-b5e2-782e4b971b3a"}}]

Steps to Reproduce

  1. terraform apply

Important Factoids

None

References

Seems similar to #35, but I am using the az CLI for authentication, not a Service Principal

azuread_group: Support owners and members management

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

New or Affected Resource(s)

  • azuread_group

Potential Terraform Configuration

resource "azuread_group" "mygroup" {
  name    = "mygroup"
  members = ["${azuread_member.member1.id}", "guid-guid-guid-guid"]
  owners  = ["${azuread_member.member1.id}", "guid-guid-guid-guid"]
}

# or maybe this is better to allow a mixture of managed and unmanaged owners/members

resource "azuread_group_owner" "managed_owner" {
  group = "${azuread_group.mygroup.id}"
  owner = "${azuread_member.member1.id}"
}

resource "azuread_group_member" "managed_member" {
  group  = "${azuread_group.mygroup.id}"
  member = "${azuread_member.member1.id}"
}

References

Possible issue with SPN credentials generated with Terraform?

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

> terraform -v
Terraform v0.11.13
+ provider.azurerm v1.25.0

Affected Resource(s)

  • azuread_application
  • azuread_service_principal
  • azuread_service_principal_password

Expected Behavior

az ad sp credential list --id {} and az ad app credential list --id {} for an SPN and credential created by Terraform should return information.

Actual Behavior

Attempting to retrieve the SP credential produces an error...

az ad sp credential list --id 8ac6f6f2-...
The command failed with an unexpected error. Here is the traceback:

Parameter 'application_object_id' can not be None.
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/knack/cli.py", line 206, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/core/commands/__init__.py", line 351, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/core/commands/__init__.py", line 409, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/core/commands/__init__.py", line 400, in _run_job
    cmd_copy.exception_handler(ex)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/command_modules/role/commands.py", line 69, in graph_err_handler
    raise ex
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/core/commands/__init__.py", line 379, in _run_job
    result = cmd_copy(params)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/core/commands/__init__.py", line 171, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/core/__init__.py", line 451, in default_command_handler
    return op(**command_args)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/command_modules/role/custom.py", line 1080, in list_service_principal_credentials
    return _get_service_principal_credentials(graph_client, app_object_id, cert)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/cli/command_modules/role/custom.py", line 1087, in _get_service_principal_credentials
    app_creds = list(graph_client.applications.list_password_credentials(app_object_id))
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/msrest/paging.py", line 143, in __next__
    self.advance_page()
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/msrest/paging.py", line 129, in advance_page
    self._response = self._get_next(self.next_link)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/azure/graphrbac/operations/applications_operations.py", line 669, in internal_paging
    'applicationObjectId': self._serialize.url("application_object_id", application_object_id, 'str'),
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/msrest/serialization.py", line 592, in url
    data = self.validate(data, name, required=True, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.0.61/libexec/lib/python3.7/site-packages/msrest/serialization.py", line 662, in validate
    raise ValidationError("required", name, True)
msrest.exceptions.ValidationError: Parameter 'application_object_id' can not be None.

Attempting to retrieve the APP credential returns empty...

az ad app credential list --id 837fe3bf-aabd-437d-aab1-ddf66828ae37

Steps to Reproduce

Create an application, service principal, and service principal password. This is my example...

resource "random_uuid" "spn_password" {}

resource "azuread_application" "spn" {
  name     = "${var.spn_name}"
  homepage = "${local.spn_url}"
}

resource "azuread_service_principal" "spn" {
  application_id = "${azuread_application.spn.application_id}"
}

resource "azuread_service_principal_password" "spn" {
  service_principal_id = "${azuread_service_principal.spn.id}"
  value                = "${random_uuid.spn_password.result}"
  end_date_relative    = "${var.spn_password_expiry}"
}

Try to retrieve the SP and APP credential list in az cli for the new SPN.

az ad sp credential list --id {}
az ad app credential list --id {}

Important Factoids

If the SPN and credentials are generated using az cli instead of Terraform, the credential list command works.

The SPN and credential seem to work, I just can't list the credentials from az cli.

References

Azure/azure-cli#8900

Support create-for-rbac

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please support creating SPs equally to cmd line command az ad sp create-for-rbac --years 2

Update azure-go-sdk to v23.0.0 (or later)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I have a resource provider for azuread_domain_services ready, but I need at least v23.0.0 of the azure-go-sdk to complete the implementation. (see Azure/azure-sdk-for-go#3285)

azuread_application type native reply_urls validation error

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v0.11.14

  • provider.azuread v0.3.1 (built from the following master commit ac25838)

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

resource "azuread_application" "native" {
  name                       = "native"
  type                       = "native"
  reply_urls                 = ["urn:ietf:wg:oauth:2.0:oob"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

Debug Output

Terraform DEBUG output

Expected Behavior

Creates an azuread_application of type native with the following reply URL:-

"urn:ietf:wg:oauth:2.0:oob"

Actual Behavior

Error: azuread_application.native: "reply_urls.0" url has no host: "urn:ietf:wg:oauth:2.0:oob"

Steps to Reproduce

  1. terraform apply

Important Factoids

This is a valid reply URL:-

az ad app show --id [REDACTED] | ConvertFrom-Json | Select-Object -ExpandProperty replyUrls
urn:ietf:wg:oauth:2.0:oob

References

Better handling of azuread_service_principal_password's end_date?

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, one must set an end_date value when using azuread_service_principal_password. In the Azure Console, one can select 1 year or 2 years when creating the entry.

I don't see any way (say null resources) to be able to effectively create a date relative to when the resource was created, and (preferably) trigger a refresh at a certain expiry. While I don't know if this is something this module should support, there is something to be said for having a relative date that is only calculated on the initial creation of the resource.

New or Affected Resource(s)

  • azuread_service_principal_password

Potential Terraform Configuration

resource "azuread_service_principal_password" "my-app-secret" {
  service_principal_id = "${azuread_service_principal.my-app.id}"
  value                = "${random_string.consul_sp.result}"
  relative_end_date    = "2yr"
}
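The behaviour the request above describes, as an added example that is not part of the original issue or the provider's code: a relative spec such as "2yr" is resolved once, at creation time, into the absolute UTC end_date Azure AD stores, and a separate check decides when the credential is close enough to expiry to trigger a refresh. The accepted spec grammar ("2yr", "1y", "90d", "720h") and the 30-day rotation lead are assumptions made for this example.

```python
"""Stable, creation-relative end_date for a service principal password (added example)."""
from __future__ import annotations

import calendar
import re
from datetime import datetime, timedelta, timezone

# Constructed grammar for this example: "<n>yr", "<n>y", "<n>d" or "<n>h"
_SPEC = re.compile(r"^(\d+)\s*(yr|y|d|h)$")


def add_years(start: datetime, years: int) -> datetime:
    """Calendar-aware year addition: 29 Feb rolls back to 28 Feb in a non-leap target year."""
    year = start.year + years
    day = min(start.day, calendar.monthrange(year, start.month)[1])
    return start.replace(year=year, day=day)


def resolve_end_date(created_at: datetime, relative: str) -> str:
    """Turn a relative spec into the absolute RFC 3339 UTC end_date string.

    This is evaluated exactly once, with the creation timestamp, so that
    re-running a plan later does not move the expiry and force a new secret.
    """
    if created_at.tzinfo is None:
        raise ValueError("created_at must be timezone-aware")
    m = _SPEC.match(relative.strip())
    if not m:
        raise ValueError(f"unsupported relative end date: {relative!r}")
    amount, unit = int(m.group(1)), m.group(2)
    if unit in ("yr", "y"):
        end = add_years(created_at, amount)
    elif unit == "d":
        end = created_at + timedelta(days=amount)
    else:
        end = created_at + timedelta(hours=amount)
    return end.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def needs_rotation(end_date: str, now: datetime, lead: timedelta = timedelta(days=30)) -> bool:
    """True when the credential expires within `lead` (or already has): the refresh trigger."""
    expiry = datetime.strptime(end_date, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return expiry - now <= lead


if __name__ == "__main__":
    # Constructed sample creation time; in practice this is recorded once and kept in state
    created = datetime(2019, 4, 1, 12, 0, tzinfo=timezone.utc)
    end = resolve_end_date(created, "2yr")
    print("end_date =", end)
    print("rotate now?", needs_rotation(end, datetime(2021, 3, 10, tzinfo=timezone.utc)))
```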

azuread_application: support for `required-resource-accesses`?

azurerm version: 1.16

I want to grant permissions to Active Directory Application.

Using the Azure CLI there is such an option:

az ad app update -h

...
update a native application with delegated permission of "access the AAD directory as the
    signed-in user"
        az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --required-resource-accesses
        @manifest.json
        ("manifest.json" contains the following content)
        [{
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a",
                    "type": "Scope"
                }
           ]
        }]
...

Is there any way to do the same with Terraform AzureRM?

Privileged Identity Management (PIM)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Ability to Create PIM Policies and Configure PIM access via Terraform

New or Affected Resource(s)

New data source would be required

  • azuread_privileged_identity_management

Potential Terraform Configuration

resource "azurerm_priviliged_identity_management" "PIM-Group-1" {
  scope = "Subscription_PIM_1"
  role_definition_name = "Contributor"
  aad_group_id = "${var.aad_group_id}"
}

References

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Migrating azurerm_azuread resources to new azuread provider breaks the statefile

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

tried both Terraform v0.11.10 and v0.11.11
Providers:
"azuread" (0.1.0)...
"azurerm" (1.21.0)...

Affected Resource(s)

  • azuread_service_principal

Problem Description

Trying to follow the migration steps:
https://www.terraform.io/docs/providers/azurerm/guides/migrating-to-azuread.html

after successfully moving the resources in the statefile with

terraform state mv module.app_env.azurerm_azuread_service_principal.gitlab_runner_sp module.app_env.azuread_service_principal.gitlab_runner_sp

following

terraform plan

ends up in panic with lease on statefile not being released

Debug Output

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xb67f38]

goroutine 12534 [running]:
github.com/hashicorp/terraform/terraform.(*NodeRefreshableManagedResourceInstance).evalTreeManagedResourceNoState(0xc0002fa048, 0x2, 0x2506de0)
	/opt/gopath/src/github.com/hashicorp/terraform/terraform/node_resource_refresh.go:238 +0x328
github.com/hashicorp/terraform/terraform.(*NodeRefreshableManagedResourceInstance).EvalTree(0xc0002fa048, 0x2edae60, 0xc0002fa048)
	/opt/gopath/src/github.com/hashicorp/terraform/terraform/node_resource_refresh.go:98 +0x6e
github.com/hashicorp/terraform/terraform.(*Graph).walk.func1(0x2edae60, 0xc0002fa048, 0x0, 0x0)
	/opt/gopath/src/github.com/hashicorp/terraform/terraform/graph.go:113 +0x9a2
github.com/hashicorp/terraform/dag.(*Walker).walkVertex(0xc00126ea80, 0x2edae60, 0xc0002fa048, 0xc000bcc140)
	/opt/gopath/src/github.com/hashicorp/terraform/dag/walk.go:387 +0x367
created by github.com/hashicorp/terraform/dag.(*Walker).Update
	/opt/gopath/src/github.com/hashicorp/terraform/dag/walk.go:310 +0x986

!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Terraform crashed! This is always indicative of a bug within Terraform.
A crash log has been placed at "crash.log" relative to your current
working directory. It would be immensely helpful if you could please
report the crash with Terraform[1] so that we can fix this.

When reporting bugs, please include your terraform version. That
information is available on the first line of crash.log. You can also
get it by running 'terraform --version' on the command line.

[1]: https://github.com/hashicorp/terraform/issues

!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Panic Output

2019/02/16 01:58:16 [TRACE] dag/walk: walking "module.app_env.azuread_service_principal.gitlab_runner_sp"
2019/02/16 01:58:16 [TRACE] vertex 'root.module.app_env.azuread_service_principal.gitlab_runner_sp': walking
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xb67f38]

goroutine 12534 [running]:
github.com/hashicorp/terraform/terraform.(*NodeRefreshableManagedResourceInstance).evalTreeManagedResourceNoState(0xc0002fa048, 0x2, 0x2506de0)
        /opt/gopath/src/github.com/hashicorp/terraform/terraform/node_resource_refresh.go:238 +0x328
github.com/hashicorp/terraform/terraform.(*NodeRefreshableManagedResourceInstance).EvalTree(0xc0002fa048, 0x2edae60, 0xc0002fa048)
        /opt/gopath/src/github.com/hashicorp/terraform/terraform/node_resource_refresh.go:98 +0x6e
github.com/hashicorp/terraform/terraform.(*Graph).walk.func1(0x2edae60, 0xc0002fa048, 0x0, 0x0)
        /opt/gopath/src/github.com/hashicorp/terraform/terraform/graph.go:113 +0x9a2
github.com/hashicorp/terraform/dag.(*Walker).walkVertex(0xc00126ea80, 0x2edae60, 0xc0002fa048, 0xc000bcc140)
        /opt/gopath/src/github.com/hashicorp/terraform/dag/walk.go:387 +0x367
created by github.com/hashicorp/terraform/dag.(*Walker).Update
        /opt/gopath/src/github.com/hashicorp/terraform/dag/walk.go:310 +0x986

Steps to Reproduce

... I hope I'm going to have some time soon to quickly write a tf file for generating this issue, although the issue is clear. I managed to overpass it, although with a lot of manual intervention directly in the statefile.

Manual solution to overcome the issue

Manually solved the issue by editing the state file...
it looks like terraform state mv <source> <dest> left all azuread_ references in "depends_on" fields unmigrated like this:

"depends_on": [
    "azurerm_azuread_service_principal.gitlab_runner_sp"

instead of

"depends_on": [
    "azuread_service_principal.gitlab_runner_sp"

hence the panic. So edit the statefile, replace all azurerm_azuread_ occurrences with azuread_, and rerun plan.
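The manual statefile edit described above, as an added example that is not part of the original issue or the provider's code: it walks a Terraform 0.11 (state version 3) file, renames any remaining azurerm_azuread_ resource keys and types, rewrites the stale depends_on entries that terraform state mv left behind, and reports each change so the edit can be reviewed before the file is written back. The sample state and the handling of the provider field are assumptions made for this example.

```python
"""Rewrite legacy azurerm_azuread_* references in a Terraform 0.11 state (added example)."""
from __future__ import annotations

import copy
import json

OLD_PREFIX = "azurerm_azuread_"
NEW_PREFIX = "azuread_"


def rename_ref(ref: str) -> str:
    """Map azurerm_azuread_<type>.<name> to azuread_<type>.<name>; other refs are untouched."""
    # Works for "type.name" as well as "module.x.type.name" style references
    return ".".join(
        NEW_PREFIX + p[len(OLD_PREFIX):] if p.startswith(OLD_PREFIX) else p
        for p in ref.split(".")
    )


def migrate_state(state: dict) -> tuple[dict, list[str]]:
    """Return a migrated deep copy of the state plus a human-readable change log."""
    if state.get("version") != 3:
        raise ValueError(f"expected state version 3 (Terraform 0.11), got {state.get('version')!r}")
    new = copy.deepcopy(state)
    changes: list[str] = []
    for module in new.get("modules", []):
        resources = module.get("resources", {})
        for key in list(resources):  # snapshot: keys are re-inserted under new names
            res = resources.pop(key)
            new_key = rename_ref(key)
            if new_key != key:
                res["type"] = rename_ref(res.get("type", ""))
                # Assumed: v3 state records the owning provider per resource
                res["provider"] = "provider.azuread"
                changes.append(f"resource {key} -> {new_key}")
            old_deps = res.get("depends_on", [])
            new_deps = [rename_ref(d) for d in old_deps]
            for old, fixed in zip(old_deps, new_deps):
                if old != fixed:
                    changes.append(f"{new_key} depends_on {old} -> {fixed}")
            if old_deps:
                res["depends_on"] = new_deps
            resources[new_key] = res
        module["depends_on"] = [rename_ref(d) for d in module.get("depends_on", [])]
    if changes:
        new["serial"] = state.get("serial", 0) + 1  # any hand edit must bump the serial
    return new, changes


# Constructed sample: the service principal was moved with `terraform state mv`,
# but its depends_on still names the old azurerm_azuread_ application, which was not moved.
SAMPLE_STATE = {
    "version": 3,
    "terraform_version": "0.11.13",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "modules": [{
        "path": ["root", "app_env"],
        "outputs": {},
        "resources": {
            "azuread_service_principal.gitlab_runner_sp": {
                "type": "azuread_service_principal",
                "depends_on": ["azurerm_azuread_application.gitlab_runner_app"],
                "primary": {"id": "11111111-1111-1111-1111-111111111111", "attributes": {}},
                "provider": "provider.azuread",
            },
            "azurerm_azuread_application.gitlab_runner_app": {
                "type": "azurerm_azuread_application",
                "depends_on": [],
                "primary": {"id": "22222222-2222-2222-2222-222222222222", "attributes": {}},
                "provider": "provider.azurerm",
            },
        },
        "depends_on": [],
    }],
}

if __name__ == "__main__":
    migrated, log = migrate_state(SAMPLE_STATE)
    print("\n".join(log))
    print(json.dumps(migrated, indent=2))
```

Run it against a copy of terraform.tfstate (load with json.load, write the migrated dict back with json.dump) and keep the backup until terraform plan is clean.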

groupMembershipClaims is missing from azuread_application

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

azuread_application should have an option to set the groupMembershipClaims field

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

# Default
resource "azuread_application" "testdefault" {
  name                       = "testapp"
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
  group_membership_claims    = null
}

# configured
resource "azuread_application" "testconfigured" {
  name                       = "testapp"
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = false
  group_membership_claims    = "All"
}

References

https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli#create-azure-ad-server-component this is creating the applications and service principals for AKS -> AZ AD Auth

New Data Source/Resource: `azuread_user`

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When using azurerm_role_assignment to set permissions, we often want to refer to existing users and groups.

It would be great if there was a data provider for this.

It might also be useful to have a resource provider to create these in the first place.

New or Affected Resource(s)

n/a

Potential Terraform Configuration

n/a

References

n/a

azuread_application_password object_id argument vs documentation

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The documentation for resource azuread_application_password makes reference to object_id. The provider itself however uses application_id.

The actual value should be the object_id of the azuread_application rather than the application_id, so it is probably more correct to update the code than the documentation.

New or Affected Resource(s)

  • azuread_application_password

Resource for Azure_application_Client secrets

How to provision the Azure_application_Client secrets using Terraform?

Tried provisioning azuread_service_principal_password, but it is not provisioning the Client secrets.

Regards
Gopi

Support the creation of Applications using Graph permission: Application.ReadWrite.OwnedBy

I am getting a 403 permission denied error when trying to create an AzureAd Application and service principal.

According to the Microsoft Azure AD documentation there is a specific permission which allows a service principal to create and manage its own applications/spns.

The Application.ReadWrite.OwnedBy permission allows the same operations as Application.ReadWrite.All except that the former allows these operations only on applications and service principals that the calling app is an owner of. Ownership is indicated by the owners navigation property on the target application or service principal resource.

Allows the calling app to create other applications and service principals, and fully manage those applications and service principals (read, update, update application secrets and delete)...

NOTE: Using the Application.ReadWrite.OwnedBy permission to call GET /applications to list applications will fail with a 403. Instead use GET servicePrincipals/{id}/ownedObjects to list the applications owned by the calling application.

reference: https://docs.microsoft.com/en-us/graph/permissions-reference

It looks to me that Terraform provider does not yet support this alternative and requires the full "Application.ReadWrite.All" permissions which grants full access to all applications.

It would be much better if we can support creating apps/spns using this alternative implementation.

In this way we can envisage a scenario where a Terraform SPN can be master of its own domain, creating AzureAD applications and resources and assigning rights appropriately without requiring full directory.write. access.
