Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_azuread_service_principal does not always find a Service Principal #1844

Closed
steve-hawkins opened this issue Aug 30, 2018 · 8 comments · Fixed by #1862
Closed

azurerm_azuread_service_principal does not always find a Service Principal #1844

steve-hawkins opened this issue Aug 30, 2018 · 8 comments · Fixed by #1862
Labels
bug service/authentication v/1.x (legacy)

Comments

@steve-hawkins
Copy link
Contributor

steve-hawkins commented Aug 30, 2018
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8

  • provider.azurerm v1.13.0

Affected Resource(s)

Data Source: azurerm_azuread_service_principal

Terraform Configuration Files

variable "application_name" {
  type = "string"
}

resource "azurerm_azuread_application" "test" {
  name = "${var.application_name}"
}

resource "azurerm_azuread_service_principal" "test" {
  application_id = "${azurerm_azuread_application.test.application_id}"
}

data "azurerm_azuread_service_principal" "test" {
  application_id = "${azurerm_azuread_application.test.application_id}"
}

output "spn_object_id" {
  value = "${data.azurerm_azuread_service_principal.test.id}"
}

Debug Output

gist

Panic Output

N/A

Expected Behavior

The Application Registration Service Principal Object ID should be returned

Actual Behavior

A Service Principal for Application ID was not found

Steps to Reproduce

This part is hard to document as I have only noticed it on three out of five current Application Registrations. I will add more here if I can find an issue with the actual Application Registrations, but as I mention in the section below using the Azure CLI I can find the Service Principal Object ID for all the five Application Registrations I have created.

  1. terraform apply

Important Factoids

az ad sp show --id '[REDACTED]'

{
  "accountEnabled": true,
  "addIns": [],
  "alternativeNames": [],
  "appDisplayName": "test_application",
  "appId": "[REDACTED]",
  "appOwnerTenantId": "[REDACTED]",
  "appRoleAssignmentRequired": false,
  "appRoles": [],
  "deletionTimestamp": null,
  "displayName": "test_application",
  "errorUrl": null,
  "homepage": "http://test_application",
  "keyCredentials": [],
  "logoutUrl": null,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access test_application on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access test_application",
      "id": "[REDACTED]",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access test_application on your behalf.",
      "userConsentDisplayName": "Access test_application",
      "value": "user_impersonation"
    }
  ],
  **"objectId": "[REDACTED]",
  "objectType": "ServicePrincipal",**
  "odata.metadata": "https://graph.windows.net/[REDACTED]/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal/@Element",
  "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
  "passwordCredentials": [],
  "preferredTokenSigningKeyThumbprint": null,
  "publisherName": "Steve Limited",
  "replyUrls": [],
  "samlMetadataUrl": null,
  "servicePrincipalNames": [
    "http://test_application",
    "[REDACTED]"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}

References

N/A
@steve-hawkins steve-hawkins mentioned this issue Aug 30, 2018
Closed
@tiwood
Copy link
Contributor

tiwood commented Aug 30, 2018

I think I've found the issue. Any chance you have +100 Service Principals in your Azure AD tenant?
Currently only the first 100 results are included in the API response.

Even if that is not the case in your environment, I'm going to create a PR to fix this. This also affects the other azuread* resources.

@gvilarino
Copy link

@tiwood I just tried this. I do not have 100+ SPNs in my Azure AD tenant and still experiencing the same error described in the issue.

@tiwood
Copy link
Contributor

tiwood commented Aug 30, 2018

@gvilarino, are you sure? I've just checked on my side and I have way over 150 Service Principals, were many of them are sort of 'builtin'.
Remember, most Microsoft Services use Service Principals to access the Graph too.

You can check that with pwsh:
(Get-AzureRmADServicePrincipal).Count

@gvilarino
Copy link

gvilarino commented Aug 30, 2018
edited
Loading

Ok @tiwood, after more carful inspection it seems I may have more.

I don't use Windows so I can't use PowerShell (non-win version is severly bugged/limited) so I tried this in Azure CLI 2.0:

az ad sp list --query "length(@)"

This returns way over 100. (Is this the correct command?)

However, I do have under 100 Azure AD apps. Again, the extremely frustrating naming they used (in the portal, SPNs are named Enterprise Applications and apps App Registrations)

@tiwood
Copy link
Contributor

tiwood commented Aug 30, 2018
edited
Loading

This returns way over 100. (Is this the correct command?)

Yes, this is the correct command. If you are over 100 then you will have issues with the current iteration of the azuread resources.

Service Principal (Enterprise Registration)

  • is unique to your Azure AD tenant
  • is used to authenticate against various APIs (Graph, Azure AD, etc.
  • is like a user account
  • is called Enterprise Registration (You register an Enterprise Application, which results in an Enterprise Registration or Service Principal 🤓️)

Application (Enterprise Application)

  • is the global representation of you application and contains (potential) global properties.
  • needs a registration in your Azure AD tenant to access stuff (again Registration --> Enterprise Registration (Service Principal)
  • can have n representations in form of Service principals (registrations in n Azure ADs)

This is a pretty good and short writeup.

@gvilarino
Copy link

gvilarino commented Aug 30, 2018
edited
Loading

Thanks for clarifying @tiwood. I hope the fix lands soon :)

Also, do you happen to know a good place to understand where/how to grant permissions described by @steve-hawkins here? I tried it before but wasn't successful

@steve-hawkins
Copy link
Contributor Author

@tiwood we are well over 100, so that might be part of the issue

I know there are SPs that have been created recently that do return the correct Object ID and I cannot find an obvious difference, here is a gist of a successful attempt

@tiwood tiwood mentioned this issue Sep 4, 2018
Merged
@ghost
Copy link

ghost commented Mar 6, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 6, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug service/authentication v/1.x (legacy)
Projects
None yet
Milestone
No milestone
5 participants
@tombuildsstuff @gvilarino @tiwood @steve-hawkins @catriona-m