🐛azuread_access_package_assignment_policy failes when approval_stage is set (after azuread upgrade)

[kristeey]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

• terraform version: 1.7.4
• azuread version: 3.0.2 (upgraded from azuread version: 2.51.0)

Affected Resource(s)

• azuread_access_package_assignment_policy

Terraform Configuration Files

Terraform code

resource "azuread_access_package_assignment_policy" "default-policy" {
  for_each          = var.groups
  access_package_id = azuread_access_package.access_package[each.key].id
  display_name      = "Terraform managed policy"
  description       = "Policy created by terraform."
  duration_in_days  = 365
  extension_enabled = each.value.extension_enabled

  requestor_settings {
    scope_type        = "SpecificDirectorySubjects"
    requests_accepted = true
    dynamic "requestor" {
      for_each = each.value.requestors
      content {
        object_id    = requestor.value.object_id
        subject_type = requestor.value.subject_type
      }
    }
  }

  approval_settings {
    approval_required                = each.value.approval_required
    approval_required_for_extension  = each.value.approval_required_for_extension
    requestor_justification_required = true
    dynamic "approval_stage" {
      for_each = each.value.approval_required ? [1] : []
      content {
        approval_timeout_in_days = each.value.approval_timeout_in_days
        primary_approver {
          object_id    = each.value.approver != null ? each.value.approver : azuread_group.groups[each.key].object_id
          subject_type = "groupMembers"
        }
        alternative_approval_enabled        = true
        enable_alternative_approval_in_days = ceil(2 * each.value.approval_timeout_in_days / 3)
        alternative_approver {
          object_id    = each.value.alternative_approver
          subject_type = "groupMembers"
        }
      }
    }
  }
}

Terraform Plan

# module.aad["some-sub-prod-01"].azuread_access_package_assignment_policy.default-policy["owner"] will be created
  + resource "azuread_access_package_assignment_policy" "default-policy" {
      + access_package_id = (known after apply)
      + description       = "Policy created by terraform."
      + display_name      = "Terraform managed policy"
      + duration_in_days  = 365
      + extension_enabled = true
      + id                = (known after apply)

      + approval_settings {
          + approval_required                = true
          + approval_required_for_extension  = true
          + requestor_justification_required = true

          + approval_stage {
              + alternative_approval_enabled        = true
              + approval_timeout_in_days            = 14
              + enable_alternative_approval_in_days = 10

              + alternative_approver {
                  + object_id    = "xxxx"
                  + subject_type = "groupMembers"
                }

              + primary_approver {
                  + object_id    = "xxxx"
                  + subject_type = "groupMembers"
                }
            }
        }

      + requestor_settings {
          + requests_accepted = true
          + scope_type        = "SpecificDirectorySubjects"

          + requestor {
              + object_id    = "xxxx"
              + subject_type = "groupMembers"
            }
        }
    }

Panic Output

Error: Creating access package assignment policy "Terraform managed policy"

  with module.aad["some-sub-prod-01"].azuread_access_package_assignment_policy.default-policy["owner"],
  on modules/aad/main.tf line 114, in resource "azuread_access_package_assignment_policy" "default-policy":
 114: resource "azuread_access_package_assignment_policy" "default-policy" {

unexpected status 400 (400 Bad Request) with error: ArgumentNullException:
Value cannot be null.
Parameter name: source

Expected Behavior

Access package assignment policy to get created as before the upgrade.

Actual Behavior

Creation failes with the error message above. The resource is setting approval_settings.approval_stage. A different resource that does not include this is successfully created, so there might be something fishy about that section.

Steps to Reproduce

1. terraform apply

[kristeey]

@manicminer

[pauliusmiskinis]

Issue is directly related to secondary/backup approvers. It now looks for escalation_approver instead of alternative_approver when crafting the graph payload, but it's not an expected block according to the resource

[JoshuaGlassKainos]

Are there any updates on this, I had an assignment work on initial deployment and after re-run it fails with the same error.