azuread_app_role_assignment not properly assigning the role #1409

Open
detredwings02 opened this issue Jun 13, 2024 · 1 comment
Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • Terraform Cloud version - 1.8.5
  • AzureAD version - 2.51.0

Affected Resource(s)

  • azuread_app_role_assignment

Terraform Configuration Files

# variables.tf
variable "azuread_service_principals" {
  type = any
  default = [
    {
      display_name_suffix           = "LogViewer"
      app_role_create               = true
      app_role_allowed_member_types = ["User"]
      app_role_description          = "Access Connect Logs"
      app_role_display_name         = "ConnectLogViewers"
      app_role_value                = "LogViewer.Read"
      set_web_redirect_uris         = true
    },
    {
      display_name_suffix   = "AppInsights"
      app_role_create       = false
      set_web_redirect_uris = false
    }
  ]
}

# locals.tf
locals {
  azuread_service_principals = [for s in concat(var.azuread_service_principals, var.azuread_service_principals_additional) :
    {
      display_name                  = tostring(try(s.display_name, "${data.azurerm_subscription.current.display_name}-${local.location}-${s.display_name_suffix}"))
      owners                        = [data.azurerm_client_config.current.object_id]
      password_rotation_increment   = tonumber(try(s.password_rotation_increment, null))
      app_role_create               = tobool(try(s.app_role_create, false))
      app_role_allowed_member_types = toset(try(s.app_role_allowed_member_types, null))
      app_role_description          = tostring(try(s.app_role_description, null))
      app_role_display_name         = tostring(try(s.app_role_display_name, null))
      app_role_value                = tostring(try(s.app_role_value, null))
      web_redirect_uris             = toset(try(s.web_redirect_uris, s.set_web_redirect_uris != true ? null : local.azuread_service_principals_web_redirect_uris))
    }
  ]
}

locals {
  app_role_groups = [
    "${local.environment}_LogViewers",
    "Global_LogViewers"
  ]
}

# data.tf

data "azuread_group" "app_roles" {
  # Lookup is by display name, which Entra ID does not enforce as unique; the
  # data source errors if more than one group matches. Prefer object_id when
  # the group IDs are known.
  for_each     = toset(local.app_role_groups)
  display_name = each.key
}

locals {
  # One assignment per (application that creates a role) x (group).
  azuread_app_role_assignments = flatten([
    for a in local.azuread_service_principals : a.app_role_create ? [
      for g in data.azuread_group.app_roles :
      {
        application_display_name = a.display_name
        app_role_value           = a.app_role_value
        display_name             = g.display_name
        app_role_id              = azuread_application.test[a.display_name].app_role_ids[a.app_role_value]
        principal_object_id      = g.object_id
        resource_object_id       = azuread_service_principal.test[a.display_name].object_id
      }
    ] : []
  ])
}

# application.tf
resource "azuread_app_role_assignment" "test" {
  # Key on application + group: keying on the group display name alone gives
  # duplicate keys as soon as a second application also creates a role.
  # (Changing the key moves existing assignments in state.)
  for_each = {
    for a in local.azuread_app_role_assignments :
    "${a.application_display_name}/${a.display_name}" => a
  }
  app_role_id         = each.value.app_role_id
  principal_object_id = each.value.principal_object_id
  resource_object_id  = each.value.resource_object_id
}

Debug Output

Panic Output

Expected Behavior

The app role groups should be assigned the app roles. Please note there are NO errors in the plan or apply.

The service principal used to run terraform has these API permissions:
image
Is an owner of both the Enterprise application and the service principal.

Actual Behavior

This is the app role:
image

The app role groups are "partially" added to the app role as below:
image

But when I click on 'edit assignment' you can see that it is 'none' and no role is assigned:
image

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
nbaju1 commented Jun 17, 2024

This is the actual behavior when you manually add an assignment in Entra ID and then edit it. Not sure what you mean by "partially" assigned, that picture states that the roles are assigned.
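A check a practitioner can run after `terraform apply` to settle the question above, as an added example that is not part of the issue, the reporter's configuration or the AzureAD provider: list the assignments Microsoft Graph actually holds for the service principal (the portal's "edit assignment" dialog is not the source of truth) and compare them with what Terraform intended. It assumes the `appRoleAssignedTo` response shape documented for Microsoft Graph; every GUID, group name and the extra assignments in the sample are constructed, not values from the issue.

```python
"""Post-apply check that app role assignments really exist in Entra ID.

Added example, not code from the issue or from the AzureAD provider. It reads
the JSON returned by

    GET https://graph.microsoft.com/v1.0/servicePrincipals/{resource_object_id}/appRoleAssignedTo

(for example via `az rest --method GET --url ...`) and compares it with the
assignments Terraform was expected to create.
"""
import json

# Graph records an assignment with no specific role (the "Default Access" row
# in the portal) under the all-zeros GUID. It is a real assignment, but it does
# not grant an app role such as LogViewer.Read.
DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed identifiers (hypothetical; none come from the issue).
RESOURCE_SP = "d9e8f7a6-b5c4-4d3e-a2f1-0b9c8d7e6f5a"      # azuread_service_principal object id
LOGVIEWER_ROLE = "7f4e3c2a-1b5d-4e6f-9a8b-0c1d2e3f4a5b"   # app_role_ids["LogViewer.Read"]
OTHER_ROLE = "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"       # some other role on the same app
ENV_GROUP = "3c1b7e9d-2a4f-4c6e-8b0d-1f3a5c7e9b2d"        # dev_LogViewers
GLOBAL_GROUP = "5e7a9c1b-3d6f-4e8a-9c2b-4f6a8c0e2d4b"     # Global_LogViewers
OPS_GROUP = "8b0d2f4a-6c9e-4a1c-b3e5-7a9c1e3b5d7f"        # Ops_LogViewers
AUDIT_GROUP = "a1c3e5b7-d9f1-4b3d-a5c7-e9b1d3f5a7c9"      # Audit_LogViewers
CONTRACTOR_GROUP = "b2d4f6a8-c0e2-4f4a-9b6c-d8e0f2a4b6c8"  # Contractors_LogViewers

# Constructed Graph response, trimmed to the fields the check uses.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"appRoleId": LOGVIEWER_ROLE, "principalId": ENV_GROUP, "principalType": "Group",
         "principalDisplayName": "dev_LogViewers", "resourceId": RESOURCE_SP},
        # Assigned, but only with default access: the portal shows no role selected.
        {"appRoleId": DEFAULT_APP_ROLE_ID, "principalId": GLOBAL_GROUP, "principalType": "Group",
         "principalDisplayName": "Global_LogViewers", "resourceId": RESOURCE_SP},
        # Assigned to a role Terraform did not intend for this group.
        {"appRoleId": OTHER_ROLE, "principalId": OPS_GROUP, "principalType": "Group",
         "principalDisplayName": "Ops_LogViewers", "resourceId": RESOURCE_SP},
        # Added by hand in the portal; Terraform knows nothing about it.
        {"appRoleId": LOGVIEWER_ROLE, "principalId": CONTRACTOR_GROUP, "principalType": "Group",
         "principalDisplayName": "Contractors_LogViewers", "resourceId": RESOURCE_SP},
        # A user assignment; out of scope for a group check.
        {"appRoleId": LOGVIEWER_ROLE, "principalId": "f0e1d2c3-b4a5-4968-8776-655443322110",
         "principalType": "User", "principalDisplayName": "J. Doe", "resourceId": RESOURCE_SP},
    ]
})

# What Terraform wrote: group object id -> app role id (AUDIT_GROUP never got one).
EXPECTED = {
    ENV_GROUP: LOGVIEWER_ROLE,
    GLOBAL_GROUP: LOGVIEWER_ROLE,
    OPS_GROUP: LOGVIEWER_ROLE,
    AUDIT_GROUP: LOGVIEWER_ROLE,
}


def parse_group_assignments(raw_json, resource_id):
    """Map group object id -> set of appRoleIds held on `resource_id`.

    Handles one page of appRoleAssignedTo output; if the response carries an
    "@odata.nextLink", fetch that page too and merge the results.
    """
    roles = {}
    for a in json.loads(raw_json).get("value", []):
        if a.get("principalType") != "Group" or a.get("resourceId") != resource_id:
            continue
        roles.setdefault(a["principalId"], set()).add(a["appRoleId"])
    return roles


def verify_assignments(raw_json, resource_id, expected):
    """Classify each expected group as ok, default-role, wrong-role or missing."""
    actual = parse_group_assignments(raw_json, resource_id)
    status = {}
    for group_id, role_id in expected.items():
        assigned = actual.get(group_id, set())
        if role_id in assigned:
            status[group_id] = "ok"
        elif not assigned:
            status[group_id] = "missing"
        elif assigned == {DEFAULT_APP_ROLE_ID}:
            status[group_id] = "default-role"
        else:
            status[group_id] = "wrong-role"
    return status


def unmanaged_group_assignments(raw_json, resource_id, expected):
    """Groups holding an assignment Terraform does not manage (drift to review)."""
    actual = parse_group_assignments(raw_json, resource_id)
    return sorted(g for g in actual if g not in expected)


if __name__ == "__main__":
    for group, state in verify_assignments(SAMPLE_GRAPH_RESPONSE, RESOURCE_SP, EXPECTED).items():
        print(f"{group}: {state}")
    print("unmanaged:", unmanaged_group_assignments(SAMPLE_GRAPH_RESPONSE, RESOURCE_SP, EXPECTED))
```

Feed the real response in place of `SAMPLE_GRAPH_RESPONSE`, with `RESOURCE_SP` set to `azuread_service_principal.test[...].object_id` and `EXPECTED` built from `app_role_ids[...]` and the group object IDs from `terraform output` or the state. A group reported as `default-role` is the situation the screenshots describe: it appears in the assignment list, but holds the all-zeros default role rather than `LogViewer.Read`. Anything returned by `unmanaged_group_assignments` was granted outside Terraform and should be either imported or removed.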
