
azuread_application: app_role id can't be specified manually #150

Closed
ohuk2 opened this issue Sep 24, 2019 · 8 comments · Fixed by #298

Comments


ohuk2 commented Sep 24, 2019

I'm trying to provision AD groups and applications in Azure AD for AWS accounts, as described for example in the following document
https://www.cloudreach.com/en/insights/blog/multi-aws-account-federation-with-microsoft-azure-active-directory-as-idp/

Unfortunately, if I specify the AD group I create in the "app_role" block below (see the line highlighted in my template below) I get: Error: "app_role.0.id": this field cannot be set

Looking at the source on https://github.com/terraform-providers/terraform-provider-azuread/blob/1fcdc7197dbf0303d6111d0663c04aa56c3e9684/azuread/resource_application.go (line 103-106) I see that it is "computed", which I guess is why it can't be set manually.

Should the logic here not rather be that if "id" is provided in the terraform template then that id should be used, instead of the computed one?

[root@5578ed8c70dd /]# terraform -v
Terraform v0.12.9
+ provider.aws v2.28.1
+ provider.azuread v0.6.0

=====
provider "azuread" {}
provider "aws" {region = "eu-west-1"}

variable "aws-account-id" {}
variable "aws-role-name" {}

locals {
   group = "AWS-${var.aws-account-id}-${var.aws-role-name}"
}

resource "azuread_group" "example" {
   name = "${local.group}"
}


resource "azuread_application" "example" {
  name                       = "AWS-${var.aws-account-id}"
  homepage                   = "https://signin.aws.amazon.com/all_role"
  identifier_uris            = ["https://signin.aws.amazon.com/saml#${var.aws-account-id}"]
  reply_urls                 = ["https://signin.aws.amazon.com/saml"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
  type                       = "webapp/api"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    resource_access {
      id   = "${azuread_group.example.id}"
      type = "Role"
    }
  }

  app_role {
      allowed_member_types = [ "User" ]
      description = "Role mapped from AD group AWS-${var.aws-account-id}-${var.aws-role-name}"
      display_name = "10x-test-adminaccess,Azure-AD-2"
      is_enabled = true
#      id   = "${azuread_group.example.id}"    # <<<<====== OFFENDING LINE =======
      value = "arn:aws:iam::${var.aws-account-id}:role/${var.aws-role-name},arn:aws:iam::${var.aws-account-id}:saml-provider/Azure-AD-2"
  }
}

resource "azuread_service_principal" "example" {
   application_id = azuread_application.example.application_id
   tags = [
    "WindowsAzureActiveDirectoryIntegratedApp",
  ]
}

Below is the Manifest entry I would have liked to see (used "output" to format for the example), where "id": "60ab57eb-2773-4f17-8ed6-e6cab69951b9" is the Azure object ID for the AD group I created:

azuread_group.example: Creation complete after 10s [id=60ab57eb-2773-4f17-8ed6-e6cab69951b9]
...
azure-appreg-manifest = {
   "allowedMemberTypes": [
       "User"
   ],
   "description": "Role mapped from AD group AWS-000000000000-x10-test-adminaccess",
   "displayName": "10x-test-adminaccess,Azure-AD-2",
   "id": "60ab57eb-2773-4f17-8ed6-e6cab69951b9",
   "isEnabled": true,
   "lang": null,
   "origin": "Application",
   "value": "arn:aws:iam::000000000000:role/x10-test-adminaccess,arn:aws:iam::000000000000:saml-provider/Azure-AD-2"
}

However this is what my Manifest contains, not sure what Azure object the id below references:

	"appRoles": [
		{
			"allowedMemberTypes": [
				"User"
			],
			"description": "Role mapped from AD group AWS-000000000000-x10-test-adminaccess",
			"displayName": "10x-test-adminaccess,Azure-AD-2",
			"id": "c2dd5cdd-4015-4902-8da8-e9137b49635e",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "arn:aws:iam::000000000000:role/x10-test-adminaccess,arn:aws:iam::000000000000:saml-provider/Azure-AD-2"
		}
	]

    .....

"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "60ab57eb-2773-4f17-8ed6-e6cab69951b9",
					"type": "Role"
				}
			]
		}
	],
@drdamour

@ohuk2 I agree you should be able to set an id... but what you're doing doesn't make much sense. That id is the id of the role only. Having it be the same id as some group in your Azure AD would be an unfortunate collision. The id is NOT used as the value you set to assign a group to a role, if that's what you're trying.


ohuk2 commented Jan 29, 2020

Thanks @drdamour, I was just trying to follow the manual AWS app configuration as shown in the link above. Looking at this again, I created an "Enterprise Application" manually in Azure (choosing the AWS gallery application), and compared the resulting App registrations/Manifest. With the Terraform code below I can create an app that gets exposed in "myapps", looks almost identical in the manifest, and that has the SAML configuration exposed. However, when I try to test SSO it fails with "This functionality is not enabled or not available.", even if I tune the manifest to look exactly like the manually created AWS application (again this is where inserting the "id" would be required).

Googling a bit gives me a couple of links that suggest that doing this isn't supported, for example:
https://stackoverflow.com/questions/57083707/how-to-create-a-new-enterprise-application-with-saml-sso-in-azure-ad-using-graph

Do you know if creating a working SAML enabled "Enterprise Application" via Terraform is possible, and what might need additional scripting around it?

Thanks in advance!


provider "azuread" {}
provider "aws" {region = "eu-west-1"}

variable "aws-account-id" {
  type    = string
  default = "123456789012"
}

variable "aws-env-name" {
  type    = string
  default = "nonprod"
}

variable "aws-role-name-devops" {
  type    = string
  default = "devops"
}

resource "azuread_application" "example" {
  name                       = "AWS (${var.aws-env-name})"
  homepage                   = "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z"
  identifier_uris            = ["https://signin.aws.amazon.com/saml#${var.aws-account-id}"]
  reply_urls                 = ["https://signin.aws.amazon.com/saml"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
  type                       = "webapp/api"

  app_role {
      allowed_member_types = [ "User" ]
      description = "Role for DevOps members - Administrative"
      display_name = "AWS-devops"
      is_enabled = true
      value = "arn:aws:iam::${var.aws-account-id}:role/devops-lab,arn:aws:iam::${var.aws-account-id}:saml-provider/AzureAD-lab"
  }

  app_role {
      allowed_member_types = [ "User" ]
      description = "msiam_access"
      display_name = "msiam_access"
      is_enabled = true
#      id = "7dfd756e-8c27-4472-b2b7-38c17fc5de5e"
      value = null
  }

}

resource "azuread_service_principal" "example" {
   application_id = azuread_application.example.application_id
# Tag usage:
#    "WindowsAzureActiveDirectoryCustomSingleSignOnApplication" exposes the SAML configuration panel
#    "WindowsAzureActiveDirectoryIntegratedApp" exposes the application in myapps
   tags = [
    "AppServiceIntegratedApp",
    "WindowsAzureActiveDirectoryIntegratedApp",
    "WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
    "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1"
  ]
}

@drdamour

@ohuk2 again you wouldn't assign the id like that...but if there has been some progress on a workaround to get SAML working, read through #173


ghost commented Sep 3, 2020

This has been released in version 1.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azuread" {
    version = "~> 1.0.0"
}
# ... other configuration ...


rkitron commented Sep 9, 2020

Hi,

I double checked my provider version, but this does not appear in the latest version - I saw that the PR was merged.

I really need this functionality.

Thanks a lot,
Benoit

@manicminer (Member)

Hi @benoitmenard, to manually specify an app role ID, you'll want to use the new azuread_application_app_role resource.
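
Added example, not code from the issue or from the provider's own documentation: a provider 1.x configuration that sets the app role id explicitly through the separate azuread_application_app_role resource that @manicminer points to, and keeps the role id distinct from the group's object id (the collision @drdamour describes in the first reply). The attribute names of azuread_application_app_role (application_object_id, role_id) and of azuread_app_role_assignment (app_role_id, principal_object_id, resource_object_id) are given as I recall them from the 1.x docs and should be checked against the documentation of the exact provider version you pin; the azuread_app_role_assignment resource is assumed to be available in a later 1.x release. Every UUID, account id and ARN below is constructed for the example.

```hcl
# Added example (not from the issue or the provider docs). Attribute names
# follow the azuread 1.x documentation as recalled; verify them against the
# docs for the provider version you pin. All ids and ARNs are constructed.

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 1.0"
    }
  }
}

provider "azuread" {}

variable "aws-account-id" {
  type    = string
  default = "123456789012" # constructed
}

# The group whose members should get the role. Its object id is NOT reused as
# the role id: the role id identifies the role itself and must be unique
# within the application, so copying the group id into it only risks a
# collision and does not grant the group anything.
resource "azuread_group" "devops" {
  name = "AWS-${var.aws-account-id}-devops"
}

# No inline app_role block here: with provider 1.x the roles are declared as
# separate azuread_application_app_role resources instead, which is what
# allows role_id to be chosen rather than computed.
resource "azuread_application" "aws" {
  name                       = "AWS-${var.aws-account-id}"
  identifier_uris            = ["https://signin.aws.amazon.com/saml#${var.aws-account-id}"]
  reply_urls                 = ["https://signin.aws.amazon.com/saml"]
  available_to_other_tenants = false
  type                       = "webapp/api"
}

# A fixed, pre-chosen role id keeps the manifest reproducible across tenants
# and re-creations; the UUID is a constructed placeholder.
resource "azuread_application_app_role" "devops" {
  application_object_id = azuread_application.aws.id
  allowed_member_types  = ["User"]
  description           = "Role mapped from AD group AWS-${var.aws-account-id}-devops"
  display_name          = "AWS-devops"
  is_enabled            = true
  role_id               = "11111111-2222-4333-8444-555555555555" # constructed
  value                 = "arn:aws:iam::${var.aws-account-id}:role/devops,arn:aws:iam::${var.aws-account-id}:saml-provider/AzureAD"
}

resource "azuread_service_principal" "aws" {
  application_id = azuread_application.aws.application_id
}

# Granting the role to the group is a separate app role assignment on the
# service principal. This is the step the original template tried to express
# by setting app_role.id to the group id. (Resource assumed to exist in a
# later 1.x release; check its argument names for your version.)
resource "azuread_app_role_assignment" "devops" {
  app_role_id         = azuread_application_app_role.devops.role_id
  principal_object_id = azuread_group.devops.id
  resource_object_id  = azuread_service_principal.aws.id
}
```

After `terraform apply`, the application manifest's appRoles entry carries the chosen role_id, and the group appears under the service principal's users and groups with that role; reviewing the assignment resource in state is then the place to audit who holds the AWS role mapping, rather than inspecting the manifest id.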


rkitron commented Sep 14, 2020

Hi,

Oh, I missed it.

Thanks,
Benoit,


ghost commented Oct 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Oct 4, 2020