
Setting resource_access using msgraph.oauth2_permission_scope_ids creates an unrecognized permission in Azure #1461

Closed
joachimBurket opened this issue Aug 28, 2024 · 2 comments

Comments

@joachimBurket

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

$ terraform -v
Terraform v1.9.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.53.1

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
terraform {
  required_version = ">= 1.6"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">=2.53.1, <3.0.0"
    }
  }
}

# Get well known MS applications info from hashicorp datasource
data "azuread_application_published_app_ids" "well_known" {}

# MSGraph application info
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}


resource "azuread_application" "example" {
  display_name            = "example"
  sign_in_audience        = "AzureADMyOrg"
  group_membership_claims = ["SecurityGroup"]

  api {
    mapped_claims_enabled          = true
    requested_access_token_version = 2
  }

  web {
    homepage_url  = "https://app.example.net"
    logout_url    = "https://app.example.net/logout"
    redirect_uris = ["https://app.example.net/account"]
  }

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["email"]
      type = "Scope"
    }

    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.ReadWrite.All"]
      type = "Role"
    }
  }
}

Debug Output

None

Panic Output

None

Expected Behavior

The Application should have the email and User.ReadWrite.All API Permissions in Azure AD.

Actual Behavior

The User.ReadWrite.All permission's ID isn't recognized in Azure AD:

[screenshot]

If I manually add the User.ReadWrite.All permission in Azure AD, the wrong permission (with the ID) disappears:

[screenshot]

And if I then run the terraform plan command, it tries to update the permission IDs like this:

$ terraform plan
data.azuread_application_published_app_ids.well_known: Reading...
data.azuread_application_published_app_ids.well_known: Read complete after 0s [id=appIds]
data.azuread_service_principal.msgraph: Reading...
data.azuread_service_principal.msgraph: Read complete after 0s [id=81cb0947-dcc2-4b94-846c-abc63bf4f61c]
azuread_application.example: Refreshing state... [id=/applications/b4cbf5d6-8aee-400f-bae9-b61257eaaf47]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated
with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azuread_application.example will be updated in-place
  ~ resource "azuread_application" "example" {
        id                             = "/applications/b4cbf5d6-8aee-400f-bae9-b61257eaaf47"
        tags                           = []
        # (26 unchanged attributes hidden)

      - required_resource_access {
          - resource_app_id = "00000003-0000-0000-c000-000000000000" -> null

          - resource_access {
              - id   = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0" -> null
              - type = "Scope" -> null
            }
          - resource_access {
              - id   = "741f803b-c850-494e-b5df-cde7c675a1ca" -> null
              - type = "Role" -> null
            }
        }
      + required_resource_access {
          + resource_app_id = "00000003-0000-0000-c000-000000000000"

          + resource_access {
              + id   = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"
              + type = "Scope"
            }
          + resource_access {
              + id   = "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4"
              + type = "Role"
            }
        }

        # (6 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. terraform apply
  2. Go in the created Application in Azure AD, under the API permissions menu

Important Factoids

None

References

None

@nbaju1

nbaju1 commented Aug 29, 2024

User.ReadWrite.All isn't an oauth2 scope, it's an app role.

Change your last entry to this:

    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["User.ReadWrite.All"]
      type = "Role"
    }
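The mix-up above is easy to miss because Microsoft Graph publishes User.ReadWrite.All both as a delegated scope and as an application role, so the `oauth2_permission_scope_ids` lookup succeeds and returns an id that is simply the wrong kind. The following Python check is an added example, not code from this issue or from the azuread provider: it walks `required_resource_access` blocks (in the shape the provider's schema uses: `resource_app_id` plus a list of `{id, type}` entries) and flags every id whose declared `type` does not match the map in which the service principal publishes it. The service principal catalogue and the two configurations are constructed here; the three ids are the ones from the plan output in the issue. `build_required_resource_access` shows the corrected lookup, delegated permissions from `oauth2_permission_scope_ids` and application permissions from `app_role_ids`.

```python
"""Lint required_resource_access entries against a service principal's published
permissions. Hypothetical helper written for this issue, not part of the provider.

Rule: an id taken from oauth2_permission_scope_ids must be declared with type "Scope";
an id taken from app_role_ids must be declared with type "Role". Anything else is
either a delegated/application mix-up or an id Azure will show as unrecognized."""

# Constructed catalogue for the Microsoft Graph service principal, shaped like the
# provider's oauth2_permission_scope_ids / app_role_ids maps. Only the three ids that
# appear in the issue's plan output are included; the real maps are far larger.
MSGRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
CATALOGUE = {
    MSGRAPH_APP_ID: {
        "oauth2_permission_scope_ids": {
            "email": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
            "User.ReadWrite.All": "741f803b-c850-494e-b5df-cde7c675a1ca",  # delegated
        },
        "app_role_ids": {
            "User.ReadWrite.All": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4",  # application
        },
    }
}


def lint_required_resource_access(blocks, catalogue=CATALOGUE):
    """Return a list of findings (empty list = every (id, type) pair is consistent)."""
    findings = []
    for block in blocks:
        app_id = block["resource_app_id"]
        sp = catalogue.get(app_id)
        if sp is None:
            findings.append(f"{app_id}: resource app not in catalogue, cannot validate")
            continue
        # Invert the name->id maps so we can name the permission an id belongs to.
        scope_by_id = {v: k for k, v in sp["oauth2_permission_scope_ids"].items()}
        role_by_id = {v: k for k, v in sp["app_role_ids"].items()}
        for access in block["resource_access"]:
            pid, ptype = access["id"], access["type"]
            if ptype == "Scope" and pid in scope_by_id:
                continue
            if ptype == "Role" and pid in role_by_id:
                continue
            if ptype == "Role" and pid in scope_by_id:
                name = scope_by_id[pid]
                findings.append(
                    f"{pid} is the delegated scope {name!r} but is declared as type Role; "
                    f"look it up in app_role_ids[{name!r}] instead"
                )
            elif ptype == "Scope" and pid in role_by_id:
                name = role_by_id[pid]
                findings.append(
                    f"{pid} is the app role {name!r} but is declared as type Scope; "
                    f"look it up in oauth2_permission_scope_ids[{name!r}] instead"
                )
            elif ptype not in ("Scope", "Role"):
                findings.append(f"{pid}: unknown type {ptype!r} (expected Scope or Role)")
            else:
                findings.append(f"{pid}: not a published permission of {app_id}")
    return findings


def build_required_resource_access(app_id, delegated=(), application=(), catalogue=CATALOGUE):
    """Build a consistent block from permission names: delegated names are resolved
    through oauth2_permission_scope_ids, application names through app_role_ids.
    A name missing from its map raises KeyError, as the Terraform index would."""
    sp = catalogue[app_id]
    access = [{"id": sp["oauth2_permission_scope_ids"][n], "type": "Scope"} for n in delegated]
    access += [{"id": sp["app_role_ids"][n], "type": "Role"} for n in application]
    return [{"resource_app_id": app_id, "resource_access": access}]


# Constructed copy of the issue's configuration: the second entry uses the delegated
# scope id of User.ReadWrite.All with type "Role", which is exactly the bug reported.
ISSUE_BLOCKS = [
    {
        "resource_app_id": MSGRAPH_APP_ID,
        "resource_access": [
            {"id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", "type": "Scope"},
            {"id": "741f803b-c850-494e-b5df-cde7c675a1ca", "type": "Role"},
        ],
    }
]

# The corrected configuration from the reply, built by name.
FIXED_BLOCKS = build_required_resource_access(
    MSGRAPH_APP_ID, delegated=["email"], application=["User.ReadWrite.All"]
)

if __name__ == "__main__":
    for label, blocks in (("issue", ISSUE_BLOCKS), ("fixed", FIXED_BLOCKS)):
        print(label, lint_required_resource_access(blocks) or "OK")
```

Run it against the JSON of `terraform show -json plan.out` (the `required_resource_access` list of an `azuread_application` resource has this shape) to catch a delegated/application mix-up before `apply` creates a permission entry the portal cannot name.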

@joachimBurket
Author

Oh! My bad, I hadn't realized it! Thanks a lot for the quick answer! :)
