Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Removal of "azuread_application_pre_authorized" also removes pre-existing pre-authorized clients not managed by Terraform #1584

Open
l33tCod-er opened this issue Dec 9, 2024 · 4 comments

Comments

@l33tCod-er
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • provider version 2.53.1

Affected Resource(s)

  • azuread_application_pre_authorized

Terraform Configuration Files

# This null_resource adds clients for which there is no app registration. Thus, we can't use "azuread_application_pre_authorized" for them, anyway, the need to be allowed to access call a certain scope on the "target_app"
resource "null_resource" "patched_app_reg" {
  triggers = {
    scope_1 = lookup(<target_app>, "scope1", <tenant>)
    scope_2 = lookup(<target_app>, "scope2", <tenant>)
  }

  provisioner "local-exec" {
    interpreter = ["pwsh", "-Command"]
    command     = <<EOF
        az rest --method Patch --uri "https://graph.microsoft.com/v1.0/applications/<target_app>" --headers 'Content-Type=application/json' --body '{"api": {"preAuthorizedApplications": [{"appId": <some_guid_1>, "delegatedPermissionIds": [<all_scope_id_lookup>, "scope1", <tenant>)}"]},{"appId": <some_guid_2>, "delegatedPermissionIds": [<all_scope_id_lookup>, "scope1", <tenant>)}"]},{"appId": <some_guid_3>, "delegatedPermissionIds": [<all_scope_id_lookup>, "scope1", <tenant>)}"]}]}}'
EOF

    environment = {
      POWERSHELL_TELEMETRY_OPTOUT = 1
    }
  }
}

resource "azuread_application_pre_authorized" "new_app_reg" {
  application_object_id = <target_app>
  authorized_client_id  = <some_guid_with_app_reg>
  permission_ids        = [<scope_lookup>, "scope1", <tenant>)]
}

Expected Behavior

Both the "null_resource" and the "azuread_application_pre_authorized" add pre_authorized clients to the "target_app". When the "azuread_application_pre_authorized.new_app_reg" is deleted, the "null_resource" added ones are not touched.

Actual Behavior

When "azuread_application_pre_authorized.new_app_reg" is removed, all four pre_authorized clients are deleted, not only the single managed one through it, but also the azure cli patched ones.

Steps to Reproduce

  1. TF apply the above (with real values I cannot state)
  2. Remove azuread_application_pre_authorized.new_app_reg
  3. TF apply
  4. All pre_authorized clients are gone

Important Factoids

As stated in the comment above, we have to use the null_resource for three / multiple clients as there is no app registration available for them. We must use azure cli to pre_authorize them has we can't grant the permission needed through "app registration -> api permission" and consent to it.

@l33tCod-er
Copy link
Author

Same seems to be true with "azuread_application_pre_authorized" only: added three, deleted one - and in the end, only a single one was preserved

@manicminer
Copy link
Contributor

@l33tCod-er Does the out-of-bound pre-authorized app entry have the same client ID as the TF managed one? During removal, pre-authorized apps in the manifest are matched against the client ID and are only removed when it matches.

@l33tCod-er
Copy link
Author

@manicminer No, they are disjoint. The non-TF (null resource) managed client IDs are not the same as the TF managed ones. The reason we have the non-TF managed ones (null resource) is that there is no app registration in our tenant for them. Using "azuread_application_pre_authorized" falls for them for that reason.

@l33tCod-er
Copy link
Author

Amy update on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants