azuread_application: work around very buggy API when instantiating from template
#1406
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…_application_registration
…om template The `/instantiate` operation can return a 404 whlst also processing the request completely normally. This leads to orphaned objects in the directory, and a resource that cannot successfully Create. Work around this by polling for the application and service principal that you'd expect to see created out-of-band, whenever a 404 is received. Also set a temporary `displayName` for the application, as this is the only means we have to identify the resulting object is the one we are looking for. Unfortunately this means that this workaround cannot be implemented for the `azuread_application_from_template` resource, since that resource intentionally avoids changing the implicitly created `user_impersonation` scope - this will get created with nonsensical display names / descriptions in the consent flow. Since the whole point of the standalone resource is to inherit scopes from the template, this makes it infeasible to add this workaround there.
…ner/hamilton` - depends on manicminer/hamilton#285
tombuildsstuff
approved these changes
Jun 11, 2024
| @@ -63,3 +63,5 @@ require ( | |||
| ) | |||
|
|
|||
| go 1.21.3 | |||
|
|
|||
| replace github.com/manicminer/hamilton => github.com/MarkDordoy/hamilton v0.17.1-0.20240611151114-899c6ce169f6 | |||
There was a problem hiding this comment.
Sorry forgot to note that this depends on manicminer/hamilton#285, will rebase prior to merge
MarkDordoy
approved these changes
Jun 12, 2024
manicminer
deleted the
bugfix/application-instantiate-404-api-bug-workaround
branch
manicminer
added a commit
that referenced
this pull request
Jun 13, 2024
dduportal
referenced
this pull request
in jenkins-infra/azure
Jun 18, 2024
<Actions>
<action
id="6d17e7acdb2f3311576150379e22805f2f9b4aa72ff00ec136aceee45cae4b98">
<h3>Bump Terraform `azuread` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
<summary>Update Terraform lock file</summary>
<p>changes detected:
	"hashicorp/azuread" updated from
"2.51.0" to "2.52.0" in file
".terraform.lock.hcl"</p>
<details>
<summary>2.52.0</summary>
<pre>Changelog retrieved
from:
	https://github.com/hashicorp/terraform-provider-azuread/releases/tag/v2.52.0
BUG
FIXES:

* `azuread_application` - fix a bug that could prevent
the `ignore_changes` lifecycle argument from working for the `app_role`,
`oauth2_permission_scope`, `identifier_uris`, `optional_claims`, and
`required_resource_access` properties
([#1403](hashicorp/terraform-provider-azuread#1403
`azuread_application` - add a workaround for an API bug when
instantiating an application from template using the `template_id`
property
([#1406](https://github.com/hashicorp/terraform-provider-azuread/issues/1406))


</pre>
</details>
</details>
<a
href="https://infra.ci.jenkins.io/job/updatecli/job/azure/job/main/245/">Jenkins
pipeline link</a>
</action>
</Actions>
---
<table>
<tr>
<td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
</td>
<td>
<p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
</p>
<details><summary>Options:</summary>
<br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
<ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
</ul>
<p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
</p>
</details>
</td>
</tr>
</table>
Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
BrendanThompson
pushed a commit
to BrendanThompson/terraform-provider-azuread
that referenced
this pull request
Jun 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
Depends on manicminer/hamilton#285, requires rebase prior to merging
The
/instantiateoperation can return a 404 whlst also processing the request completely normally. This leads to orphaned objects in the directory, and a resource that cannot successfully Create.Work around this by polling for the application and service principal that you'd expect to see created out-of-band, whenever a 404 is received. Also set a temporary
displayNamefor the application, as this is the only means we have to identify the resulting object is the one we are looking for.Unfortunately this means that this workaround cannot be implemented for the
azuread_application_from_templateresource, since that resource intentionally avoids changing the implicitly createduser_impersonationscope - this will get created with nonsensical display names / descriptions in the consent flow. Since the whole point of the standalone resource is to inherit scopes (and other fields) from the template, this makes it infeasible to add this workaround there.Tested locally by intercepting the response to
POST /v1.0/applicationTemplates/4601ed45-8ff3-4599-8377-b6649007e876/instantiateand sending a 404 back to the provider.Test results: