
azuread_application_identifier_uri without verified domain not applying on first attempt #1392

Open
nbaju1 opened this issue May 27, 2024 · 1 comment

Comments


nbaju1 commented May 27, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.8.1
AzureAD Provider: 2.49.0

Affected Resource(s)

  • azuread_application_identifier_uri

Terraform Configuration Files

(Note that I use the CDKTF for Python, so the example is a manually written mock-up of the actual configuration)

resource "azuread_application" "example" {
  display_name = "example"

  lifecycle {
    ignore_changes = [
      identifier_uris,
    ]
  }
}

resource "azuread_service_principal" "example_sp" {
  client_id = azuread_application.example.client_id
}

resource "azuread_application_identifier_uri" "example_uri" {
  application_id = azuread_application.example.id
  identifier_uri = "https://non-verified-host.com"
}

Debug Output

│ Error: creating Application IdentifierUri (Application ID: <redacted>", IdentifierUri ID: "<redacted>"): ApplicationsClient.BaseClient.Patch(): unexpected status 400 with OData error: HostNameNotOnVerifiedDomain: Values of identifierUris property must use a verified domain of the organization or its subdomain: 'https://non-verified-host.com'
│ 
│   with azuread_application_identifier_uri.example_uri,
│   on cdk.tf.json line 90, in resource.azuread_application_identifier_uri.example_uri:
│   90:       }
│ 
│ creating Application IdentifierUri (Application ID:
│ "<redacted>", IdentifierUri ID:
│ "<redacted>"):
│ ApplicationsClient.BaseClient.Patch(): unexpected status 400 with OData
│ error: HostNameNotOnVerifiedDomain: Values of identifierUris property must
│ use a verified domain of the organization or its subdomain:
│ 'https://non-verified-host.com'

Expected Behavior

Applies identifier URI after application creation.

Actual Behavior

Creates application, but fails on applying the identifier URI.

Steps to Reproduce

  1. terraform plan
  2. terraform apply

Workarounds

  • Re-running terraform apply with the same configuration applies the identifier URI without error.
  • If a corresponding service principal is added to the configuration, and a depends_on = azuread_service_principal.example_sp is added to the azuread_application_identifier_uri resource, the identifier URI is applied without error.
@nbaju1 nbaju1 changed the title azuread_application_identifier_uri without verified hostnames not applying on first attempt azuread_application_identifier_uri without verified hostname not applying on first attempt May 27, 2024
@nbaju1 nbaju1 changed the title azuread_application_identifier_uri without verified hostname not applying on first attempt azuread_application_identifier_uri without verified domain not applying on first attempt May 27, 2024
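The second workaround written out as a complete configuration (an added example, not the reporter's own code): the identifier URI resource is forced to wait for the service principal, so the first apply no longer hits HostNameNotOnVerifiedDomain. The resource names and host are the placeholders from the report, and `depends_on` is written as the list HCL requires, which is assumed to be what the reporter meant.

```hcl
# Added example: ordering workaround for an identifier URI on an unverified domain.
# Resource names and the host are placeholders taken from the report above.
resource "azuread_application" "example" {
  display_name = "example"

  lifecycle {
    # identifier_uris is managed by azuread_application_identifier_uri,
    # so ignore drift on the application itself.
    ignore_changes = [identifier_uris]
  }
}

resource "azuread_service_principal" "example_sp" {
  client_id = azuread_application.example.client_id
}

resource "azuread_application_identifier_uri" "example_uri" {
  application_id = azuread_application.example.id
  identifier_uri = "https://non-verified-host.com"

  # Create only after the service principal exists; without this ordering
  # the first apply fails with HostNameNotOnVerifiedDomain (see debug output).
  depends_on = [azuread_service_principal.example_sp]
}
```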

nbaju1 commented May 28, 2024

Just realized that the first workaround is basically the same as the second. Creating the URI resource after the service principal is created will allow the unverified domain, which is most likely due to identifierUris being used for both the application registration identifier and the SAML SSO config, where there is much more freedom in the syntax of the identifier compared to the identifier on the application registration.
So I assume this won't work at all for bare application registrations.
