Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
provider version 2.53.1
Affected Resource(s)
azuread_application_pre_authorized
Terraform Configuration Files
```hcl
# This null_resource adds clients for which there is no app registration. Thus, we can't use
# "azuread_application_pre_authorized" for them; they still need to be allowed to call a certain
# scope on the "target_app".
resource "null_resource" "patched_app_reg" {
  triggers = {
    scope_1 = lookup(<target_app>, "scope1", <tenant>)
    scope_2 = lookup(<target_app>, "scope2", <tenant>)
  }

  provisioner "local-exec" {
    interpreter = ["pwsh", "-Command"]
    command     = <<EOF
az rest --method Patch --uri "https://graph.microsoft.com/v1.0/applications/<target_app>" --headers 'Content-Type=application/json' --body '{"api": {"preAuthorizedApplications": [{"appId": <some_guid_1>, "delegatedPermissionIds": ["${lookup(<all_scope_id_lookup>, "scope1", <tenant>)}"]},{"appId": <some_guid_2>, "delegatedPermissionIds": ["${lookup(<all_scope_id_lookup>, "scope1", <tenant>)}"]},{"appId": <some_guid_3>, "delegatedPermissionIds": ["${lookup(<all_scope_id_lookup>, "scope1", <tenant>)}"]}]}}'
EOF

    environment = {
      POWERSHELL_TELEMETRY_OPTOUT = 1
    }
  }
}

resource "azuread_application_pre_authorized" "new_app_reg" {
  application_object_id = <target_app>
  authorized_client_id  = <some_guid_with_app_reg>
  permission_ids        = [lookup(<scope_lookup>, "scope1", <tenant>)]
}
```
Expected Behavior
Both the "null_resource" and the "azuread_application_pre_authorized" add pre_authorized clients to the "target_app". When the "azuread_application_pre_authorized.new_app_reg" is deleted, the "null_resource" added ones are not touched.
Actual Behavior
When "azuread_application_pre_authorized.new_app_reg" is removed, all four pre_authorized clients are deleted: not only the single one managed through it, but also the Azure CLI patched ones.
Steps to Reproduce
TF apply the above (with real values I cannot state)
Important Factoids
As stated in the comment above, we have to use the null_resource for three / multiple clients as there is no app registration available for them. We must use Azure CLI to pre_authorize them as we can't grant the permission needed through "app registration -> api permission" and consent to it.
@l33tCod-er Does the out-of-band pre-authorized app entry have the same client ID as the TF managed one? During removal, pre-authorized apps in the manifest are matched against the client ID and are only removed when it matches.
@manicminer No, they are disjoint. The non-TF (null resource) managed client IDs are not the same as the TF managed ones. The reason we have the non-TF managed ones (null resource) is that there is no app registration in our tenant for them. Using "azuread_application_pre_authorized" fails for them for that reason.
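The behaviour the maintainer describes (remove only the entry whose client ID matches, leave the rest of `preAuthorizedApplications` untouched) and the behaviour the reporter observed (all four entries gone) differ in whether the write is a read-modify-write of the manifest or a wholesale replacement of the array. The following is an added example, not code from the AzureAD provider or from this issue: it models the correct per-client removal over a constructed manifest `api` section, builds the PATCH body the way the reporter's own `az rest` call does (carrying every surviving entry, since the Graph PATCH replaces the collection), and adds a drift check a practitioner can run against GET output captured before and after an apply to detect out-of-band pre-authorizations that an apply clobbered. All GUIDs below are made up.

```python
"""Added example (not provider or project code): per-client removal of a
pre-authorized application from a Graph application manifest, plus a drift
check that flags entries an apply removed without owning them."""
import json
from typing import Dict, List

# Constructed sample of the `api` section of a Graph application object, shaped
# like the `api` part of GET /v1.0/applications/{id}. GUIDs are made up.
OWNED_CLIENT_ID = "44444444-4444-4444-4444-444444444444"
SCOPE_ID = "aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE_API_SECTION: Dict = {
    "preAuthorizedApplications": [
        # Three entries added out of band (the reporter's null_resource case).
        {"appId": "11111111-1111-1111-1111-111111111111", "delegatedPermissionIds": [SCOPE_ID]},
        {"appId": "22222222-2222-2222-2222-222222222222", "delegatedPermissionIds": [SCOPE_ID]},
        {"appId": "33333333-3333-3333-3333-333333333333", "delegatedPermissionIds": [SCOPE_ID]},
        # The single entry the Terraform resource owns.
        {"appId": OWNED_CLIENT_ID, "delegatedPermissionIds": [SCOPE_ID]},
    ]
}


def remove_pre_authorized(api_section: Dict, client_id: str) -> List[Dict]:
    """Return a new preAuthorizedApplications list with only `client_id` removed.
    Entries with any other appId, including ones Terraform never created, are kept."""
    current = api_section.get("preAuthorizedApplications", [])
    return [entry for entry in current if entry.get("appId") != client_id]


def build_patch_body(api_section: Dict, client_id: str) -> str:
    """JSON body for PATCH /applications/{id}. The collection is replaced as a
    whole, so the body must carry every entry that should survive, exactly as
    the reporter's az rest call lists all three of its clients."""
    remaining = remove_pre_authorized(api_section, client_id)
    return json.dumps({"api": {"preAuthorizedApplications": remaining}})


def removed_app_ids(before: Dict, after: Dict) -> List[str]:
    """appIds present in the manifest before an apply and missing afterwards."""
    before_ids = {e["appId"] for e in before.get("preAuthorizedApplications", [])}
    after_ids = {e["appId"] for e in after.get("preAuthorizedApplications", [])}
    return sorted(before_ids - after_ids)


def unexpected_removals(before: Dict, after: Dict, owned_client_id: str) -> List[str]:
    """Drift check: removed entries the resource did not own. A non-empty result
    means the apply deleted out-of-band pre-authorizations."""
    return [a for a in removed_app_ids(before, after) if a != owned_client_id]


if __name__ == "__main__":
    # Correct removal: only the owned client disappears.
    correct_after = {"preAuthorizedApplications": remove_pre_authorized(SAMPLE_API_SECTION, OWNED_CLIENT_ID)}
    print("unexpected removals (correct apply):", unexpected_removals(SAMPLE_API_SECTION, correct_after, OWNED_CLIENT_ID))
    # Clobbered manifest, as in the reported behaviour: the array ends up empty.
    clobbered_after = {"preAuthorizedApplications": []}
    print("unexpected removals (clobbered apply):", unexpected_removals(SAMPLE_API_SECTION, clobbered_after, OWNED_CLIENT_ID))
    print("PATCH body:", build_patch_body(SAMPLE_API_SECTION, OWNED_CLIENT_ID))
```

To use the drift check against a real tenant, capture `az rest --method Get --uri https://graph.microsoft.com/v1.0/applications/<object_id>` before and after `terraform apply`, load the `api` sections with `json.load`, and pass them to `unexpected_removals` with the client ID the Terraform resource manages; any ID it returns is an out-of-band pre-authorization the apply removed.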