New Resources: azuread_application_registration, azuread_application_from_template and others #1214

Merged: manicminer merged 46 commits into main from r/applications-gen3 on Oct 20, 2023

Conversation

@manicminer manicminer commented Oct 17, 2023

Rationale and Practitioner Benefits

We're adding these resources to complement the existing azuread_application resource. Whilst the existing monolithic resource is useful for declaring and managing the whole application manifest at once, these new resources offer a more composable approach and only manage a small set of properties each. They are intended for use both in simpler configurations, and in more advanced configs, the latter of which might include:

  • where application properties need to self-reference values from the application that are only known after creation (e.g. the client ID)
  • where you need to create 2 or more applications that reference each other in certain property values, thereby creating a circular graph dependency
  • instantiating gallery applications from template, where properties are applied to the new application but the azuread_application resource removes them or otherwise updates them
  • where new applications are assigned an initial owner by the API but the azuread_application resource isn't able to detect this correctly, perhaps due to lack of API permissions
  • where you might want to retain any other default property value inherited by a new application but cannot or do not wish to add these to your Terraform configuration
  • where the linked service principal requires certain property values to be set before you can set a related property value on the application object
  • where you want to manage individual aspects of an application across more than one Terraform module, for example assigning owners or API permissions

Internal work

This includes some refactoring to accommodate these new resources and also to aid in moving over to new structured resource IDs.

  • Updating github.com/manicminer/hamilton
  • Updating github.com/hashicorp/go-azure-sdk
  • Updating golangci-lint
  • Deprecating and removing the utils package which contained legacy helper funcs
  • Structured ID and state migration for application resource
  • Compatibility fixes for existing azuread_application_* resources as stopgap until v3.0
  • Fixing up some validation functions

More ID parser upgrades and state migrations to follow in separate PRs.

TODO

  • Upstream PR for Hamilton changes
  • Documentation

Changelog

FEATURES:

  • New Resource: azuread_application_api_access
  • New Resource: azuread_application_app_role
  • New Resource: azuread_application_fallback_public_client
  • New Resource: azuread_application_from_template
  • New Resource: azuread_application_identifier_uri
  • New Resource: azuread_application_known_clients
  • New Resource: azuread_application_owner
  • New Resource: azuread_application_permission_scope
  • New Resource: azuread_application_redirect_uris
  • New Resource: azuread_application_registration

ENHANCEMENTS:

  • data.azuread_application - export the client_id attribute, deprecate the application_id attribute
  • data.azuread_service_principal - support for the client_id property, deprecate the application_id property
  • data.azuread_service_principals - support for the client_ids property, deprecate the application_ids property
  • data.azuread_service_principals - export the client_id attribute in the service_principals block, deprecate the application_id attribute
  • azuread_application - export the client_id attribute, deprecate the application_id attribute
  • azuread_application_federated_identity_credential - support for the application_id property, deprecate the application_object_id property
  • azuread_application_certificate - support for the application_id property, deprecate the application_object_id property
  • azuread_application_password - support for the application_id property, deprecate the application_object_id property
  • azuread_application_pre_authorized - support for the application_id property, deprecate the application_object_id property
  • azuread_service_principal - support for the client_id property, deprecate the application_id property

Issues

Closes: #428
Closes: #501
Closes: #703
Closes: #773
Closes: #778
Closes: #797
Closes: #800
Closes: #834
Closes: #836
Closes: #852
Closes: #919
Closes: #924
Closes: #950
Closes: #1001
Closes: #1002
Closes: #1093
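The circular-reference case from the rationale above (two applications that reference each other's client IDs, plus an identifier URI that self-references the app's own client ID), as an added configuration example that is not part of this PR or the provider's documentation. The argument names (display_name, application_id, identifier_uri, scope_id, admin_consent_*, value, api_client_id, scope_ids, known_client_ids) are assumed from the provider's resource schemas and are not on this page; random_uuid from the hashicorp/random provider supplies a stable scope ID.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.44" }
    random  = { source = "hashicorp/random" }
  }
}

# Constructed, stable scope ID so the permission scope does not churn between runs.
resource "random_uuid" "user_impersonation" {}

# Backend API: only the bare registration; every other property is managed
# by a small, composable resource below (assumed schema, not from this page).
resource "azuread_application_registration" "api" {
  display_name = "example-api"
}

# Self-reference: the client ID is only known after the registration is created,
# which the monolithic azuread_application resource cannot express in one block.
resource "azuread_application_identifier_uri" "api" {
  application_id = azuread_application_registration.api.id
  identifier_uri = "api://${azuread_application_registration.api.client_id}"
}

# Least-privilege delegated scope exposed by the API.
resource "azuread_application_permission_scope" "user_impersonation" {
  application_id             = azuread_application_registration.api.id
  scope_id                   = random_uuid.user_impersonation.result
  value                      = "user_impersonation"
  admin_consent_display_name = "Access example-api"
  admin_consent_description  = "Access example-api on behalf of the signed-in user"
}

# Frontend client that calls the API ...
resource "azuread_application_registration" "frontend" {
  display_name = "example-frontend"
}

resource "azuread_application_api_access" "frontend_to_api" {
  application_id = azuread_application_registration.frontend.id
  api_client_id  = azuread_application_registration.api.client_id
  scope_ids      = [azuread_application_permission_scope.user_impersonation.scope_id]
}

# ... while the API lists the frontend as a known client: frontend -> api -> frontend
# is a cycle at the application level, but not between these per-property resources.
resource "azuread_application_known_clients" "api" {
  application_id   = azuread_application_registration.api.id
  known_client_ids = [azuread_application_registration.frontend.client_id]
}
```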

@manicminer manicminer added this to the v2.44.0 milestone Oct 17, 2023
@manicminer manicminer changed the title from "New Resources: azuread_application_registration, azuread_application_app_role, azuread_application_permission_scope" to "New Resources: azuread_application_registration, azuread_application_from_template and others" Oct 18, 2023
@manicminer manicminer marked this pull request as ready for review October 19, 2023 01:24
@manicminer manicminer requested a review from a team October 19, 2023 01:24
@manicminer

Test results

[Two screenshots of acceptance test results, taken 2023-10-19]


@katbyte katbyte left a comment


Aside from some minor comments LGTM 🌵

@@ -43,7 +44,8 @@ The following attributes are exported:
* `api` - An `api` block as documented below.
* `app_role_ids` - A mapping of app role values to app role IDs, intended to be useful when referencing app roles in other resources in your configuration.
* `app_roles` - A collection of `app_role` blocks as documented below. For more information see [official documentation on Application Roles](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles).
* `application_id` - The Application ID (also called Client ID).
* `application_id` - (Deprecated) The Client ID for the application.
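Review bot: the `(Deprecated)` entry for `application_id` on the last line of this hunk does not name its replacement; since this PR's changelog deprecates `application_id` in favour of `client_id` for `azuread_application`, suggest `* \`application_id\` - (Deprecated) The Client ID for the application. Use \`client_id\` instead.` so readers know what to migrate to.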

should we just remove this like we do in rm as it's deprecated? / should be deprecated in favour of X

* `alternative_names` - A list of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
* `application_id` - The application ID (client ID) of the application associated with this service principal.
* `application_id` - (Deprecated) The client ID of the application associated with this service principal.
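Review bot: the deprecated `application_id` attribute on the last line of this hunk should point readers at `client_id`, which this PR exports for this data source as the replacement; e.g. `... (Deprecated) The client ID of the application associated with this service principal. Use \`client_id\` instead.`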

and here

* `app_role_assignment_required` - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
* `app_role_ids` - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
* `app_roles` - A list of app roles published by the associated application, as documented below. For more information [official documentation](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles).
* `application_tenant_id` - The tenant ID where the associated application is registered.
* `client_id` - (Deprecated) The client ID of the application associated with this service principal.
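Review bot: the last line of this hunk marks `client_id` as deprecated, which inverts the intent stated in this PR's changelog (data.azuread_service_principal: support `client_id`, deprecate `application_id`). This reads like a copy/paste slip; the deprecated entry should be `application_id`, with `client_id` documented separately as the supported attribute.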

and here

* `app_role_assignment_required` - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
* `application_id` - The application ID (client ID) of the application associated with this service principal.
* `application_id` - (Deprecated) The client ID of the application associated with this service principal.
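Review bot: the `(Deprecated)` line for `application_id` in this hunk gives no migration hint; suggest appending `Use \`client_id\` instead.` so the `azuread_service_principal` docs match the changelog entry that introduces `client_id`.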

and here

@@ -324,7 +331,8 @@ The following arguments are supported:
In addition to all arguments above, the following attributes are exported:

* `app_role_ids` - A mapping of app role values to app role IDs, intended to be useful when referencing app roles in other resources in your configuration.
* `application_id` - The Application ID (also called Client ID).
* `application_id` - (Deprecated) The Client ID for the application.
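Review bot: the deprecated `application_id` export on the last line of this hunk should state that `client_id` is the replacement attribute for `azuread_application`, as the changelog does; otherwise users reading only the resource page have no pointer to the new attribute.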

and here

Comment on lines 96 to 97
* `application_id` - (Optional, Deprecated) The client ID of the application for which to create a service principal.
* `client_id` - (Optional) The client ID of the application for which to create a service principal.
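Review bot: `application_id` (Optional, Deprecated) and `client_id` (Optional) describe the same value, but the text does not say that only one should be supplied or which wins when both are set; suggest stating that `client_id` replaces `application_id` and that the two are mutually exclusive (and enforcing that in the schema with `ConflictsWith`).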

and here, etc.

I'd lean towards removal, but at least should indicate client id is replacement

@manicminer manicminer merged commit d750b6d into main Oct 20, 2023
17 checks passed
@manicminer manicminer deleted the r/applications-gen3 branch October 20, 2023 01:44
manicminer added a commit that referenced this pull request Oct 20, 2023
manicminer added a commit that referenced this pull request Oct 20, 2023
dduportal pushed a commit to jenkins-infra/azure that referenced this pull request Oct 25, 2023
Bump Terraform `azuread` provider version

Update Terraform lock file: "hashicorp/azuread" updated from "2.43.0" to "2.44.0" in file ".terraform.lock.hcl"

2.44.0 (changelog retrieved from https://github.com/hashicorp/terraform-provider-azuread/releases/tag/v2.44.0):

* Developer Note: the Typed Resource SDK, as also used in the AzureRM provider, is now the preferred way of introducing new resources (#1188)

FEATURES:

* New Resource: `azuread_authentication_strength_policy` (#1171)
* the ten new `azuread_application_*` resources listed under FEATURES in this PR's changelog, each attributed to #1214

ENHANCEMENTS:

* the `client_id` / `application_id` deprecations listed under ENHANCEMENTS in this PR's changelog, each attributed to #1214
* `azuread_conditional_access_policy` - support for the `authentication_strength_policy_id` property in the `grant_controls` block (#1171)

BUG FIXES:

* `azuread_group_member` - resolve a bug when refreshing state if the group is missing (#1198)

2.44.1 (changelog retrieved from https://github.com/hashicorp/terraform-provider-azuread/releases/tag/v2.44.1):

BUG FIXES:

* `azuread_application_certificate` - work around an unexpected diff with the `application_object_id` property (#1221)
* `azuread_application_federated_identity_credential` - work around an unexpected diff with the `application_object_id` property (#1221)
* `azuread_application_password` - work around an unexpected diff with the `application_object_id` property (#1221)
* `azuread_application_pre_authorized` - work around an unexpected diff with the `application_object_id` property (#1221)


Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
@manicminer

Hi @Israphel, unfortunately I missed these but @PseudoCoding caught them and fixed in #1220. The docs will be updated this week when the release goes out.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 25, 2024