azuread_application: app_role id can't be specified manually #150
Comments
@ohuk2 I agree you should be able to set an id...but what you're doing doesn't make much sense. That id is the id of the role only. Having it be the same id as some group in your azure ad would be an unfortunate collision. The id is NOT used the value you set to assign a group to a role, if that's what you're trying.
Thanks @drdamour I was just trying to follow the manual AWS app configuration as shown in the link above. Looking at this again, I created an "Enterprise Application" manually in Azure (choosing the AWS gallery application), and compared the resulting App registrations/Manifest. With the Terraform code below I can create an app that gets exposed in "myapps", looks almost identical in the manifest, and that has the SAML configuration exposed. However, when I try to test SSO it fails with "This functionality is not enabled or not available.", even if I tune the manifest to look exactly like the manually created AWS application (again this is where inserting the "id" would be required). Googling a bit gives me a couple of links that suggest that doing this isn't supported, for example: Do you know if creating a working SAML enabled "Enterprise Application" via Terraform is possible, and what might need additional scripting around it? Thanks in advance!
This has been released in version 1.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

    provider "azuread" {
      version = "~> 1.0.0"
    }

    # ... other configuration ...
Hi, I double checked my provider version, but this does not appear in the latest version - I saw that the PR was merged. I really need this functionality. Thanks a lot,
Hi @benoitmenard, to manually specify an app role ID, you'll want to use the new azuread_application_app_role resource.
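The following is an added example illustrating the resolution in the comment above; it is not code from the issue or from the provider's own documentation. It assumes the azuread provider 1.x argument names (azuread_application's `name` and `object_id`, and azuread_application_app_role's `role_id`); the application name, role description, role `value` and the UUID are constructed placeholders. Note, as the earlier comment points out, that `role_id` only identifies the role: setting it does not assign any group to the role, and reusing a group's object ID here would just create a confusing collision.

```hcl
# Added example, not from the issue or the provider docs.
# Pins the provider version the maintainer refers to (1.x syntax assumed).
provider "azuread" {
  version = "~> 1.0.0"
}

# Placeholder application registration (name is constructed).
resource "azuread_application" "example" {
  name = "example-saml-app"
}

# App role with an explicitly chosen ID, instead of the computed one that
# the inline app_role block of azuread_application forces on you.
resource "azuread_application_app_role" "example_role" {
  application_object_id = azuread_application.example.object_id
  allowed_member_types  = ["User"]
  description           = "Example role (placeholder description)"
  display_name          = "Example Role"
  is_enabled            = true
  value                 = "example-role-value" # placeholder claim value

  # Placeholder UUID. This identifies the role itself only; it is not the
  # mechanism for assigning a group to the role, and it should not be the
  # object ID of an existing group.
  role_id = "00000000-0000-4000-8000-000000000001"
}
```

After `terraform apply`, the role appears in the application's manifest with the `id` given in `role_id`; assigning users or groups to that role remains a separate step that this example does not cover.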
Hi, Oh, I missed it. Thanks,
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
I'm trying to provision AD groups and applications in Azure AD for AWS accounts, as described for example in the following document
https://www.cloudreach.com/en/insights/blog/multi-aws-account-federation-with-microsoft-azure-active-directory-as-idp/
Unfortunately, if I specify the AD group I create in the "app_role" block below (see the line highlighted in my template below) I get: Error: "app_role.0.id": this field cannot be set
Looking at the source on https://github.com/terraform-providers/terraform-provider-azuread/blob/1fcdc7197dbf0303d6111d0663c04aa56c3e9684/azuread/resource_application.go (line 103-106) I see that it is "computed", which I guess is why it can't be set manually.
Should the logic here not rather be that if "id" is provided in the terraform template then that id should be used, instead of the computed one?
Below is the Manifest entry I would have liked to see (used "output" to format for the example), where "id": "60ab57eb-2773-4f17-8ed6-e6cab69951b9" is the Azure object ID for the AD group I created:
However this is what my Manifest contains, not sure what Azure object the id below references: