bugfix: azuread_application - delete password block

internal/services/applications/application_resource.go

@@ -726,6 +726,12 @@ func applicationResourceCustomizeDiff(ctx context.Context, diff *pluginsdk.Resou
 		}
 	}
 
+	if v := diff.GetRawConfig().AsValueMap()["password"]; v.IsKnown() {
+		if len(v.AsValueSet().Values()) == 0 {
+			diff.SetNewComputed("password")
+		}
+	}
+
 	// Validate roles and scopes to check for duplicate IDs or values
 	if err := applicationValidateRolesScopes(diff.Get("app_role").(*pluginsdk.Set).List(), diff.Get("api.0.oauth2_permission_scope").(*pluginsdk.Set).List()); err != nil {
 		return fmt.Errorf("checking for duplicate app roles / OAuth2.0 permission scopes: %v", err)
@@ -1447,6 +1453,21 @@ func applicationResourceUpdate(ctx context.Context, d *pluginsdk.ResourceData, m
 		}
 	}
 
+	// Remove application password when password block is removed at definition.
+	rawConfigPassword := d.GetRawConfig().AsValueMap()["password"]
+
+	if len(rawConfigPassword.AsValueSet().Values()) == 0 {
+		currentPassword := d.Get("password").(*pluginsdk.Set).List()
+
+		if len(currentPassword) == 1 {
+			keyIdToRemove := currentPassword[0].(map[string]interface{})["key_id"].(string)
+
+			if _, err = client.RemovePassword(ctx, id.ApplicationId, keyIdToRemove); err != nil {
+				return tf.ErrorDiagF(err, "Removing password credential %q from application with object ID %q", id.ApplicationId, keyIdToRemove)
+			}
+		}
+	}
+
 	var tags []string
 	if v, ok := d.GetOk("feature_tags"); ok && len(v.([]interface{})) > 0 && d.HasChange("feature_tags") {
 		tags = helpers.ApplicationExpandFeatures(v.([]interface{}))

internal/services/applications/application_resource_test.go

@@ -672,6 +672,41 @@ func TestAccApplication_passwordNotSet(t *testing.T) {
 	})
 }
 
+func TestAccApplication_PasswordSetAndRemove(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_application", "test")
+	startDate := time.Now().AddDate(0, 0, 7).UTC().Format(time.RFC3339)
+	endDate := time.Now().AddDate(0, 5, 27).UTC().Format(time.RFC3339)
+	r := ApplicationResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.passwordComplete(data, startDate, endDate),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("password.#").HasValue("1"),
+				check.That(data.ResourceName).Key("password.0.key_id").Exists(),
+				check.That(data.ResourceName).Key("password.0.value").Exists(),
+				check.That(data.ResourceName).Key("password.0.start_date").Exists(),
+				check.That(data.ResourceName).Key("password.0.end_date").Exists(),
+				check.That(data.ResourceName).Key("password.0.display_name").HasValue(fmt.Sprintf("acctest-appPasswordComplete-%d", data.RandomInteger)),
+			),
+		},
+		{
+			Config: r.passwordRemoved(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		{
+			RefreshState: true,
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("password.#").HasValue("0"),
+			),
+		},
+	})
+}
+
 func (r ApplicationResource) Exists(ctx context.Context, clients *clients.Client, state *terraform.InstanceState) (*bool, error) {
 	client := clients.Applications.ApplicationsClientBeta
 	client.BaseClient.DisableRetries = true
@@ -1709,3 +1744,16 @@ resource "azuread_application" "test" {
 }
 `, data.RandomInteger, startDate, endDate)
 }
+
+func (r ApplicationResource) passwordRemoved(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+
+data "azuread_client_config" "current" {}
+
+resource "azuread_application" "test" {
+  display_name = "acctest-APP-%[1]d"
+  owners       = [data.azuread_client_config.current.object_id]
+}
+`, data.RandomInteger)
+}