Predefined parameters are missed in the application provisioned from template #852

alexvvladimirov opened this issue Jul 27, 2022 · 3 comments · Fixed by #1214

@alexvvladimirov


Terraform (and AzureAD Provider) Version

Terraform v1.2.5
Provider registry.terraform.io/hashicorp/azuread v2.26.1

Affected Resource(s)

  • azuread_application
  • azuread_service_principal
  • azuread_application_template

Terraform Configuration Files

data "azuread_application_template" "this" {
  display_name = "GitHub Enterprise Managed User"
}

resource "azuread_application" "this" {
  display_name = "GitHub EMU"
  template_id  = data.azuread_application_template.this.template_id
}

resource "azuread_service_principal" "this" {
  application_id = azuread_application.this.application_id
  use_existing   = true
}

Debug Output

https://gist.github.com/alexvvladimirov/9b9204b917db2ffa7a79dba2a055ca61

Expected Behavior

The gallery application provisioned from the template should contain all predefined parameters (incl. appRoles, redirectUris, homePageUrl, etc.), as it would if provisioned through the Graph API or the Azure portal.

POST https://graph.microsoft.com/v1.0/applicationTemplates/3b5ca639-0790-480e-9b24-9625375a05e7/instantiate
Content-type: application/json
{
    "displayName": "GitHub EMU (test)"
}


Actual Behavior

The gallery app provisioned from the template is missing many of the predefined parameters (incl. appRoles, redirectUris, homePageUrl).

After analyzing the debug output I can see that when TF starts creating the gallery app, it sends a POST request to the Graph API. The response contains all the necessary predefined parameters:

2022/07/27 10:37:26 [DEBUG] ============================ Begin AzureAD Response ===========================
POST https://graph.microsoft.com/v1.0/***/applicationTemplates/3b5ca639-0790-480e-9b24-9625375a05e7/instantiate
Request ID: ***

HTTP/1.1 201 Created
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: b330754e-2273-484a-ad28-a482284443eb
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Wed, 27 Jul 2022 01:37:26 GMT
Location: https://graph.microsoft.com
Odata-Version: 4.0
Request-Id: b330754e-2273-484a-ad28-a482284443eb
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{***}}

12a7
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal","application":{"id":"5e831e8e-889e-429c-aa72-e526daaf26f8","appId":"2112f37e-3e7b-4608-bfad-3eccdf0961e7","applicationTemplateId":"3b5ca639-0790-480e-9b24-9625375a05e7","createdDateTime":"2022-07-27T01:37:23Z","deletedDateTime":null,"displayName":"GitHub EMU","description":null,"groupMembershipClaims":null,"identifierUris":[],"isFallbackPublicClient":false,"signInAudience":"AzureADMyOrg","tags":[],"tokenEncryptionKeyId":null,"defaultRedirectUri":null,"optionalClaims":null,"addIns":[],"api":{"acceptMappedClaims":null,"knownClientApplications":[],"requestedAccessTokenVersion":null,"oauth2PermissionScopes":[{"adminConsentDescription":"Allow the application to access GitHub EMU on behalf of the signed-in user.","adminConsentDisplayName":"Access GitHub EMU","id":"0e4b3147-70b6-4138-ac08-ac25da9cc368","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access GitHub EMU on your behalf.","userConsentDisplayName":"Access GitHub EMU","value":"user_impersonation"}],"preAuthorizedApplications":[]},"appRoles":[{"allowedMemberTypes":["User"],"displayName":"Enterprise Owner","id":"981df190-8801-4618-a08a-d91f6206c954","isEnabled":true,"description":"Enterprise Owner","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"User","id":"27d9891d-2c17-4f45-a262-781a0e55c80a","isEnabled":true,"description":"User","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"msiam_access","id":"5a6327d3-9140-458a-b894-320a25d0f525","isEnabled":true,"description":"msiam_access","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"Billing Manager","id":"0e338b8c-cc7f-498a-928d-ea3470d7e7e3","isEnabled":true,"description":"Billing Manager","value":null,"origin":"Application"}],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[],"publicClient":{"redirectUris":[]},"requiredResourceAccess":[],"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"web":{"homePageUrl":"https://github.com/enterprises/*?metadata=githubenterprisemanageduser|ISV9.1|primary|z","redirectUris":["https://github.com/enterprises/*"],"logoutUrl":null}},"servicePrincipal":{"id":"e530b277-1a56-4227-9cd7-515f145cb482","deletedDateTime":null,"accountEnabled":true,"appId":"2112f37e-3e7b-4608-bfad-3eccdf0961e7","applicationTemplateId":"3b5ca639-0790-480e-9b24-9625375a05e7","appDisplayName":"GitHub EMU","alternativeNames":[],"appOwnerOrganizationId":"***","displayName":"GitHub EMU","appRoleAssignmentRequired":true,"loginUrl":null,"logoutUrl":null,"homepage":"https://github.com/enterprises/*?metadata=githubenterprisemanageduser|ISV9.1|primary|z","notificationEmailAddresses":[],"preferredSingleSignOnMode":null,"preferredTokenSigningKeyThumbprint":null,"replyUrls":[],"servicePrincipalNames":["2112f37e-3e7b-4608-bfad-3eccdf0961e7"],"servicePrincipalType":"Application","tags":["WindowsAzureActiveDirectoryIntegratedApp"],"tokenEncryptionKeyId":null,"samlSingleSignOnSettings":null,"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"addIns":[],"appRoles":[{"allowedMemberTypes":["User"],"displayName":"Enterprise Owner","id":"981df190-8801-4618-a08a-d91f6206c954","isEnabled":true,"description":"Enterprise Owner","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"User","id":"27d9891d-2c17-4f45-a262-781a0e55c80a","isEnabled":true,"description":"User","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"msiam_access","id":"5a6327d3-9140-458a-b894-320a25d0f525","isEnabled":true,"description":"msiam_access","value":null,"origin":"Application"},{"allowedMemberTypes":["User"],"displayName":"Billing Manager","id":"0e338b8c-cc7f-498a-928d-ea3470d7e7e3","isEnabled":true,"description":"Billing Manager","value":null,"origin":"Application"}],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"oauth2PermissionScopes":[{"adminConsentDescription":"Allow the application to access GitHub EMU on behalf of the signed-in user.","adminConsentDisplayName":"Access GitHub EMU","id":"0e4b3147-70b6-4138-ac08-ac25da9cc368","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access GitHub EMU on your behalf.","userConsentDisplayName":"Access GitHub EMU","value":"user_impersonation"}],"passwordCredentials":[]}}
0

But then TF sends a PATCH request that sets most of the predefined parameters to empty/null values:

2022/07/27 10:37:28 [DEBUG] ============================ Begin AzureAD Request ============================
Request ID: ***

PATCH /beta/***/applications/5e831e8e-889e-429c-aa72-e526daaf26f8 HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.2.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/dev Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 752
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

{"groupMembershipClaims":null,"id":"5e831e8e-889e-429c-aa72-e526daaf26f8","api":{"acceptMappedClaims":false,"knownClientApplications":[],"oauth2PermissionScopes":[],"requestedAccessTokenVersion":1},"appRoles":[],"displayName":"GitHub EMU","identifierUris":[],"info":{"marketingUrl":"","privacyStatementUrl":"","supportUrl":"","termsOfServiceUrl":""},"isDeviceOnlyAuthSupported":false,"isFallbackPublicClient":false,"oauth2RequirePostResponse":false,"optionalClaims":{},"publicClient":{"redirectUris":[]},"requiredResourceAccess":[],"signInAudience":"AzureADMyOrg","spa":{"redirectUris":[]},"tags":[],"web":{"homePageUrl":null,"implicitGrantSettings":{"enableAccessTokenIssuance":false,"enableIdTokenIssuance":false},"logoutUrl":null,"redirectUris":[]}}
============================= End AzureAD Request =============================:

As a result the app loses important predefined parameters.


Steps to Reproduce

  1. terraform apply

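To make the clobbering visible without the screenshots, here is an added example (not code from the issue or from the azuread provider) that diffs the "application" object from the instantiate response against the PATCH body Terraform sent, both taken from the debug output above and trimmed to the relevant fields, and lists the template properties the PATCH would blank. It is written in Python for this page; the property names are Graph's. It flags only populated-to-empty transitions, so acceptMappedClaims (null to false) and the info URLs (null to "") are not reported, while appRoles, the user_impersonation scope, web.homePageUrl and web.redirectUris are. The roles are the part that matters most for access control: the response shows the template's service principal is created with appRoleAssignmentRequired true, so those roles are what gates who can sign in, and assignments reference them by ID.

```python
"""Report template-provided application properties that a later PATCH blanks.

Added example for this issue page; not code from the issue or from the
azuread provider. Both documents below are constructed excerpts of the
debug output quoted in the issue: the "application" object from the 201
response to POST .../applicationTemplates/{id}/instantiate, and the body
of the PATCH that Terraform sent two seconds later.
"""
import json

# Trimmed "application" object from the instantiate response (constructed
# excerpt; role and scope entries keep only the fields needed here).
INSTANTIATED_APP = {
    "id": "5e831e8e-889e-429c-aa72-e526daaf26f8",
    "displayName": "GitHub EMU",
    "groupMembershipClaims": None,
    "identifierUris": [],
    "optionalClaims": None,
    "api": {
        "acceptMappedClaims": None,
        "knownClientApplications": [],
        "requestedAccessTokenVersion": None,
        "oauth2PermissionScopes": [
            {"id": "0e4b3147-70b6-4138-ac08-ac25da9cc368",
             "value": "user_impersonation", "isEnabled": True},
        ],
    },
    "appRoles": [
        {"id": "981df190-8801-4618-a08a-d91f6206c954", "displayName": "Enterprise Owner"},
        {"id": "27d9891d-2c17-4f45-a262-781a0e55c80a", "displayName": "User"},
        {"id": "5a6327d3-9140-458a-b894-320a25d0f525", "displayName": "msiam_access"},
        {"id": "0e338b8c-cc7f-498a-928d-ea3470d7e7e3", "displayName": "Billing Manager"},
    ],
    "info": {"marketingUrl": None, "privacyStatementUrl": None,
             "supportUrl": None, "termsOfServiceUrl": None},
    "publicClient": {"redirectUris": []},
    "requiredResourceAccess": [],
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "web": {
        "homePageUrl": "https://github.com/enterprises/*?metadata=githubenterprisemanageduser|ISV9.1|primary|z",
        "redirectUris": ["https://github.com/enterprises/*"],
        "logoutUrl": None,
    },
}

# The PATCH body exactly as it appears in the issue's debug output.
TERRAFORM_PATCH = json.loads(
    '{"groupMembershipClaims":null,"id":"5e831e8e-889e-429c-aa72-e526daaf26f8",'
    '"api":{"acceptMappedClaims":false,"knownClientApplications":[],'
    '"oauth2PermissionScopes":[],"requestedAccessTokenVersion":1},"appRoles":[],'
    '"displayName":"GitHub EMU","identifierUris":[],"info":{"marketingUrl":"",'
    '"privacyStatementUrl":"","supportUrl":"","termsOfServiceUrl":""},'
    '"isDeviceOnlyAuthSupported":false,"isFallbackPublicClient":false,'
    '"oauth2RequirePostResponse":false,"optionalClaims":{},'
    '"publicClient":{"redirectUris":[]},"requiredResourceAccess":[],'
    '"signInAudience":"AzureADMyOrg","spa":{"redirectUris":[]},"tags":[],'
    '"web":{"homePageUrl":null,"implicitGrantSettings":{'
    '"enableAccessTokenIssuance":false,"enableIdTokenIssuance":false},'
    '"logoutUrl":null,"redirectUris":[]}}'
)


def _is_blank(value):
    """The 'nothing here' encodings seen in the log: null, "", [] and {}."""
    return value is None or value == "" or value == [] or value == {}


def clobbered_properties(before, patch, prefix=""):
    """Dotted paths of properties populated in `before` that `patch` blanks.

    A Graph PATCH leaves absent keys alone, so only keys present in `patch`
    are examined. Nested objects are walked; collections are compared whole,
    because a PATCH replaces a collection rather than merging into it.
    Plain value changes (populated -> different populated value) are not
    reported; this check is specifically for data loss.
    """
    found = []
    for key, new in patch.items():
        path = prefix + key
        old = before.get(key)
        if isinstance(old, dict) and isinstance(new, dict):
            found.extend(clobbered_properties(old, new, path + "."))
        elif not _is_blank(old) and _is_blank(new):
            found.append(path)
    return sorted(found)


def lost_app_role_ids(before, patch):
    """IDs of app roles the PATCH drops; assignments to them become orphans."""
    kept = {role["id"] for role in patch.get("appRoles", [])}
    return [role["id"] for role in before.get("appRoles", []) if role["id"] not in kept]


if __name__ == "__main__":
    for path in clobbered_properties(INSTANTIATED_APP, TERRAFORM_PATCH):
        print("blanked by PATCH:", path)
    print("app roles lost:", lost_app_role_ids(INSTANTIATED_APP, TERRAFORM_PATCH))
```

The same two functions can be pointed at a full provider debug log by parsing the request and response bodies out of it; the excerpts are inlined here only so the script runs offline.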

Threpio commented Jul 30, 2022

The culprit:

return applicationResourceUpdate(ctx, d, meta)

I am not 100% sure how to tackle this straight away; I will let someone more experienced than me see how to implement the template correctly.

@manicminer

Thanks for reporting @alexvvladimirov. This is something we should be able to improve; however, at this time such an improvement depends on further investigation into improving Computed properties. I'm hoping we'll be in a position to address this in the next major version of the provider, which is due in the coming months.

In the meantime, you would need to work around this by explicitly configuring these predefined parameters as part of your Terraform config for the application.
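What that workaround looks like in practice, as an added example (not from the issue, the provider docs or PR #1214): every template-provided property is restated in the azuread_application resource, so the provider's follow-up PATCH carries the template's values instead of blanks. Argument names are those of the azuread v2.x azuread_application and azuread_service_principal schemas as understood here; confirm them against the docs for the provider version you run. The role and scope IDs and the URLs are copied from the instantiate response in the issue's debug output. Whether Graph accepts the wildcard redirect URI when set outside template instantiation is not established by this page; if apply rejects it, substitute the concrete enterprise URL.

```hcl
data "azuread_application_template" "this" {
  display_name = "GitHub Enterprise Managed User"
}

locals {
  # Roles as the template defines them (IDs from the issue's debug output).
  # Keeping the template's IDs matters: app role assignments reference roles
  # by ID, so letting the provider regenerate them would orphan assignments.
  emu_app_roles = {
    "981df190-8801-4618-a08a-d91f6206c954" = "Enterprise Owner"
    "27d9891d-2c17-4f45-a262-781a0e55c80a" = "User"
    "5a6327d3-9140-458a-b894-320a25d0f525" = "msiam_access"
    "0e338b8c-cc7f-498a-928d-ea3470d7e7e3" = "Billing Manager"
  }
}

resource "azuread_application" "this" {
  display_name     = "GitHub EMU"
  template_id      = data.azuread_application_template.this.template_id
  sign_in_audience = "AzureADMyOrg"

  web {
    # Verbatim from the instantiate response; see the caveat above about the
    # wildcard.
    homepage_url  = "https://github.com/enterprises/*?metadata=githubenterprisemanageduser|ISV9.1|primary|z"
    redirect_uris = ["https://github.com/enterprises/*"]
  }

  api {
    # The user_impersonation scope the template ships with.
    oauth2_permission_scope {
      id                         = "0e4b3147-70b6-4138-ac08-ac25da9cc368"
      value                      = "user_impersonation"
      type                       = "User"
      enabled                    = true
      admin_consent_display_name = "Access GitHub EMU"
      admin_consent_description  = "Allow the application to access GitHub EMU on behalf of the signed-in user."
      user_consent_display_name  = "Access GitHub EMU"
      user_consent_description   = "Allow the application to access GitHub EMU on your behalf."
    }
  }

  # One app_role block per template role; the template sets value to null,
  # so no value argument is given here.
  dynamic "app_role" {
    for_each = local.emu_app_roles
    content {
      id                   = app_role.key
      display_name         = app_role.value
      description          = app_role.value
      allowed_member_types = ["User"]
      enabled              = true
    }
  }
}

resource "azuread_service_principal" "this" {
  application_id = azuread_application.this.application_id
  use_existing   = true

  # The instantiate response shows appRoleAssignmentRequired: true on the
  # template's service principal. Keep it: with it false, any user in the
  # tenant can sign in to the app regardless of role assignment.
  app_role_assignment_required = true
}
```

The provider still issues its PATCH after instantiation, but with this configuration the body repeats the template's values rather than emptying them. Review the plan before applying: it should show the roles, scope and web settings as intended, and any property you did not restate (for instance the info URLs) will still be driven to the provider's defaults.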

@manicminer

We are working on a new resource azuread_application_from_template along with a host of additional resources for managing individual components of applications, which I believe will resolve this issue of clobbering application properties that were inherited from the gallery application template. These resources are in flight in #1214 and will land in the next provider release.

Our recommendation will be to adopt this new resource for launching applications from gallery templates, particularly in cases where the existing azuread_application scrambles these predefined properties. Accordingly, I've marked this issue for closure with #1214.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 19, 2024