BadRequest when deleting approle/scope after registered both an approle and a scope with the same value

[hkrazure]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

azuread: 2.41.0

Terraform v1.5.6
on linux_amd64

Affected Resource(s)

azuread_application

oauth2_permission_scope

app_role

Terraform Configuration Files

resource "azuread_application" "hkr-test" {
  display_name     = "hkr-test"
  sign_in_audience = "AzureADandPersonalMicrosoftAccount"  

  api {
    requested_access_token_version = 2

    oauth2_permission_scope {
      admin_consent_description  = "hkr"
      admin_consent_display_name = "hkr"
      enabled                    = true
      id                         = "1e723a58-31c9-49d9-8c27-2d3482c1c661"
      type                       = "Admin"
      value                      = "Test.ReadWrite"
    }
}

  app_role {
    allowed_member_types = ["Application"]
    description          = "hkr"
    display_name         = "hkr"
    enabled              = true
    id                   = "1e723a58-31c9-49d9-8c27-2d3482c1c661"
    value                = "Test.ReadWrite"
  }
}

Debug Output

Terraform plan when i try to remove the scope produces the following output:

Terraform will perform the following actions:

  # azuread_application.hkr-test will be updated in-place
  ~ resource "azuread_application" "hkr-test" {
        id                             = "9346ab22-1a05-4825-bd77-23cf2936d20a"
      ~ oauth2_permission_scope_ids    = {
          - "Test.ReadWrite" = "1e723a58-31c9-49d9-8c27-2d3482c1c661"
        } -> (known after apply)
        tags                           = []
        # (14 unchanged attributes hidden)

      ~ api {
            # (3 unchanged attributes hidden)

          - oauth2_permission_scope {
              - admin_consent_description  = "hkr" -> null
              - admin_consent_display_name = "hkr" -> null
              - enabled                    = true -> null
              - id                         = "1e723a58-31c9-49d9-8c27-2d3482c1c661" -> null
              - type                       = "Admin" -> null
              - value                      = "Test.ReadWrite" -> null
            }
        }

        # (6 unchanged blocks hidden)
    }

Panic Output

Expected Behavior

The oauth2_permission_scope and/or app_role should be deleted.

Actual Behavior

I've run my pipeline where I tried to delete the scope, the approle or both the approle and the scope. But all runs fail with the same error in terraform apply:

│ Error: Could not disable OAuth2 Permission Scopes for application with object ID "9346ab22-1a05-4825-bd77-23cf2936d20a"
│ 
│   with azuread_application.hkr-test,
│   on main.tf line 10, in resource "azuread_application" "hkr-test":
│   10: resource "azuread_application" "hkr-test" {
│ 
│ disabling OAuth2 Permission Scopes for Application with object ID
│ "9346ab22-1a05-4825-bd77-23cf2936d20a":
│ ApplicationsClient.BaseClient.Patch(): unexpected status 400 with OData
│ error: Request_BadRequest: The following values must match for the
│ 'oauth2Permissions' and 'appRoles' properties with identifier
│ '1e723a58-31c9-49d9-8c27-2d3482c1c661': (description,
│ adminConsentDescription),(displayName, adminConsentDisplayName),(isEnabled,
│ isEnabled),(origin, origin),(value, value). Ensure that you are intending
│ to have entries with the same identifier, and if so, are updating them
│ together.

The problem seems to be some validation that is run at the wrong time. I read somewhere that terraform disables a scope or an approle before deleting them. I wonder if setting the scope to disabled runs some validation before the scope is eventually deleted. Then the validation would fail because there is an approle with the same value which is expected to have the same value for "isEnabled".

Steps to Reproduce

1. Create an azuread_application with a scope and an approle with the same value.
2. Attempt to remove either the approle, the scope or both of them.

Important Factoids

References

• #0000

[OmnipotentOwl]

This also occurs when using azuread_application_app_role and azuread_application_permission_scope resources in the same setup as above. Looking at the code for the azuread_application_permission_scope resource

terraform-provider-azuread/internal/services/applications/application_permission_scope_resource.go

Lines 381 to 384 in 412898f

	// Disable the existing scope prior to update
	if err = applicationDisableOauth2PermissionScopes(ctx, client, result, &newScopes); err != nil {
	return fmt.Errorf("disabling %s in preparation for deletion: %+v", id, err)
	}

It looks like a disable step occurs before the delete step, but there is no logic to consider if the same id is also an app role and to disable that app role at the same time and remove both simultaneously. Another scenario to consider would also be a case where you are removing either the app role or the permission scope but not both and intending to continue forward with one of them so you would then need to disable and delete the one to be removed and then re-enable the id that was previously shared.