Split azuread_application in multiple resources #1001

Closed
flvndh opened this issue Feb 7, 2023 · 3 comments · Fixed by #1214
Comments

flvndh commented Feb 7, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Split azuread_application into multiple resources.

The resource does too much and makes certain scenarios complex. For example, an Azure Container App that uses Azure AD authentication needs the client ID and client secret of the application. In turn, the application needs the Azure Container App fully qualified domain name to set up the redirect URL.

TL;DR: it creates cycles.

This kind of problem could be solved by delegating (and postponing) certain configuration to other resources.

# Details left for simplicity

resource "azuread_application" "main" {
  web {
    redirect_uris = ["https://${jsondecode(azapi_resource.container_app.output).properties.configuration.ingress.fqdn}/.auth/login/aad/callback"]
    
    implicit_grant {
      id_token_issuance_enabled = true
    }
  }
}

resource "azuread_application_password" "main" {
  application_object_id = azuread_application.main.object_id
}

resource "azapi_resource" "container_app" {
  body = jsonencode({
    properties = {
      configuration = {
        secrets = [{ name = "client-password", value = azuread_application_password.main.value }]
      }
    }
  })
}

resource "azapi_resource" "container_app_auth" {
  body = jsonencode({
    properties = {
      identityProviders = {
        azureActiveDirectory = {
          registration = {
            clientId = azuread_application.main.client_id
            clientSecretSettingName = "client-password"
          }
        }
      }
    }
  })
}

New or Affected Resource(s)

  • azuread_application
  • azuread_application_web ?

Potential Terraform Configuration

resource "azuread_application" "main" { ... }

resource "azuread_application_web" "main" {
  redirect_uris = ["https://${jsondecode(azapi_resource.container_app.output).properties.configuration.ingress.fqdn}/.auth/login/aad/callback"]
    
  implicit_grant {
    id_token_issuance_enabled = true
  }
}

This would solve the issue as it removes the dependency from the application to the container app.

References

t3mi commented Feb 9, 2023

@flvndh The cycle issue, in this particular case, could be overcome by skipping the secret setup during container app creation; instead, the container app could be patched using azapi_update_resource after creation of the Azure AD app.

resource "azapi_resource" "container_app" {
  body = jsonencode({
    properties = {
      configuration = {
        ...
      }
    }
  })
}

resource "azuread_application" "main" {
  web {
    redirect_uris = ["https://${jsondecode(azapi_resource.container_app.output).properties.configuration.ingress.fqdn}/.auth/login/aad/callback"]
    
    implicit_grant {
      id_token_issuance_enabled = true
    }
  }
}

resource "azuread_application_password" "main" {
  application_object_id = azuread_application.main.object_id
}

resource "azapi_update_resource" "container_app" {
  type                    = "Microsoft.App/containerApps@2022-03-01"
  resource_id             = azapi_resource.container_app.id
  ignore_missing_property = true

  body = jsonencode({
    properties = {
      configuration = {
        secrets = [{
          name  = "client-password"
          value = azuread_application_password.main.value
        }]
      }
    }
  })
}

resource "azapi_resource" "container_app_auth" {
  body = jsonencode({
    properties = {
      identityProviders = {
        azureActiveDirectory = {
          registration = {
            clientId                = azuread_application.main.client_id
            clientSecretSettingName = "client-password"
          }
        }
      }
    }
  })

  depends_on = [
    azapi_update_resource.container_app,
  ]
}
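
A complete, cycle-free version of the ordering t3mi describes above, added here as an example; it is not code from the issue or from the AzureAD/azapi providers themselves. It assumes azapi 1.x and azuread 2.x (azuread 3.x replaced `application_object_id` with `application_id`, and azapi 2.x returns `output` as an object rather than a JSON string), an existing resource group and Container Apps environment passed in as variables, and placeholder resource names and container image. The Easy Auth body fields (`platform`, `globalValidation`, `openIdIssuer`) follow the `Microsoft.App/containerApps/authConfigs` schema.

```hcl
terraform {
  required_providers {
    # Pinned: azuread 3.x renamed application_object_id; azapi 2.x changed `output` to an object.
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    azapi   = { source = "Azure/azapi", version = "~> 1.0" }
  }
}

# Assumed inputs: an existing resource group and Container Apps environment.
variable "resource_group_id"      { type = string }
variable "managed_environment_id" { type = string }
variable "location"               { type = string }

data "azuread_client_config" "current" {}

# Step 1: create the Container App without the client secret. response_export_values
# is what makes properties.configuration.ingress.fqdn appear in `output` with azapi 1.x.
resource "azapi_resource" "container_app" {
  type      = "Microsoft.App/containerApps@2022-03-01"
  name      = "ca-example-auth" # assumed name
  parent_id = var.resource_group_id
  location  = var.location
  body = jsonencode({
    properties = {
      managedEnvironmentId = var.managed_environment_id
      configuration = {
        ingress = { external = true, targetPort = 80 }
      }
      template = {
        containers = [{
          name  = "web"
          image = "mcr.microsoft.com/k8se/quickstart:latest" # assumed image
        }]
      }
    }
  })

  response_export_values = ["properties.configuration.ingress.fqdn"]
}

# Step 2: the app registration depends only on the FQDN, not on the secret.
resource "azuread_application" "main" {
  display_name = "ca-example-auth" # assumed name

  web {
    redirect_uris = ["https://${jsondecode(azapi_resource.container_app.output).properties.configuration.ingress.fqdn}/.auth/login/aad/callback"]

    implicit_grant {
      id_token_issuance_enabled = true
    }
  }
}

resource "azuread_application_password" "main" {
  application_object_id = azuread_application.main.object_id
}

# Step 3: patch the secret into the existing app. Nothing here feeds back into
# azapi_resource.container_app, so the dependency graph stays acyclic.
resource "azapi_update_resource" "container_app_secret" {
  type                    = "Microsoft.App/containerApps@2022-03-01"
  resource_id             = azapi_resource.container_app.id
  ignore_missing_property = true

  body = jsonencode({
    properties = {
      configuration = {
        secrets = [{ name = "client-password", value = azuread_application_password.main.value }]
      }
    }
  })
}

# Step 4: the Easy Auth config references the secret by name only.
resource "azapi_resource" "container_app_auth" {
  type      = "Microsoft.App/containerApps/authConfigs@2022-03-01"
  name      = "current"
  parent_id = azapi_resource.container_app.id
  body = jsonencode({
    properties = {
      platform         = { enabled = true }
      globalValidation = { unauthenticatedClientAction = "RedirectToLoginPage" }
      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          registration = {
            clientId                = azuread_application.main.client_id
            clientSecretSettingName = "client-password"
            openIdIssuer            = "https://login.microsoftonline.com/${data.azuread_client_config.current.tenant_id}/v2.0"
          }
        }
      }
    }
  })

  depends_on = [azapi_update_resource.container_app_secret]
}
```

Two things worth checking before relying on this pattern: `response_export_values` has to list the FQDN path, otherwise the `jsondecode(...)` lookup in the redirect URI fails at plan time; and `azuread_application_password.main.value` is held in plaintext in Terraform state, both on the password resource and inside the `azapi_update_resource` body, so the state backend has to be treated as secret storage and the secret rotated by tainting or replacing the password resource rather than by editing it in the portal.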

flvndh commented Feb 9, 2023

Thanks @t3mi! To overcome this situation I was setting the redirect URL using az ad app update, but this is even better as it relies solely on Terraform.

@manicminer (Contributor)

@flvndh Thanks for suggesting. This is going to be our strategy for managing app registrations in version 3 and above of the AzureAD provider. We have not yet finalised any schemas, but we have ideas based on feedback from community members who have struggled with complex and/or interdependent configurations.

Let's use this issue as a place to collect these, anyone is welcome to add their config conundrums to this thread as it will help form ideas for upcoming schemas.
