-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DirectoryObjects.BaseClient.Get() 403 during assigning the owners for azuread_application #703
Comments
Hi @tsologub, thanks for the detailed report. This possibly requires I'm planning some work to improve the enumeration of members/owners across the provider, as whilst our current approach was initially robust, there have been a number of API changes which cause incidental issues. |
Yes, I have tested and can confirm. Adding
Yes, the error goes away.
Funny thing, but no. This set of permissions is sufficient to set as an owner any service principal. But if I want to set a user, as owner... the good old 403 appears. |
Thanks @tsologub, that correlates with my expectations. With a default configuration, service principals are readable by anyone. I'll factor this in and see what I can come up with. We need to improve our testing with minimal permission grants to try and catch these earlier, but I believe we'll be able to resolve this. |
I was trying to implement this one on my own and dug deeper into this. Have some findings that I'd like to share. First, I found the code line which causes this behavior. Of course, when we make a During
The provisioning succeeds if I remove the Does this mean that Azure AD performs a p.s. Do you think we can update hamilton here to |
@manicminer As I've mentioned in this comment #713 (comment), the #713 doesn't solve this issue. I didn't fully get why the PR was merged. 😮 Could you reproduce it on your side? What is the solution? |
Hi @tsologub, the PR made sense to merge even if it did not necessarily fix the issue, although I intended to not close the issue - so I've reopened it. Sorry about that :) |
@manicminer I have noticed that it works if one populates the Mapping my words onto code - https://github.com/tsologub/terraform-provider-azuread/pull/1/files In that example, all the owners (except for calling service principal) are added via the |
@tsologub Thanks for the information on the workaround. I have noticed several times when creating applications with no specified owners, that sometimes the app will be auto-assigned the caller as owner but other times will be created with no owners at all. Given this, and that it seems the API behavior is changing WRT ownership, I'm hesitant to change the way we assign owners at this time, but will revisit when we have more information in the near future. |
any updates or next steps about this? near future is a bit opaque. |
To get us unblocked, we went with including in |
@tsologub tnx for the suggestion. The work-around on my end is to perform 2 consecutive TF runs. One with The Service Principal used had following rights: |
The provider documentation mentions |
Just to follow up on this issue; as I mentioned previously we're hesitant to change the behavior of the With that in mind, we're creating a new set of resources that approach application management somewhat differently. These will be smaller in scope, allowing practitioners to select the functionality they want and obtain additional functionality not afforded by the existing resource. Accordingly I've linked this issue to #1214 and it will be closed as resolved shortly. Our recommendation will be to consider adopting the soon-to-be-introduced |
Community Note
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_application
Terraform Configuration Files
Debug Output
https://gist.github.com/tsologub/9d28a1f8100948ea8903d1e15715e405
Expected Behavior
According to this note, I expect the
Application.ReadWrite.OwnedBy
should be sufficient to populate theowners
.The authenticated service principal has owners. The new application will receive as owners the authenticated service principal plus its owners.
Actual Behavior
Steps to Reproduce
terraform apply
Important Factoids
Observing the
GET
requests from the debug output, I can see that the.../directoryObjects/...
endpoint is being used.I don't understand why for
GET https://graph.microsoft.com/v1.0/<tenant_id>/directoryObjects/<object_id_from_authenticated_service_principal>
returns the 200. And forGET /v1.0/<tenant-id>/directoryObjects/<human_object_id_who_is_the_owner_of_authenticated_service_principal>
returns 403.I have double-checked all the object IDs. They are correct.
Everything is working if I include only the authenticated service principal in
owners
.The text was updated successfully, but these errors were encountered: