Identifier URI created with ApplicationIdentifierUri is lost on Application update #1036

Open
lukaskabrt opened this issue May 3, 2024 · 3 comments
Labels
area/docs Improvements or additions to documentation kind/bug Some behavior is incorrect or out of spec

Comments

lukaskabrt commented May 3, 2024

What happened?

I am trying to set the Identifier URI for an Azure AD Application using ApplicationIdentifierUri:

        var applicationArgs = new Pulumi.AzureAD.ApplicationArgs
        {
            DisplayName = configuration.Api.Name
        };
        var application = new Pulumi.AzureAD.Application("entraid-app", applicationArgs);

        _ = new Pulumi.AzureAD.ApplicationIdentifierUri("entraid-app-api-identifier", new()
        {
            ApplicationId = application.Id,
            IdentifierUri = application.ClientId.Apply(id => $"api://{id}")
        });

This code works as expected and creates the application with the specified Identifier URI. However, if I make any change to the Application resource e.g.

var applicationArgs = new Pulumi.AzureAD.ApplicationArgs
{
    DisplayName = configuration.Api.Name,
    Web = new ApplicationWebArgs
    {
        ImplicitGrant = new ApplicationWebImplicitGrantArgs { AccessTokenIssuanceEnabled = true },
    }
};

and run pulumi up, the change is applied, but the Identifier URI is removed from the application in Azure AD. The ApplicationIdentifierUri still exists in the Pulumi stack, but the Identifier URI doesn't exist in the actual Azure AD application.

Example

Please, see description.

Output of pulumi about

CLI
Version 3.114.0
Go Version go1.22.2
Go Compiler gc

Plugins
KIND NAME VERSION
language dotnet unknown

Host
OS Microsoft Windows 11 Enterprise
Version 10.0.22621 Build 22621
Arch x86_64

This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='8.0.300-preview.24203.14'

Dependencies:
NAME VERSION
Pulumi 3.62.0
Pulumi.AzureAD 5.48.0
Pulumi.AzureNative 2.38.0
Pulumi.Random 4.16.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@lukaskabrt lukaskabrt added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels May 3, 2024
Contributor

thomas11 commented May 7, 2024

Hi @lukaskabrt, thank you for reporting this. This behavior is expected but unfortunately we failed to document it in this case. The problem is that application identifier URIs can be managed either through the Application resource or as stand-alone resources (as in your case).

You can either manage your ApplicationIdentifierUri entirely inside the Application resource, via the IdentifierUris property, or set new CustomResourceOptions { IgnoreChanges = { "IdentifierUris" } } on the Application resource to tell Pulumi to disregard that property for updates (full docs here).

@thomas11 thomas11 added area/docs Improvements or additions to documentation and removed needs-triage Needs attention from the triage team labels May 7, 2024
@lukaskabrt
Author

Hi @thomas11, thank you for your suggestion. Unfortunately, it seems that the approach with new CustomResourceOptions { IgnoreChanges = { "IdentifierUris" } } doesn't work. The result is the same as in the original report.

I am no expert on Pulumi internals, but from the linked docs it makes sense.

The ignoreChanges resource option specifies a list of properties that Pulumi will ignore when it updates existing resources. Pulumi ignores a property by using the old value from the state instead of the value provided by the Pulumi program when determining whether an update or replace is needed.

My understanding is that IgnoreChanges prevents Pulumi from triggering an update when the property changes, but when some other property changes the resource is updated as a whole. Since Application resource and ApplicationIdentifierUri resource maintain separate states, there is no record of the identifier URIs value in the application state, so it is removed.

At the moment I am using the second approach and manage application identifier URIs in the Application resource, but this prevents us from using the standard URI format api://CLIENT_ID, because the client ID is not known at the time of application creation.

Contributor

thomas11 commented May 7, 2024

Hi @lukaskabrt, it looks like I made a small mistake in my code snippet. It should be { IgnoreChanges = { "identifierUris" } } (camelCase identifier). Could you try again with that?

My understanding is that IgnoreChanges prevents Pulumi from triggering an update when the property changes, but when some other property changes the resource is updated as a whole.

Not quite. When some other property changes and the resource is updated, the property marked with ignoreChanges will be updated with its original value from creation, if any. So if it wasn't specified at all at creation, it should be ignored.
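
The setup proposed in the last comment, written out as a complete Pulumi C# program. This is an added example, not code posted by either participant, and the thread does not confirm that it resolves the issue; the display name `example-api` and the `expectedIdentifierUri` output name are placeholders.

```csharp
// Added example: stand-alone ApplicationIdentifierUri from the report,
// combined with the ignoreChanges option suggested in the thread.
using System.Collections.Generic;
using Pulumi;
using Pulumi.AzureAD.Inputs;

return await Deployment.RunAsync(() =>
{
    var application = new Pulumi.AzureAD.Application("entraid-app",
        new Pulumi.AzureAD.ApplicationArgs
        {
            DisplayName = "example-api", // placeholder display name
            Web = new ApplicationWebArgs
            {
                ImplicitGrant = new ApplicationWebImplicitGrantArgs
                {
                    AccessTokenIssuanceEnabled = true,
                },
            },
            // IdentifierUris is deliberately not set here: the URI is
            // owned by the stand-alone resource below.
        },
        new CustomResourceOptions
        {
            // Property path in camelCase, as corrected in the thread.
            IgnoreChanges = { "identifierUris" },
        });

    var identifierUri = new Pulumi.AzureAD.ApplicationIdentifierUri(
        "entraid-app-api-identifier", new()
        {
            ApplicationId = application.Id,
            IdentifierUri = application.ClientId.Apply(id => $"api://{id}"),
        });

    // Stack output holding the intended URI, for comparison with what the
    // app registration actually contains after an update.
    return new Dictionary<string, object?>
    {
        ["expectedIdentifierUri"] = identifierUri.IdentifierUri,
    };
});
```

After changing any other Application property and running pulumi up, compare the `expectedIdentifierUri` output with the identifier URIs on the app registration to see whether the URI survived the update.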
