-
Notifications
You must be signed in to change notification settings - Fork 300
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azuread_application_registration can't be destroyed by owner if using azuread_application_owner #1335
Comments
WorkaroundAs I don't need the --terraform --target=ownerobject to destroy assignments (i.e., I accept I have to remove the assignments manually when necessary) I use this workaround to achieve desired functionality: resource "terraform_data" "app_owners" {
input = {
app_object_id = azuread_application_registration.example.object_id
owner_id = azuread_user.jane.object_id
}
provisioner "local-exec" {
when = create
command = "az ad app owner add --id ${self.input.app_object_id} --owner-object-id ${self.input.owner_id}"
}
} |
Thanks for reporting @agyss. Unfortunately, the wider context of the destroy operation is entirely unavailable to providers due to the way Terraform works. This means there is no way for us to know which resources are going to be destroyed. The most appropriate way t resolve these kinds of dependency issues is by manipulating the graph itself - options include the It might be possible to fudge this inside the provider, but it requires some investigation and I'm not very confident that it's possible without breaking the expected contract and negatively affecting many users. Ultimately this should probably be a feature request of Terraform Core. |
I see. In this case I would propose to invent a boolean field named The combination of both pretty much has the same effect as the workaround suggested before. |
Just a thought - do you really need the This is one of the reasons the |
@manicminer in our flow we let users run terraform locally or in the pipeline. when using azuread_application we set the owner to be the pipeline SP and a set of users we let "own" that application. that group set changes and we always want to let the SP be an owner...so it's both important that we can set a SP to own and users to own in case the creator doesn't happen to be the SP |
Community Note
Terraform (and AzureAD Provider) Version
azuread 2.47.0
Affected Resource(s)
azuread_application_registration
azuread_application_owner
Terraform Configuration Files
Expected behaviour
If the user who is performing a terraform destory on all objects above is in the owners list and does not have higher privileges (like global admin), Terraform should realize that it can't destroy the owner object as it's permissions are required to delete the application. This would result in the same behaviour as in azure cli or the azure portal.
Of course this is only true if the destroy action should delete the application_registration as well and not terraform --target=ownerobject is used.
Actual behaviour
The owner is removed from the application_registration before the application itself is deleted, leading to a 403 error as the user no longer has authorization to do so (if not assigned higher permissions like global admin).
The text was updated successfully, but these errors were encountered: