documentation for azuread_application, also export the object_id …

…attribute
hashicorp · Oct 18, 2023 · 4445925 · 4445925
1 parent 4475518
commit 4445925
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 2 deletions.
diff --git a/docs/resources/application.md b/docs/resources/application.md
@@ -6,13 +6,17 @@ subcategory: "Applications"
 
 Manages an application registration within Azure Active Directory.
 
+For a more lightweight alternative, please see the [azuread_application_registration](application_registration.html) resource. Please note that this resource should not be used together with the `azuread_application_registration` resource when managing the same application.
+
 ## API Permissions
 
 The following API permissions are required in order to use this resource.
 
-When authenticated with a service principal, this resource requires the following application role: `Application.ReadWrite.All`
+When authenticated with a service principal, this resource requires one of the following application roles: `Application.ReadWrite.OwnedBy` or `Application.ReadWrite.All`
+
+-> When using the `Application.ReadWrite.OwnedBy` application role, you should ensure that the principal being used to run Terraform is included in the `owners` property.
 
--> It is usually possible to create applications using this resource with just the `Application.ReadWrite.OwnedBy` application role, provided the principal being used to run Terraform is included in the `owners` property. However, this is not officially supported by the API so if you receive a `403` you need to investigate what API call is failing and add additional permissions as necessary. One commonly needed additional permission is `User.Read.All`, in case you specify additional `owners`.
+Additionally, you may need the `User.Read.All` application role when including user principals in the `owners` property.
 
 When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator`
 

diff --git a/docs/resources/application_registration.md b/docs/resources/application_registration.md
@@ -0,0 +1,72 @@
+---
+subcategory: "Applications"
+---
+
+# Resource: azuread_application_registration
+
+Manages an application registration within Azure Active Directory.
+
+For a more comprehensive alternative, please see the [azuread_application](application.html) resource. Please note that this resource should not be used together with the `azuread_application` resource when managing the same application.
+
+## API Permissions
+
+The following API permissions are required in order to use this resource.
+
+When authenticated with a service principal, this resource requires one of the following application roles: `Application.ReadWrite.OwnedBy` or `Application.ReadWrite.All`
+
+When authenticated with a user principal, this resource requires one of the following directory roles: `Application Administrator` or `Global Administrator`
+
+## Example Usage
+
+```terraform
+resource "azuread_application_registration" "test" {
+  display_name     = "Example Application"
+  description      = "My example application"
+  sign_in_audience = "AzureADMyOrg"
+
+  homepage_url          = "https://app.hashitown.com/"
+  logout_url            = "https://app.hashitown.com/logout"
+  marketing_url         = "https://hashitown.com/"
+  privacy_statement_url = "https://hashitown.com/privacy"
+  support_url           = "https://support.hashitown.com/"
+  terms_of_service_url  = "https://hashitown.com/terms"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `description` - (Optional) A description of the application, as shown to end users.
+* `display_name` - (Required) The display name for the application.
+* `group_membership_claims` - (Optional) Configures the `groups` claim issued in a user or OAuth 2.0 access token that the app expects. Possible values are `None`, `SecurityGroup`, `DirectoryRole`, `ApplicationGroup` or `All`.
+* `homepage_url` - (Optional) Home page or landing page of the application.
+* `implicit_access_token_issuance_enabled` - (Optional) Whether this web application can request an access token using OAuth implicit flow.
+* `implicit_id_token_issuance_enabled` - (Optional) Whether this web application can request an ID token using OAuth implicit flow.
+* `logout_url` - (Optional) The URL that will be used by Microsoft's authorization service to sign out a user using front-channel, back-channel or SAML logout protocols.
+* `marketing_url` - (Optional) URL of the marketing page for the application.
+* `notes` - (Optional) User-specified notes relevant for the management of the application.
+* `privacy_statement_url` - (Optional) URL of the privacy statement for the application.
+* `requested_access_token_version` - (Optional) The access token version expected by this resource. Must be one of `1` or `2`, and must be `2` when `sign_in_audience` is either `AzureADandPersonalMicrosoftAccount` or `PersonalMicrosoftAccount` Defaults to `1`.
+* `service_management_reference` - (Optional) References application context information from a Service or Asset Management database.
+* `sign_in_audience` - (Optional) The Microsoft account types that are supported for the current application. Must be one of `AzureADMyOrg`, `AzureADMultipleOrgs`, `AzureADandPersonalMicrosoftAccount` or `PersonalMicrosoftAccount`. Defaults to `AzureADMyOrg`.
+* `support_url` - (Optional) URL of the support page for the application.
+* `terms_of_service_url` - (Optional) URL of the terms of service statement for the application.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `client_id` - The Client ID for the application, which is globally unique.
+* `disabled_by_microsoft` - Whether Microsoft has disabled the registered application. If the application is disabled, this will be a string indicating the status/reason, e.g. `DisabledDueToViolationOfServicesAgreement`
+* `id` - The resource ID for the application, for use when referencing this resource in your Terraform configuration.
+* `object_id` - The object ID of the application within the tenant.
+* `publisher_domain` - The verified publisher domain for the application.
+
+## Import
+
+Application Registrations can be imported using the object ID of the application, in the following format.
+
+```shell
+terraform import azuread_application_registration.test /applications/00000000-0000-0000-0000-000000000000
+```
diff --git a/internal/services/applications/application_registration_resource.go b/internal/services/applications/application_registration_resource.go
@@ -33,6 +33,7 @@ type ApplicationRegistrationModel struct {
 	LogoutUrl                          string   `tfschema:"logout_url"`
 	MarketingUrl                       string   `tfschema:"marketing_url"`
 	Notes                              string   `tfschema:"notes"`
+	ObjectId                           string   `tfschema:"object_id"`
 	PrivacyStatementUrl                string   `tfschema:"privacy_statement_url"`
 	PublisherDomain                    string   `tfschema:"publisher_domain"`
 	RequestedAccessTokenVersion        int      `tfschema:"requested_access_token_version"`
@@ -205,6 +206,12 @@ func (r ApplicationRegistrationResource) Attributes() map[string]*pluginsdk.Sche
 			Computed:    true,
 		},
 
+		"object_id": {
+			Description: "The object ID of the application within the tenant",
+			Type:        pluginsdk.TypeString,
+			Computed:    true,
+		},
+
 		"publisher_domain": {
 			Description: "The verified publisher domain for the application",
 			Type:        pluginsdk.TypeString,
@@ -304,6 +311,7 @@ func (r ApplicationRegistrationResource) Read() sdk.ResourceFunc {
 				DisplayName:                pointer.From(result.DisplayName),
 				GroupMembershipClaims:      pointer.From(result.GroupMembershipClaims),
 				Notes:                      string(pointer.From(result.Notes)),
+				ObjectId:                   pointer.From(result.ID()),
 				PublisherDomain:            pointer.From(result.PublisherDomain),
 				ServiceManagementReference: string(pointer.From(result.ServiceManagementReference)),
 				SignInAudience:             pointer.From(result.SignInAudience),

diff --git a/internal/services/applications/application_registration_resource_test.go b/internal/services/applications/application_registration_resource_test.go
@@ -30,6 +30,7 @@ func TestAccApplicationRegistration_basic(t *testing.T) {
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 				check.That(data.ResourceName).Key("client_id").Exists(),
+				check.That(data.ResourceName).Key("object_id").Exists(),
 				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-AppRegistration-%d", data.RandomInteger)),
 			),
 		},
@@ -47,6 +48,7 @@ func TestAccApplicationRegistration_complete(t *testing.T) {
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 				check.That(data.ResourceName).Key("client_id").Exists(),
+				check.That(data.ResourceName).Key("object_id").Exists(),
 			),
 		},
 		data.ImportStep(),