
plan does not find old named locations, tries to deploy /identity/conditionalAccess/namedLocations/xxxxxxxxxxx #1504

Open
mirone85 opened this issue Sep 29, 2024 · 15 comments

Comments

@mirone85

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

3.0.0 and 3.0.1

Affected Resource(s)

  • azuread_named_location

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

Terraform should find the GUID of the existing named location.

Actual Behavior

terraform plan tries to install a new named location in this form: /identity/conditionalAccess/namedLocations/xxxxxx

Steps to Reproduce

Go to Azure AD provider 3.0.0 or 3.0.1, edit an existing named location (for example, by adding a new IP), and run terraform plan.

  1. terraform apply

Important Factoids

References

  • #0000
@bubbletroubles
Contributor

bubbletroubles commented Sep 30, 2024

Some more info (I'm having the same problem). @manicminer is this related to #1497 ?

Terraform Plan when using the AzureAD 3.x provider detects changes

 # azuread_conditional_access_policy.policy-name-here will be updated in-place
  ~ resource "azuread_conditional_access_policy" "policy-name-here" {
        id           = "/identity/conditionalAccess/policies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        # (3 unchanged attributes hidden)

      ~ conditions {
            # (4 unchanged attributes hidden)

          ~ locations {
              ~ excluded_locations = [
                  - "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                  + "/identity/conditionalAccess/namedLocations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                ]
                # (1 unchanged attribute hidden)
            }

            # (4 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

The Terraform Apply outputs

╷
│ Error: Could not update conditional access policy with ID: "/identity/conditionalAccess/policies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
│ 
│   with azuread_conditional_access_policy.policy-name-here,
│   on file-name.tf line 11, in resource "azuread_conditional_access_policy" "policy-name-here":
│   11: resource "azuread_conditional_access_policy" "policy-name-here" {
│ 
│ unexpected status 400 (400 Bad Request) with error: BadRequest: 1040:
│ NamedLocation with id
│ /identity/conditionalAccess/namedLocations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
│ does not exist in the directory.
╵

@enorlando

enorlando commented Sep 30, 2024

We are also having this issue

  # azuread_conditional_access_policy.xx will be updated in-place
  ~ resource "azuread_conditional_access_policy" "xx" {
        id           = "/identity/conditionalAccess/policies/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        # (3 unchanged attributes hidden)

      ~ conditions {
            # (4 unchanged attributes hidden)

          ~ locations {
              ~ excluded_locations = [
                  ~ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -> "/identity/conditionalAccess/namedLocations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                ]
                # (1 unchanged attribute hidden)
            }

            # (3 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

@manicminer
Contributor

Thanks for the report - presuming that the UUIDs match, I'll see if I can put in some diff suppression for that.

@bubbletroubles
Contributor

Yes, the UUIDs match.

@mirone85
Author

mirone85 commented Oct 2, 2024

Is there any feedback?

@enorlando

@manicminer any update on when this will get resolved?

@mirone85
Author

mirone85 commented Oct 4, 2024

Is there any feedback on when this will be resolved?

@mirone85
Author

mirone85 commented Oct 6, 2024

Any update on when this will be resolved?

@enorlando

Hi @manicminer, do we have any eta on a fix for this please?

@bubbletroubles
Contributor

@manicminer

Hopefully this adds a bit of context as to why people keep asking about this one. Basically, it's a bug which has broken our ability to apply Conditional Access, and we can't go back to AzureAD 2.x either.

We tried to use the AzureAD v3 provider on our Conditional Access policies. During the Apply phase, it upgraded the named locations. However, we are now stuck due to this bug.

The Apply won't successfully complete (see #1504 (comment) for details). However, the Apply also upgraded the "Named Locations". This means we can't go back to AzureAD 2.x provider.

Error when trying to revert back to AzureAD 2.x

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Resource instance managed by newer provider version
│ 
│ The current state of
│ module.conditional_access.azuread_named_location.<named-location-name>
│ was created by a newer provider version than is currently selected. Upgrade
│ the azuread provider to work with this state.

Hoping this can be fixed soon!

@bn-jswick

This is my workaround for the change in format of the id parameter on the azuread_named_location resource and a lack of object_id parameter.

element(split("/", azuread_named_location.pipeline_agents.id), 4)

In use:

resource "azuread_conditional_access_policy" "tf_spn" {
  display_name = "Terraform Service Principal Network Location"
  state        = "enabled"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    client_applications {
      included_service_principals = [local.terraform_spn_object_id]
      excluded_service_principals = []
    }

    locations {
      # Work around for https://github.com/hashicorp/terraform-provider-azuread/issues/1504
      excluded_locations = [element(split("/", azuread_named_location.pipeline_agents.id), 4)]
      included_locations = ["All"]
    }

    users {
      included_users = ["None"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}

@ekbaramundi

Bump

@enorlando

@manicminer do we have any eta on this one?

@sdx-jkataja

sdx-jkataja commented Oct 30, 2024

Different resources in the Azure AD provider seem to accept ID in either /identity/path/to/UUID path or UUID syntax (see other issues).

Also experiencing the issue. In debug logs I can see that POST to
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies returns HTTP/2.0 400 Bad Request with the following error:

{
  "error": {
    "code": "BadRequest",
    "message": "1040: NamedLocation with id /identity/conditionalAccess/namedLocations/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa does not exist in the directory.",
    "innerError": {
      "date": "2024-10-29T16:10:00",
      "request-id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "client-request-id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    }
  }
}

@DevopsMercenary

I've been using the replace function... @bn-jswick

      excluded_locations = [replace(azuread_named_location.trusted-countries.id, "//identity/conditionalAccess/namedLocations//", "")]
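
Both workarounds in this thread (the `element(split(...))` form and the `replace(...)` form) do the same thing: strip the `/identity/conditionalAccess/namedLocations/` prefix that the 3.x provider now puts in `azuread_named_location.id` so that the bare UUID Graph expects is what ends up in `excluded_locations`. The diff suppression the maintainer mentions is the same normalization applied on the comparison side. The Go program below is an added illustration written for this page, not code from terraform-provider-azuread: it normalizes either spelling to a UUID, rejects anything that is neither (so a malformed reference fails locally instead of as the Graph `400 ... does not exist in the directory` seen above), and uses that to decide whether a state value and a config value refer to the same location. The prefix constant is taken from the plan output above; the UUIDs in `main` are constructed samples; the `All`/`AllTrusted` pass-through reflects Graph's keyword location values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Resource-path form that the AzureAD 3.x provider emits for
// azuread_named_location.id (the prefix visible in the plan output above).
const namedLocationPrefix = "/identity/conditionalAccess/namedLocations/"

// Bare UUID form that Graph accepts in includedLocations / excludedLocations.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// NormalizeNamedLocationID reduces either spelling of a named location reference
// (bare UUID or /identity/conditionalAccess/namedLocations/<uuid>) to a lower-case
// UUID. Graph's keyword values pass through unchanged. Anything else is rejected,
// so a malformed reference is caught before it is sent to Graph.
func NormalizeNamedLocationID(id string) (string, error) {
	v := strings.TrimSpace(id)
	// "All" appears in the configs above; "AllTrusted" is Graph's other keyword.
	if v == "All" || v == "AllTrusted" {
		return v, nil
	}
	v = strings.TrimPrefix(v, namedLocationPrefix)
	if !uuidRe.MatchString(v) {
		return "", fmt.Errorf("named location %q is neither a UUID nor a %s<uuid> path", id, namedLocationPrefix)
	}
	return strings.ToLower(v), nil
}

// NamedLocationIDsEqual is the diff-suppression predicate: the value in state and
// the value in config describe the same location when both normalize to one UUID.
func NamedLocationIDsEqual(oldID, newID string) bool {
	a, errA := NormalizeNamedLocationID(oldID)
	b, errB := NormalizeNamedLocationID(newID)
	return errA == nil && errB == nil && a == b
}

// ToGraphLocations converts a list of references from config into the form that
// would be sent to Graph, stopping at the first malformed entry.
func ToGraphLocations(refs []string) ([]string, error) {
	out := make([]string, 0, len(refs))
	for _, r := range refs {
		id, err := NormalizeNamedLocationID(r)
		if err != nil {
			return nil, err
		}
		out = append(out, id)
	}
	return out, nil
}

func main() {
	// Constructed sample mirroring the spurious change shown in the plans above.
	stateValue := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
	configValue := namedLocationPrefix + "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
	fmt.Println("same location, suppress diff:", NamedLocationIDsEqual(stateValue, configValue))

	graphIDs, err := ToGraphLocations([]string{configValue, "All"})
	fmt.Println("sent to Graph:", graphIDs, "err:", err)
}
```

Run it with `go run .`; the first line prints `true`, and the second shows the bare UUID and `All`, which is the payload shape the two HCL workarounds produce by hand.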
