From eaa35c797bed9e6c52cad0dba4af50b8e2ccd780 Mon Sep 17 00:00:00 2001 From: Joakim Bakke Hellum Date: Mon, 10 Jun 2019 02:04:08 +0200 Subject: [PATCH 1/3] azuread_service_principal: export the `oauth2_permissions` property --- azuread/data_service_principal.go | 53 +++++++++++++++++++ azuread/data_service_principal_test.go | 2 + .../docs/d/service_principal.html.markdown | 22 ++++++++ 3 files changed, 77 insertions(+) diff --git a/azuread/data_service_principal.go b/azuread/data_service_principal.go index e9b8afa860..39620e964f 100644 --- a/azuread/data_service_principal.go +++ b/azuread/data_service_principal.go @@ -38,6 +38,55 @@ func dataServicePrincipal() *schema.Resource { ValidateFunc: validate.UUID, ConflictsWith: []string{"object_id", "display_name"}, }, + + "oauth2_permissions": { + Type: schema.TypeList, + Optional: true, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "admin_consent_description": { + Type: schema.TypeString, + Computed: true, + }, + + "admin_consent_display_name": { + Type: schema.TypeString, + Computed: true, + }, + + "id": { + Type: schema.TypeString, + Computed: true, + }, + + "is_enabled": { + Type: schema.TypeBool, + Computed: true, + }, + + "type": { + Type: schema.TypeString, + Computed: true, + }, + + "user_consent_description": { + Type: schema.TypeString, + Computed: true, + }, + + "user_consent_display_name": { + Type: schema.TypeString, + Computed: true, + }, + + "value": { + Type: schema.TypeString, + Computed: true, + }, + }, + }, + }, }, } } @@ -126,5 +175,9 @@ func dataSourceActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta d.Set("display_name", sp.DisplayName) d.Set("object_id", sp.ObjectID) + if oauth2Permissions, ok := sp.AdditionalProperties["oauth2Permissions"].([]interface{}); ok { + d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(oauth2Permissions)) + } + return nil } 
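Review bot: The schema hunk in dataServicePrincipal declares `oauth2_permissions` as `Optional: true` together with `Computed: true`, but this is a data source output whose nested fields are all Computed-only, so a user value written in config is never read and is silently ignored. Keeping `Computed: true` alone states the read-only contract and lets the SDK reject a stray configuration block instead of accepting it. Whether the existing `oauth2_permissions` attribute on the application data source uses the same Optional+Computed shape is not visible in this hunk.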
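Review bot: The new `d.Set` in dataSourceActiveDirectoryServicePrincipalRead passes the `[]interface{}` pulled out of `sp.AdditionalProperties["oauth2Permissions"]` to `flattenADApplicationOauth2Permissions`, whose signature elsewhere in this series is `func flattenADApplicationOauth2Permissions(in *[]graphrbac.OAuth2Permission)`; as written the call does not type-check, and it re-decodes an untyped map that the SDK model already parses. If `graphrbac.ServicePrincipal` exposes a typed `Oauth2Permissions` field (the third patch reads `sp.Oauth2Permissions`), use it: `if err := d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(sp.Oauth2Permissions)); err != nil { return fmt.Errorf("Error setting oauth2_permissions: %+v", err) }`. Discarding the `d.Set` error matches the two calls above it, but returning it is what the application data source does. The enclosing function starts before this hunk.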
diff --git a/azuread/data_service_principal_test.go b/azuread/data_service_principal_test.go index f0a166d287..d145e9ea21 100644 --- a/azuread/data_service_principal_test.go +++ b/azuread/data_service_principal_test.go @@ -24,6 +24,8 @@ func TestAccAzureADServicePrincipalDataSource_byApplicationId(t *testing.T) { resource.TestCheckResourceAttrSet(dataSourceName, "application_id"), resource.TestCheckResourceAttrSet(dataSourceName, "object_id"), resource.TestCheckResourceAttrSet(dataSourceName, "display_name"), + resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.#", "1"), + resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Access %s", fmt.Sprintf("acctestspa%s", id))), ), }, }, diff --git a/website/docs/d/service_principal.html.markdown b/website/docs/d/service_principal.html.markdown index c11ba4f923..0311777ab1 100644 --- a/website/docs/d/service_principal.html.markdown +++ b/website/docs/d/service_principal.html.markdown 
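Review bot: The new check on `oauth2_permissions.0.admin_consent_description` pins prose that the test configuration does not set; the expected string has to be rewritten in the third patch of this series, which shows it is produced on the service side rather than controlled by the test. Assert on what the fixture owns instead, e.g. `resource.TestCheckResourceAttrSet(dataSourceName, "oauth2_permissions.0.id")` and `resource.TestCheckResourceAttrSet(dataSourceName, "oauth2_permissions.0.value")`, keeping the `oauth2_permissions.#` count. The nested `fmt.Sprintf("Access %s", fmt.Sprintf("acctestspa%s", id))` also collapses to `fmt.Sprintf("Access acctestspa%s", id)`. The enclosing test function starts before this hunk.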
@@ -49,8 +49,30 @@ The following arguments are supported: -> **NOTE:** At least one of `application_id`, `display_name` or `object_id` must be specified. +* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below. + ## Attributes Reference The following attributes are exported: * `id` - The Object ID for the Service Principal. + +--- + +`oauth2_permission` block exports the following: + +* `id` - The unique identifier for one of the `OAuth2Permission` + +* `type` - The type of the permission + +* `admin_consent_description` - The description of the admin consent + +* `admin_consent_display_name` - The display name of the admin consent + +* `is_enabled` - Is this permission enabled? + +* `user_consent_description` - The description of the user consent + +* `user_consent_display_name` - The display name of the user consent + +* `value` - The name of this permission From be150ea554a1a15759853ff677615185a83dda5a Mon Sep 17 00:00:00 2001 From: Joakim Bakke Hellum Date: Mon, 10 Jun 2019 04:11:28 +0200 Subject: [PATCH 2/3] export `oauth2_permissions` property (resource) --- azuread/data_service_principal.go | 2 +- azuread/resource_service_principal.go | 92 +++++++++++++++++++ azuread/resource_service_principal_test.go | 2 + .../docs/r/service_principal.html.markdown | 22 +++++ 4 files changed, 117 insertions(+), 1 deletion(-) diff --git a/azuread/data_service_principal.go b/azuread/data_service_principal.go index 39620e964f..a470d0b537 100644 --- a/azuread/data_service_principal.go +++ b/azuread/data_service_principal.go 
@@ -176,7 +176,7 @@ func dataSourceActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta
d.Set("object_id", sp.ObjectID)
if oauth2Permissions, ok := sp.AdditionalProperties["oauth2Permissions"].([]interface{}); ok {
- d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(oauth2Permissions))
+ d.Set("oauth2_permissions", flattenServicePrincipalOauth2Permissions(oauth2Permissions))
}
return nil
diff --git a/azuread/resource_service_principal.go b/azuread/resource_service_principal.go
index fcf0b6e7be..711a171012 100644
--- a/azuread/resource_service_principal.go
+++ b/azuread/resource_service_principal.go
@@ -51,6 +51,54 @@ func resourceServicePrincipal() *schema.Resource {
Computed: true,
},
+ "oauth2_permissions": {
+ Type: schema.TypeList,
+ Computed: true,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "admin_consent_description": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "admin_consent_display_name": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "is_enabled": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
+
+ "type": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "user_consent_description": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "user_consent_display_name": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "value": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ },
+ },
+
"object_id": {
Type: schema.TypeString,
Computed: true,
@@ -123,6 +171,10 @@ func resourceServicePrincipalRead(d *schema.ResourceData, meta interface{}) erro
}
}
+ if oauth2Permissions, ok := app.AdditionalProperties["oauth2Permissions"].([]interface{}); ok {
+ d.Set("oauth2_permissions", flattenServicePrincipalOauth2Permissions(oauth2Permissions))
+ }
+
return nil
}
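Review bot: In the resourceServicePrincipalRead hunk the result of `d.Set("oauth2_permissions", ...)` is discarded, while the other `d.Set` calls in this Read return their error (the `tags` one, visible as context in the third patch, returns `Error setting ...`); a flatten/schema mismatch would then show up as silently empty state rather than as a failed read. Pulling the list from `app.AdditionalProperties` with a bare type assertion has the same failure mode: if the SDK decodes the property into a typed field instead (the third patch reads `Oauth2Permissions` directly), the attribute quietly disappears. Suggest `if err := d.Set("oauth2_permissions", flattenServicePrincipalOauth2Permissions(oauth2Permissions)); err != nil { return fmt.Errorf("Error setting oauth2_permissions: %+v", err) }`. The enclosing function starts before the hunk.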
@@ -140,3 +192,43 @@ func resourceServicePrincipalDelete(d *schema.ResourceData, meta interface{}) er
return nil
}
+
+func flattenServicePrincipalOauth2Permissions(in []interface{}) []map[string]interface{} {
+ if in == nil {
+ return []map[string]interface{}{}
+ }
+
+ result := make([]map[string]interface{}, 0, len(in))
+ for _, oauth2Permissions := range in {
+ rawPermission := oauth2Permissions.(map[string]interface{})
+ permission := make(map[string]interface{})
+ if v := rawPermission["adminConsentDescription"]; v != nil {
+ permission["admin_consent_description"] = v
+ }
+ if v := rawPermission["adminConsentDisplayName"]; v != nil {
+ permission["admin_consent_description"] = v
+ }
+ if v := rawPermission["id"]; v != nil {
+ permission["id"] = v
+ }
+ if v := rawPermission["isEnabled"]; v != nil {
+ permission["is_enabled"] = v.(bool)
+ }
+ if v := rawPermission["type"]; v != nil {
+ permission["type"] = v
+ }
+ if v := rawPermission["userConsentDescription"]; v != nil {
+ permission["user_consent_description"] = v
+ }
+ if v := rawPermission["userConsentDisplayName"]; v != nil {
+ permission["user_consent_display_name"] = v
+ }
+ if v := rawPermission["value"]; v != nil {
+ permission["value"] = v
+ }
+
+ result = append(result, permission)
+ }
+
+ return result
+}
diff --git a/azuread/resource_service_principal_test.go b/azuread/resource_service_principal_test.go
index 8cf7dcf679..d498557593 100644
--- a/azuread/resource_service_principal_test.go
+++ b/azuread/resource_service_principal_test.go
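Review bot: `flattenServicePrincipalOauth2Permissions` stores the `adminConsentDisplayName` value under `permission["admin_consent_description"]`, so `admin_consent_display_name` is never populated and the description is overwritten by the display name whenever both are present; that line should read `permission["admin_consent_display_name"] = v`. The unchecked assertions `oauth2Permissions.(map[string]interface{})` and `v.(bool)` will panic the provider if Graph returns an element of another shape, so use the two-value form and skip or error on mismatch. The third patch in this series replaces this function with a typed helper, which avoids both problems.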
@@ -26,6 +26,8 @@ func TestAccAzureADServicePrincipal_basic(t *testing.T) { testCheckADServicePrincipalExists(resourceName), resource.TestCheckResourceAttrSet(resourceName, "display_name"), resource.TestCheckResourceAttrSet(resourceName, "application_id"), + resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "1"), + resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Access %s", fmt.Sprintf("acctestspa%s", id))), resource.TestCheckResourceAttrSet(resourceName, "object_id"), ), }, diff --git a/website/docs/r/service_principal.html.markdown b/website/docs/r/service_principal.html.markdown index a41b3cee52..3f1dcefd3a 100644 --- a/website/docs/r/service_principal.html.markdown +++ b/website/docs/r/service_principal.html.markdown @@ -52,6 +52,28 @@ The following attributes are exported: * `display_name` - The Display Name of the Azure Active Directory Application associated with this Service Principal. +* `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below. + +--- + +`oauth2_permission` block exports the following: + +* `id` - The unique identifier for one of the `OAuth2Permission`. + +* `type` - The type of the permission. + +* `admin_consent_description` - The description of the admin consent. + +* `admin_consent_display_name` - The display name of the admin consent. + +* `is_enabled` - Is this permission enabled? + +* `user_consent_description` - The description of the user consent. + +* `user_consent_display_name` - The display name of the user consent. + +* `value` - The name of this permission. + ## Import Azure Active Directory Service Principals can be imported using the `object id`, e.g. From e7a72489aac28a5388baae3cc4bc9034c2c43ece Mon Sep 17 00:00:00 2001 
From: Joakim Bakke Hellum Date: Mon, 10 Jun 2019 23:32:24 +0200 Subject: [PATCH 3/3] Address code review comments --- azuread/data_application.go | 52 +----------- azuread/data_service_principal.go | 54 +----------- azuread/data_service_principal_test.go | 2 +- azuread/helpers/graph/application.go | 96 ++++++++++++++++++++++ azuread/resource_application.go | 89 +------------------- azuread/resource_service_principal.go | 92 +-------------------- azuread/resource_service_principal_test.go | 2 +- 7 files changed, 110 insertions(+), 277 deletions(-) create mode 100644 azuread/helpers/graph/application.go diff --git a/azuread/data_application.go b/azuread/data_application.go index 6ef2267e4d..fa31a49e2a 100644 --- a/azuread/data_application.go +++ b/azuread/data_application.go @@ -7,6 +7,7 @@ import ( "github.com/hashicorp/terraform/helper/schema" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/ar" + "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/graph" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/tf" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate" ) 
@@ -109,54 +110,7 @@ func dataApplication() *schema.Resource { }, }, - "oauth2_permissions": { - Type: schema.TypeList, - Optional: true, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "admin_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "admin_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "id": { - Type: schema.TypeString, - Computed: true, - }, - - "is_enabled": { - Type: schema.TypeBool, - Computed: true, - }, - - "type": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "value": { - Type: schema.TypeString, - Computed: true, - }, - }, - }, - }, + "oauth2_permissions": graph.SchemaOauth2Permissions(), }, } } @@ -243,7 +197,7 @@ func dataApplicationRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error setting `group_membership_claims`: %+v", err) } - if err := d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(app.Oauth2Permissions)); err != nil { + if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil { return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err) } diff --git a/azuread/data_service_principal.go b/azuread/data_service_principal.go index a470d0b537..e5ba8de774 100644 --- a/azuread/data_service_principal.go +++ b/azuread/data_service_principal.go @@ -4,6 +4,7 @@ import ( "fmt" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/ar" + "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/graph" "github.com/terraform-providers/terraform-provider-azuread/azuread/helpers/validate" "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac" 
@@ -39,54 +40,7 @@ func dataServicePrincipal() *schema.Resource { ConflictsWith: []string{"object_id", "display_name"}, }, - "oauth2_permissions": { - Type: schema.TypeList, - Optional: true, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "admin_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "admin_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "id": { - Type: schema.TypeString, - Computed: true, - }, - - "is_enabled": { - Type: schema.TypeBool, - Computed: true, - }, - - "type": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "value": { - Type: schema.TypeString, - Computed: true, - }, - }, - }, - }, + "oauth2_permissions": graph.SchemaOauth2Permissions(), }, } } @@ -175,8 +129,8 @@ func dataSourceActiveDirectoryServicePrincipalRead(d *schema.ResourceData, meta d.Set("display_name", sp.DisplayName) d.Set("object_id", sp.ObjectID) - if oauth2Permissions, ok := sp.AdditionalProperties["oauth2Permissions"].([]interface{}); ok { - d.Set("oauth2_permissions", flattenServicePrincipalOauth2Permissions(oauth2Permissions)) + if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(sp.Oauth2Permissions)); err != nil { + return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err) } return nil diff --git a/azuread/data_service_principal_test.go b/azuread/data_service_principal_test.go index d145e9ea21..bf2a31afd8 100644 --- a/azuread/data_service_principal_test.go +++ b/azuread/data_service_principal_test.go 
@@ -25,7 +25,7 @@ func TestAccAzureADServicePrincipalDataSource_byApplicationId(t *testing.T) { resource.TestCheckResourceAttrSet(dataSourceName, "object_id"), resource.TestCheckResourceAttrSet(dataSourceName, "display_name"), resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.#", "1"), - resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Access %s", fmt.Sprintf("acctestspa%s", id))), + resource.TestCheckResourceAttr(dataSourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestspa%s", id))), ), }, }, diff --git a/azuread/helpers/graph/application.go b/azuread/helpers/graph/application.go new file mode 100644 index 0000000000..12f5f2dff5 --- /dev/null +++ b/azuread/helpers/graph/application.go 
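Review bot: The corrected expectation on `oauth2_permissions.0.admin_consent_description` is still text the test does not produce itself — the fact that it had to change between patches shows it is generated on the service side and can be reworded again without any change to this provider. A more durable check is `resource.TestCheckResourceAttrSet(dataSourceName, "oauth2_permissions.0.admin_consent_description")` alongside the existing `oauth2_permissions.#` count, with an exact-value assertion reserved for fields the test config sets. The enclosing test function starts before this hunk.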
@@ -0,0 +1,96 @@
+package graph
+
+import (
+ "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
+ "github.com/hashicorp/terraform/helper/schema"
+)
+
+func SchemaOauth2Permissions() *schema.Schema {
+ return &schema.Schema{
+ Type: schema.TypeList,
+ Optional: true,
+ Computed: true,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "admin_consent_description": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "admin_consent_display_name": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "is_enabled": {
+ Type: schema.TypeBool,
+ Computed: true,
+ },
+
+ "type": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "user_consent_description": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "user_consent_display_name": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+
+ "value": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ },
+ }
+}
+
+func FlattenOauth2Permissions(in *[]graphrbac.OAuth2Permission) []map[string]interface{} {
+ if in == nil {
+ return []map[string]interface{}{}
+ }
+
+ result := make([]map[string]interface{}, 0)
+ for _, p := range *in {
+ permission := make(map[string]interface{})
+ if v := p.AdminConsentDescription; v != nil {
+ permission["admin_consent_description"] = v
+ }
+ if v := p.AdminConsentDisplayName; v != nil {
+ permission["admin_consent_display_name"] = v
+ }
+ if v := p.ID; v != nil {
+ permission["id"] = v
+ }
+ if v := p.IsEnabled; v != nil {
+ permission["is_enabled"] = *v
+ }
+ if v := p.Type; v != nil {
+ permission["type"] = v
+ }
+ if v := p.UserConsentDescription; v != nil {
+ permission["user_consent_description"] = v
+ }
+ if v := p.UserConsentDisplayName; v != nil {
+ permission["user_consent_display_name"] = v
+ }
+ if v := p.Value; v != nil {
+ permission["value"] = v
+ }
+
+ result = append(result, permission)
+ }
+
+ return result
+}
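Review bot: `SchemaOauth2Permissions` and `FlattenOauth2Permissions` are exported with no doc comments; add `// SchemaOauth2Permissions returns the read-only schema for the oauth2Permissions exposed by an application or service principal.` and `// FlattenOauth2Permissions converts Graph OAuth2Permission entries into Terraform state maps; a nil input yields an empty list.` The shared schema carries `Optional: true` even though every nested field is Computed-only, so a configured block can never be meaningful, and the two resources this patch migrates previously declared the attribute Computed-only (their removed lines have no `Optional`); dropping `Optional: true` here keeps that contract rather than letting config be silently ignored. Since the input length is known, `result := make([]map[string]interface{}, 0, len(*in))` avoids the regrowth in the loop.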
diff --git a/azuread/resource_application.go b/azuread/resource_application.go index d0fd8c3d2a..947f30b73f 100644 --- a/azuread/resource_application.go +++ b/azuread/resource_application.go @@ -130,53 +130,7 @@ func resourceApplication() *schema.Resource { }, }, - "oauth2_permissions": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "admin_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "admin_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "id": { - Type: schema.TypeString, - Computed: true, - }, - - "is_enabled": { - Type: schema.TypeBool, - Computed: true, - }, - - "type": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "value": { - Type: schema.TypeString, - Computed: true, - }, - }, - }, - }, + "oauth2_permissions": graph.SchemaOauth2Permissions(), "object_id": { Type: schema.TypeString, @@ -366,7 +320,7 @@ func resourceApplicationRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Error setting `required_resource_access`: %+v", err) } - if err := d.Set("oauth2_permissions", flattenADApplicationOauth2Permissions(app.Oauth2Permissions)); err != nil { + if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil { return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err) } 
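Review bot: Swapping the inline schema for `graph.SchemaOauth2Permissions()` changes `oauth2_permissions` on the application resource from Computed-only (the removed lines carry no `Optional`) to Optional+Computed, so a user can now write an `oauth2_permissions` block in the resource config that resourceApplicationCreate/Update never read or send to Graph. Unless making scopes configurable is the intent, keep the resource contract by having the helper declare the list with `Computed: true` only. The Read hunk's switch to `graph.FlattenOauth2Permissions(app.Oauth2Permissions)` is a straight rename and keeps the existing error wrapping.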
@@ -478,42 +432,3 @@ func flattenADApplicationResourceAccess(in *[]graphrbac.ResourceAccess) []interf return accesses } - -func flattenADApplicationOauth2Permissions(in *[]graphrbac.OAuth2Permission) []map[string]interface{} { - if in == nil { - return []map[string]interface{}{} - } - - result := make([]map[string]interface{}, 0) - for _, p := range *in { - permission := make(map[string]interface{}) - if v := p.AdminConsentDescription; v != nil { - permission["admin_consent_description"] = v - } - if v := p.AdminConsentDisplayName; v != nil { - permission["admin_consent_display_name"] = v - } - if v := p.ID; v != nil { - permission["id"] = v - } - if v := p.IsEnabled; v != nil { - permission["is_enabled"] = *v - } - if v := p.Type; v != nil { - permission["type"] = v - } - if v := p.UserConsentDescription; v != nil { - permission["user_consent_description"] = v - } - if v := p.UserConsentDisplayName; v != nil { - permission["user_consent_display_name"] = v - } - if v := p.Value; v != nil { - permission["value"] = v - } - - result = append(result, permission) - } - - return result -} diff --git a/azuread/resource_service_principal.go b/azuread/resource_service_principal.go index 45e9fcfc9e..44b50a381d 100644 --- a/azuread/resource_service_principal.go +++ b/azuread/resource_service_principal.go 
@@ -39,53 +39,7 @@ func resourceServicePrincipal() *schema.Resource { Computed: true, }, - "oauth2_permissions": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "admin_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "admin_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "id": { - Type: schema.TypeString, - Computed: true, - }, - - "is_enabled": { - Type: schema.TypeBool, - Computed: true, - }, - - "type": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_description": { - Type: schema.TypeString, - Computed: true, - }, - - "user_consent_display_name": { - Type: schema.TypeString, - Computed: true, - }, - - "value": { - Type: schema.TypeString, - Computed: true, - }, - }, - }, - }, + "oauth2_permissions": graph.SchemaOauth2Permissions(), "object_id": { Type: schema.TypeString, @@ -164,8 +118,8 @@ func resourceServicePrincipalRead(d *schema.ResourceData, meta interface{}) erro return fmt.Errorf("Error setting `tags`: %+v", err) } - if oauth2Permissions, ok := app.AdditionalProperties["oauth2Permissions"].([]interface{}); ok { - d.Set("oauth2_permissions", flattenServicePrincipalOauth2Permissions(oauth2Permissions)) + if err := d.Set("oauth2_permissions", graph.FlattenOauth2Permissions(app.Oauth2Permissions)); err != nil { + return fmt.Errorf("Error setting `oauth2_permissions`: %+v", err) } return nil 
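Review bot: The same contract change as on the application resource applies here: the removed service principal schema was Computed-only, while `graph.SchemaOauth2Permissions()` adds `Optional: true`, so a configured `oauth2_permissions` block is now accepted and ignored rather than rejected. Keeping the helper Computed-only restores the previous behaviour. In the Read hunk the object is referenced as `app.Oauth2Permissions` inside resourceServicePrincipalRead; its declaration is outside the hunk, but if it is the service principal fetched by this Read, a name such as `sp` would match the data source and avoid reading as if an application were being flattened.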
@@ -185,43 +139,3 @@ func resourceServicePrincipalDelete(d *schema.ResourceData, meta interface{}) er return nil } - -func flattenServicePrincipalOauth2Permissions(in []interface{}) []map[string]interface{} { - if in == nil { - return []map[string]interface{}{} - } - - result := make([]map[string]interface{}, 0, len(in)) - for _, oauth2Permissions := range in { - rawPermission := oauth2Permissions.(map[string]interface{}) - permission := make(map[string]interface{}) - if v := rawPermission["adminConsentDescription"]; v != nil { - permission["admin_consent_description"] = v - } - if v := rawPermission["adminConsentDisplayName"]; v != nil { - permission["admin_consent_description"] = v - } - if v := rawPermission["id"]; v != nil { - permission["id"] = v - } - if v := rawPermission["isEnabled"]; v != nil { - permission["is_enabled"] = v.(bool) - } - if v := rawPermission["type"]; v != nil { - permission["type"] = v - } - if v := rawPermission["userConsentDescription"]; v != nil { - permission["user_consent_description"] = v - } - if v := rawPermission["userConsentDisplayName"]; v != nil { - permission["user_consent_display_name"] = v - } - if v := rawPermission["value"]; v != nil { - permission["value"] = v - } - - result = append(result, permission) - } - - return result -} diff --git a/azuread/resource_service_principal_test.go b/azuread/resource_service_principal_test.go index 8cf7dcf679..d498557593 100644 --- a/azuread/resource_service_principal_test.go +++ b/azuread/resource_service_principal_test.go 
@@ -27,7 +27,7 @@ func TestAccAzureADServicePrincipal_basic(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "display_name"), resource.TestCheckResourceAttrSet(resourceName, "application_id"), resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "1"), - resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Access %s", fmt.Sprintf("acctestspa%s", id))), + resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestspa%s", id))), resource.TestCheckResourceAttrSet(resourceName, "object_id"), ), },