
Error: The terraform-provider-azuread_v3.0.2_x5 plugin crashed! (Applying a change to an existing conditional access policy and adding a new policy) #1617

Closed
AdmiralGold opened this issue Jan 14, 2025 · 0 comments · Fixed by #1619

Comments

@AdmiralGold

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

terraform_1.9.6_linux_amd64

required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "= 3.0.2"
    }
  }

Affected Resource(s)

  • azuread_conditional_access_policy

Terraform Configuration Files

resource "azuread_conditional_access_policy" "_100_Admin_All_apps_Require_MFA_For_admins" {
  display_name = "100_-_Admin_-_All apps_-__Require_MFA_For_admins"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = [
      "browser",
      "mobileAppsAndDesktopClients",
    ]
    sign_in_risk_levels           = []
    user_risk_levels              = []
    service_principal_risk_levels = []

    applications {
      excluded_applications = []
      included_applications = [
        "All",
      ]

    }

    users {
      excluded_groups = []
      excluded_roles  = []
      excluded_users  = []
      included_groups = []
      included_roles  = module.global.privileged_role_ids
      included_users = [
        "All",
      ]
    }
  }

  grant_controls {
    built_in_controls = [
      "mfa",
    ]
    custom_authentication_factors = []
    operator                      = "OR"
    terms_of_use                  = []
  }
  session_controls {
    application_enforced_restrictions_enabled = false
    cloud_app_security_policy                 = null
    disable_resilience_defaults               = false
    persistent_browser_mode                   = "never"
    sign_in_frequency                         = 23
    sign_in_frequency_authentication_type     = "primaryAndSecondaryAuthentication"
    sign_in_frequency_interval                = "timeBased"
    sign_in_frequency_period                  = "hours"
  }
}


resource "azuread_conditional_access_policy" "_101_Admin_All_apps_Require_trusted_device_For_admins" {
  display_name = "101_-_Admin_-_All apps_-_Require_trusted_device_For_admins"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = [
      "browser",
      "mobileAppsAndDesktopClients",
    ]
    sign_in_risk_levels           = []
    user_risk_levels              = []
    service_principal_risk_levels = []

    applications {
      excluded_applications = []
      included_applications = [
        "All",
      ]

    }

    users {
      excluded_groups = []
      excluded_roles  = []
      excluded_users  = []
      included_groups = []
      included_roles  = module.global.privileged_role_ids
      included_users = [
        "All",
      ]
    }
  }

  grant_controls {
    built_in_controls = [
      "compliantDevice",
      "domainJoinedDevice",
    ]
    custom_authentication_factors = []
    operator                      = "OR"
    terms_of_use                  = []
  }
  session_controls {
    application_enforced_restrictions_enabled = false
    cloud_app_security_policy                 = null
    disable_resilience_defaults               = false
    persistent_browser_mode                   = "never"
    sign_in_frequency                         = 8
    sign_in_frequency_authentication_type     = "primaryAndSecondaryAuthentication"
    sign_in_frequency_interval                = "timeBased"
    sign_in_frequency_period                  = "hours"
  }
}

resource "azuread_conditional_access_policy" "_102_-_Admin_-_All_apps_-_Block_access_For_admins_When_on_untrusted_location" {
  display_name = "102_-_Admin_-_All apps_-_Block_access_For_admins_When_on_untrusted_location"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = [
      "browser",
      "mobileAppsAndDesktopClients",
    ]
    sign_in_risk_levels           = []
    user_risk_levels              = []
    service_principal_risk_levels = []

    applications {
      excluded_applications = []
      included_applications = [
        "All",
      ]

    }
    locations {
      excluded_locations = []
      included_locations = ["All"]
    }

    users {
      excluded_groups = []
      excluded_roles  = []
      excluded_users  = []
      included_groups = []
      included_roles  = module.global.privileged_role_ids
      included_users  = []
    }
  }

  grant_controls {
    built_in_controls = [
      "block",
    ]
    custom_authentication_factors = []
    operator                      = "OR"
    terms_of_use                  = []
  }
}

resource "azuread_conditional_access_policy" "_106_-_Admin_-_Privileged_systems_Block_access_When_on_untrusted_location" {
  display_name = "106_-_Admin_-_Privileged systems_-_Block_access_When_on_untrusted_location"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = [
      "browser",
      "mobileAppsAndDesktopClients",
    ]
    sign_in_risk_levels           = []
    user_risk_levels              = []
    service_principal_risk_levels = []

    applications {
      excluded_applications = []
      included_applications = [
        "797f4846-ba00-4fd7-ba43-dac1f8f63013", #Microsoft Azure Management
      ]

    }

    users {
      excluded_groups = []
      excluded_roles  = []
      excluded_users  = []
      included_groups = []
      included_roles  = module.global.privileged_role_ids
      included_users = [
        "All",
      ]
    }
  }

  grant_controls {
    built_in_controls = [
      "block",
    ]
    custom_authentication_factors = []
    operator                      = "OR"
    terms_of_use                  = []
  }

}

resource "azuread_conditional_access_policy" "_107_TEST" {
  display_name = "107_TEST"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = [
      "browser",
    ]
    sign_in_risk_levels           = []
    user_risk_levels              = []
    service_principal_risk_levels = []

    applications {
      excluded_applications = []
      included_applications = []

    }

    users {
      excluded_groups = []
      excluded_roles  = []
      excluded_users  = []
      included_groups = []
      included_roles  = module.global.privileged_role_ids
      included_users = [
        "All",
      ]
    }
  }

  grant_controls {
    built_in_controls = [
      "mfa",
    ]
    custom_authentication_factors = []
    operator                      = "OR"
    terms_of_use                  = []
  }

}

Global Module outputs.tf

# ------
# COMMON
# ------

output "privileged_role_ids" {
  description = "A set of role IDs with high privileges. Role IDs can be found in Microsoft docs: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference."
  value = [
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", #Application Administrator
    "cf1c38e5-3621-4004-a7cb-879624dced7c", #Application Developer
    "8424c6f0-a189-499e-bbd0-26c1753c96d4", #Attribute Definition Administrator
    "58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d", #Attribute Assignment Administrator
    "1d336d2c-4ae8-42ef-9711-b3604ce3fc2c", #Attribute Definition Reader
    "ffd52fa5-98dc-465c-991d-fc073eb59f8f", #Attribute Assignment Reader
    "5b784334-f94b-471a-a387-e7219fc49ca2", #Attribute Log Administrator
    "9c99539d-8186-4804-835f-fd51ef9e2dcd", #Attribute Log Reader
    "c4e39bd9-1100-46d3-8c65-fb160da0071f", #Authentication Administrator
    "0526716b-113d-4c15-b2c8-68e3c22b9f80", #Authentication Policy Administrator
    "e3973bdf-4987-49ae-837a-ba8e231c7286", #Azure DevOps Administrator
    "7495fdc4-34c4-4d15-a289-98788ce399fd", #Azure Information Protection Administrator
    "aaf43236-0c0d-4d5f-883a-6955382ac081", #B2C IEF Keyset Administrator
    "3edaf663-341e-4475-9f94-5c398ef6c070", #B2C IEF Policy Administrator
    "b0f54661-2d74-4c50-afa3-1ec803f12efe", #Billing Administrator
    "892c5842-a9a6-463a-8041-72aa08ca3cf6", #Cloud App Security Administrator
    "158c047a-c907-4556-b7ef-446551a6b5f7", #Cloud Application Administrator
    "7698a772-787b-4ac8-901f-60d6b08affd2", #Cloud Device Administrator
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9", #Conditional Access Administrator
    "5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91", #Customer LockBox Access Approver
    "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", #Directory Readers
    #"d29b2b05-8046-44ba-8758-1e26182fcf32", #Directory Synchronization Accounts
    "9360feb5-f418-4baa-8175-e2a00bac4301", #Directory Writers
    "8329153b-31d0-4727-b945-745eb3bc5f31", #Domain Name Administrator
    "3f1acade-1e04-4fbc-9b69-f0302cd84aef", #Edge Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de", #Exchange Administrator
    "6e591065-9bad-43ed-90f3-e9424366d2f0", #External ID User Flow Administrator
    "0f971eea-41eb-4569-a71e-57bb8a3eff1e", #External ID User Flow Attribute Administrator
    "be2f45a1-457d-42af-a067-6ec1fa63bc45", #External Identity Provider Administrator
    "a9ea8996-122f-4c74-9520-8edcd192826c", #Fabric Administrator
    "62e90394-69f5-4237-9190-012177145e10", #Global Administrator
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451", #Global Reader
    "ac434307-12b9-4fa1-a708-88bf58caabc1", #Global Secure Access Administrator
    "fdd7a751-b60b-444a-984c-02652fe8fa1c", #Groups Administrator
    "95e79109-95c0-4d8e-aee3-d01accf2d47b", #Guest Inviter
    "729827e3-9c14-49f7-bb1b-9608f156bbb8", #Helpdesk Administrator
    "8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2", #Hybrid Identity Administrator
    "45d8d3c5-c802-45c6-b32a-1d70b5e1e86e", #Identity Governance Administrator
    "3a2c62db-5318-420d-8d74-23affee5d9d5", #Intune Administrator
    "4d6ac14f-3453-41d0-bef9-a3e0c569773a", #License Administrator
    "59d46f88-662b-457b-bceb-5c3809e5908f", #Lifecycle Workflows Administrator
    "9f06204d-73c1-4d4c-880a-6edb90606fd8", #Microsoft Entra Joined Device Local Administrator
    "d37c8bed-0711-4417-ba38-b4abe66ce4c2", #Network Administrator
    "2b745bdf-0803-4d80-aa65-822c4493daac", #Office Apps Administrator
    "966707d0-3269-4727-9be2-8c3a10f19b9d", #Password Administrator
    "af78dc32-cf4d-46f9-ba4e-4428526346b5", #Permissions Management Administrator
    "7be44c8a-adaf-4e2a-84d6-ab2649e08a13", #Privileged Authentication Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814", #Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d", #Security Administrator
    "5f2222b1-57c3-48ba-8ad5-d4759f1fde6f", #Security Operator
    "5d6b6bb7-de71-4623-b4af-96380a352509", #Security Reader
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", #SharePoint Administrator
    "75941009-915a-4869-abe7-691bff18279e", #Skype for Business Administrator
    "69091246-20e8-4a56-aa4d-066075b2a7a8", #Teams Administrator
    "baf37b3a-610e-45da-9e62-d9d1e5e8914b", #Teams Communications Administrator
    "f70938a0-fc10-4177-9e90-2178f8765737", #Teams Communications Support Engineer
    "fcf91098-03e3-41a9-b5ba-6f0ec8188a12", #Teams Communications Support Specialist
    "3d762c5a-1b6c-493f-843e-55a3b42923d4", #Teams Devices Administrator
    "112ca1a2-15ad-4102-995e-45b0bc479a6a", #Tenant Creator
    "fe930be7-5e62-47db-91af-98c3a49a38b1", #User Administrator
    "11451d60-acb2-45eb-a7d6-43d0f0125c13", #Windows 365 Administrator
    "32696413-001a-46ae-978c-ce0f6b3620d2", #Windows Update Deployment Administrator
  ]
}

Debug Output


│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with azuread_conditional_access_policy._107_TEST,
│   on ring_100_admin_policies.tf line 198, in resource "azuread_conditional_access_policy" "_107_TEST":
│  198: resource "azuread_conditional_access_policy" "_107_TEST" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-azuread_v3.0.2_x5 plugin:

panic: interface conversion: interface {} is nil, not map[string]interface {}

goroutine 41 [running]:
github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess.expandConditionalAccessApplications({0xc0006f1ae0?, 0xc0006e5200?, 0x22d7dbd?})
	github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess/conditionalaccess.go:397 +0x5f4
github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess.expandConditionalAccessConditionSet({0xc0006f1ab0, 0x22c8b98?, 0x74411d0193f8?})
	github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess/conditionalaccess.go:364 +0x81d
github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess.conditionalAccessPolicyResourceCreate({0x25e0218, 0xc0002408c0}, 0xc0004ce880, {0x1afb7c0, 0xc000533208})
	github.com/hashicorp/terraform-provider-azuread/internal/services/conditionalaccess/conditional_access_policy_resource.go:619 +0x27c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0xc00044a8c0, {0x25e0170, 0xc000457bf0}, 0xc0004ce880, {0x1afb7c0, 0xc000533208})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.34.0/helper/schema/resource.go:806 +0x119
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc00044a8c0, {0x25e0170, 0xc000457bf0}, 0xc0002d2a90, 0xc0004ce580, {0x1afb7c0, 0xc000533208})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.34.0/helper/schema/resource.go:937 +0xa89
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc0003ac690, {0x25e0170?, 0xc000457b30?}, 0xc0004b41e0)
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.34.0/helper/schema/grpc_provider.go:1153 +0xd5c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0002c8640, {0x25e0170?, 0xc000456540?}, 0xc000b61500)
	github.com/hashicorp/terraform-plugin-go@v0.24.0/tfprotov5/tf5server/server.go:865 +0x3d0
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1ffee80, 0xc0002c8640}, {0x25e0170, 0xc000456540}, 0xc0000d3000, 0x0)
	github.com/hashicorp/terraform-plugin-go@v0.24.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:545 +0x1a6
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000da000, {0x25e0170, 0xc0004564b0}, {0x25e6540, 0xc0000d4340}, 0xc00055cfc0, 0xc0003cb8f0, 0x349a6f8, 0x0)
	google.golang.org/grpc@v1.67.0/server.go:1394 +0xe49
google.golang.org/grpc.(*Server).handleStream(0xc0000da000, {0x25e6540, 0xc0000d4340}, 0xc00055cfc0)
	google.golang.org/grpc@v1.67.0/server.go:1805 +0xe8b
google.golang.org/grpc.(*Server).serveStreams.func2.1()
	google.golang.org/grpc@v1.67.0/server.go:1029 +0x8b
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 26
	google.golang.org/grpc@v1.67.0/server.go:1040 +0x125

Error: The terraform-provider-azuread_v3.0.2_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Panic Output

Expected Behavior

Should have been a successful apply

Actual Behavior

Failed to apply despite successful validate and plan.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
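The stack trace points at `expandConditionalAccessApplications` failing with `interface conversion: interface {} is nil, not map[string]interface {}`, and the only policy that differs from the others is `_107_TEST`, whose `applications` block contains nothing but empty lists. The following Go program is an added illustration, not the provider's code: it assumes (as the panic message suggests) that the plugin SDK can hand such a block to the expand function as a one-element `[]interface{}` whose element is `nil`, and it contrasts a bare type assertion, which panics on that input, with the two-value assertion that degrades to an empty struct instead. The struct, function names and the `callSafely` helper are hypothetical; the application ID used as sample data is the Microsoft Azure Management ID from policy 106 above.

```go
package main

import "fmt"

// ConditionalAccessApplications mirrors the shape of the `applications` block
// in the Terraform configuration above (hypothetical struct, not the provider's type).
type ConditionalAccessApplications struct {
	IncludedApplications []string
	ExcludedApplications []string
}

// expandApplicationsUnsafe reproduces the pattern behind the reported panic.
// The SDK passes a nested block as []interface{}; when the block is present but
// every attribute is empty, the single element can be nil (assumed here, and
// consistent with the panic text in the issue). A bare type assertion on that
// element panics with "interface conversion: interface {} is nil, not map[string]interface {}".
func expandApplicationsUnsafe(in []interface{}) *ConditionalAccessApplications {
	if len(in) == 0 {
		return nil
	}
	config := in[0].(map[string]interface{}) // panics when in[0] == nil
	return &ConditionalAccessApplications{
		IncludedApplications: toStringSlice(config["included_applications"]),
		ExcludedApplications: toStringSlice(config["excluded_applications"]),
	}
}

// expandApplicationsSafe is the hardened variant: the two-value type assertion
// turns a nil or unexpected element into an empty struct instead of a crash,
// so the plugin survives a block that is present but has no content.
func expandApplicationsSafe(in []interface{}) *ConditionalAccessApplications {
	result := &ConditionalAccessApplications{
		IncludedApplications: []string{},
		ExcludedApplications: []string{},
	}
	if len(in) == 0 {
		return result
	}
	config, ok := in[0].(map[string]interface{})
	if !ok || config == nil {
		return result
	}
	result.IncludedApplications = toStringSlice(config["included_applications"])
	result.ExcludedApplications = toStringSlice(config["excluded_applications"])
	return result
}

// toStringSlice converts the []interface{} the SDK uses for list attributes,
// skipping anything that is not a string.
func toStringSlice(v interface{}) []string {
	out := []string{}
	items, ok := v.([]interface{})
	if !ok {
		return out
	}
	for _, item := range items {
		if s, ok := item.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// callSafely runs fn and reports whether it panicked, so the two variants can
// be compared without taking the process down.
func callSafely(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed inputs: a populated block like the one in policy 106, and a
	// block whose only element is nil, the assumed SDK representation of the
	// all-empty `applications` block in policy 107_TEST.
	populated := []interface{}{map[string]interface{}{
		"included_applications": []interface{}{"797f4846-ba00-4fd7-ba43-dac1f8f63013"},
		"excluded_applications": []interface{}{},
	}}
	empty := []interface{}{nil}

	fmt.Println("unsafe/populated panics:", callSafely(func() { expandApplicationsUnsafe(populated) }))
	fmt.Println("unsafe/empty panics:    ", callSafely(func() { expandApplicationsUnsafe(empty) }))
	fmt.Println("safe/empty panics:      ", callSafely(func() { expandApplicationsSafe(empty) }))
	fmt.Printf("safe/empty result:       %+v\n", *expandApplicationsSafe(empty))
}
```

The defensive variant returns empty slices rather than `nil` for the two lists so that callers that later serialise the struct into a Graph API request body do not have to special-case a missing block; whether the API then accepts a policy with no included applications is a separate validation question that the expand function should not have to answer by crashing.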