Deprecation notices for application_oauth2_permission{,_scope} and azuread_application_app_role resources #465
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…uread_application_app_role resources Both the azuread_application_app_role and azuread_application_oauth2_permission resources were added to the provider as a workaround for several bugs in our implementations of the corresponding properties in the azuread_application resource. - Both these properties (blocks) are TypeSet, and currently Optional + Computed, which stems from API inconsistencies and (in the case of oauth2 permissions) default values applied by the AAD Graph API. - The `id` field in each of these blocks is Computed (read-only), however there are use cases where it's necessary to be able to specify this field. We couldn't make this field Optional + Computed inside a TypeSet that is also Optional + Computed, due to an upstream limitation / bug. We therefore introduced these virtual resources to enable users to specify an `id` for a role/scope. In version 2.0 both these blocks in the azuread_application resource will lose their Computed field, to eliminate these problems for users: - Although we use `ConfigMode: schema.SchemaConfigModeAttr`, it's not always possible to clear the values of these properties because the actual value in configuration is not exposed to the provider (via either schema.ResourceData or schema.ResourceDiff). - Changes to these properties are not always detected by Terraform when there are no other changes to that same resource, and then the UpdateFunc is never actually invoked. - When updating these fields, the API requires them to be orchestrated so that each role/scope is first disabled before updating or removing it. With `id` being Computed, we have no way to identify which role/scope was updated by the user and so we have no choice but to disable all of them, before making our changes and quickly re-enabling them. This causes momentary outages for users and has sometimes left roles/scopes disabled after the fact due to an API bug ignoring our re-enable request (breaking customers' applications). All of these issues are fixed in v2.0, by way of removing the Computed field from these properties. This means we can no longer support these virtual resources, but also that they are no longer needed, so in v2.0 they will be removed.
…2_permission{,_scope} resources
|
This functionality has been released in v1.6.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Both the
azuread_application_app_roleandazuread_application_oauth2_permissionresources were added to the provider as a workaround for several bugs in our
implementations of the corresponding properties in the
azuread_applicationresource.which stems from API inconsistencies and (in the case of oauth2 permissions)
default values applied by the AAD Graph API.
idfield in each of these blocks is Computed (read-only),however there are use cases where it's necessary to be able to specify
this field. We couldn't make this field Optional + Computed inside a TypeSet
that is also Optional + Computed, due to an upstream limitation / bug.
We therefore introduced these virtual resources to enable users to specify an
idfor a role/scope.In version 2.0 both these blocks in the azuread_application resource
will lose their Computed field, to eliminate these problems for users:
ConfigMode: schema.SchemaConfigModeAttr, it's notalways possible to clear the values of these properties because the
actual value in configuration is not exposed to the provider (via
either schema.ResourceData or schema.ResourceDiff).
there are no other changes to that same resource, and then the
UpdateFunc is never actually invoked.
so that each role/scope is first disabled before updating or removing
it. With
idbeing Computed, we have no way to identify whichrole/scope was updated by the user and so we have no choice but to
disable all of them, before making our changes and quickly re-enabling
them. This causes momentary outages for users and has sometimes left
roles/scopes disabled after the fact due to an API bug ignoring our
re-enable request (breaking customers' applications).
All of these issues will be fixed in v2.0, by way of removing the Computed
field from these properties. This means we can no longer support these
virtual resources, but also that they are no longer needed, so in v2.0
they will be removed.