Generic rest API resource and data for msgraph requests #1243

Closed
smokedlinq opened this issue Nov 4, 2023 · 1 comment

@smokedlinq

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Create a resource similar to the azapi resources that let you create/update MSGraph resources using the APIs. This will let us adopt newer APIs that don't yet have explicit resources but use the same underlying authentication of the AzureAD provider.

New or Affected Resource(s)

  • azuread_rest

Potential Terraform Configuration

resource "azuread_rest" "example" {
  method = "PATCH" # default to POST
  path   = "/v1.0/policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}"
  body   = jsonencode(object({...}))
}

data "azuread_rest" "example" {
  path     = "/v1.0/policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}"
  response = ["*"]
}

References

N/A

@manicminer
Contributor

@smokedlinq Thanks for requesting this feature. Whilst on the surface it might seem attractive to have a generic resource that can interact with any API URI, this is against our design principles for a number of reasons.

A core capability of Terraform is the ability to fully manage resources under management, which necessitates awareness of all supported properties, their values, and particularly the business rules and technical semantics around making changes to these values (which are both frequently not straightforward). Generic resources that only represent an API call cannot evaluate the result of the operation and therefore cannot offer any safety or idempotence.

For MS Graph specifically, there are a number of concerns to take into account including authentication (which is supported differently between APIs), order of operations, breaking up of operations into multiple dependent API calls, differing HTTP status codes, different error message structures and what can be inferred from these, and most pointedly issues of eventual consistency and API bugs in general. These are carefully and uniquely coded for in each and every resource that is added to the provider.

There is already an official http data source which can be used to query arbitrary API endpoints, however I would personally contend that any processing (e.g. create, update or delete operations) not yet supported by Terraform should be either added explicitly as a resource (PRs welcome!) or, if your needs warrant it, implemented separately with appropriate business logic.

We are actively working to expand SDK support for Microsoft Graph in a way that we can more easily add resources going forward. Your example of Role Management Policies is an excellent example of a candidate resource for this provider, and is something we'd look to add should a PR be submitted. In the meantime, this would also require the separate addition of support to our current SDK.

Taking the above into account, I'm going to close this issue as something we're not planning to add to the provider. However, please feel free to open separate issues specifically for the resources you are interested in seeing support for, and we'll prioritize these as best we can. Thanks!

@manicminer closed this as not planned Nov 13, 2023
@github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2024
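
Added example, not part of the original thread and not code from the provider: a read-only query of the role management policy path from the request, using the official `http` data source mentioned in the reply. The variable names `graph_access_token` and `role_management_policy_id` are assumptions, and the token is assumed to be obtained outside Terraform.

```hcl
terraform {
  required_providers {
    http = {
      source = "hashicorp/http"
    }
  }
}

# Assumption: a Microsoft Graph access token acquired outside Terraform.
# Marking it sensitive keeps it out of plan output, but it is still written
# to state with the data source's arguments, so use a short-lived token and
# protect the state backend.
variable "graph_access_token" {
  type      = string
  sensitive = true
}

# Assumption: stands in for the {unifiedRoleManagementPolicyId} path segment.
variable "role_management_policy_id" {
  type = string
}

# Read only: the http data source issues a GET and records the response.
# It has no create/update/delete lifecycle, so it cannot manage the policy.
data "http" "role_management_policy" {
  url    = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/${var.role_management_policy_id}"
  method = "GET"

  request_headers = {
    Accept        = "application/json"
    Authorization = "Bearer ${var.graph_access_token}"
  }

  # Fail the plan on an auth or permission error instead of decoding an
  # error document as if it were the policy.
  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "Microsoft Graph did not return HTTP 200 for the policy read."
    }
  }
}

locals {
  # Decoded policy object, available to other expressions in the module.
  role_management_policy = jsondecode(data.http.role_management_policy.response_body)
}
```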