
azuread_group_role_management_policy does not apply all settings on the first run #1517

Open
c-mehring opened this issue Oct 4, 2024 · 3 comments

Comments

@c-mehring

c-mehring commented Oct 4, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • Terraform Version: 1.5.7
  • Azuread Version: 2.53.1 and 3.0.2

Affected Resource(s)

  • azuread_group_role_management_policy

Terraform Configuration Files

resource "azuread_group" "example_group" {
  security_enabled        = true
  display_name            = "example-group"
}


resource "azuread_group_role_management_policy" "policycfg" {
  group_id   = azuread_group.example_group.object_id
  role_id    = "member"

  eligible_assignment_rules {
    expiration_required = false
  }

  # role activations by admin or user request
  activation_rules {
    maximum_duration      = "PT12H"
    require_approval      = true
    require_ticket_info   = false # text or ticket-url in justification text
    require_justification = true
    approval_stage {
      # user requests have to be approved
      primary_approver {
        object_id = "YYYY"
        type      = "groupMembers"
      }
    }
  }

  # assignments by admin without request
  active_assignment_rules {
    expire_after          = "P15D"
    require_ticket_info   = false # text or ticket-url in justification text
    require_justification = true
  }

  notification_rules {

    eligible_assignments {
      admin_notifications {
        default_recipients = false
        notification_level = "All"
      }
      approver_notifications {
        default_recipients = false
        notification_level = "All"
      }
      assignee_notifications {
        default_recipients = false
        notification_level = "All"
      }
    }

    eligible_activations {
      admin_notifications {
        default_recipients = true
        notification_level = "Critical"
      }
      approver_notifications {
        default_recipients = true
        notification_level = "All"
      }
      assignee_notifications {
        default_recipients = true
        notification_level = "All"
      }
    }

    active_assignments {
      admin_notifications {
        default_recipients = true
        notification_level = "Critical"
      }
      approver_notifications {
        default_recipients = true
        notification_level = "All"
      }
      assignee_notifications {
        default_recipients = true
        notification_level = "All"
      }
    }
  }
}

Debug Output

2024-10-02T11:53:43.800Z [INFO]  provider.terraform-provider-azuread_v2.53.1_x5: 2024/10/02 11:53:43 [DEBUG] ============================ Begin AzureAD Request ============================
Request ID: a3795a5b-5bf7-2e11-5fb4-f36c6f72b65c

PATCH /v1.0/policies/roleManagementPolicies/Group_XXX_YYYY HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.5.7 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azuread/2.53.1 Hamilton (Go-http-client/1.1) VSTS_65240061-4932-4714-8bc4-ea42635f82b2_build_15_0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 5335
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

{"id":"Group_XXX_YYY","rules":[{"id":"Expiration_Admin_Eligibility","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyExpirationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Eligibility","operations":["all"]},"isExpirationRequired":false,"maximumDuration":"P365D"},{"id":"Enablement_Admin_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyEnablementRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"enabledRules":["Justification"]},{"id":"Expiration_Admin_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyExpirationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"isExpirationRequired":false,"maximumDuration":"P15D"},{"id":"Expiration_EndUser_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyExpirationRule","target":{"caller":"EndUser","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"maximumDuration":"PT12H"},{"id":"Approval_EndUser_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyApprovalRule","target":{"caller":"EndUser","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"setting":{"isApprovalRequired":true,"approvalStages":[{"primaryApprovers":[{"@odata.type":"#microsoft.graph.groupMembers","groupId":"YYYY"}]}]}},{"id":"Enablement_EndUser_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyEnablementRule","target":{"caller":"EndUser","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"enabledRules":["Justification"]},{"id":"Notification_Admin_Admin_Eligibility","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Eligibility","operations":["all"]},"isDefaultRecipientsEnabled":false,"notificationLevel":"All","notificationRecipients":[],"notificationType":"Email","recipientType":"Admin"},{"id":"Notification_Admin_Admin_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"isDefaultRecipientsEnabled":true,"notificationLevel":"Critical","notificationRecipients":[],"notificationType":"Email","recipientType":"Admin"},{"id":"Notification_Admin_EndUser_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"EndUser","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"isDefaultRecipientsEnabled":true,"notificationLevel":"Critical","notificationRecipients":[],"notificationType":"Email","recipientType":"Admin"},{"id":"Notification_Approver_Admin_Eligibility","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Eligibility","operations":["all"]},"isDefaultRecipientsEnabled":false,"notificationLevel":"All","notificationRecipients":[],"notificationType":"Email","recipientType":"Approver"},{"id":"Notification_Approver_Admin_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"isDefaultRecipientsEnabled":true,"notificationLevel":"All","notificationRecipients":[],"notificationType":"Email","recipientType":"Approver"},{"id":"Notification_Approver_EndUser_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"EndUser","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"isDefaultRecipientsEnabled":true,"notificationLevel":"All","notificationRecipients":[],"notificationType":"Email","recipientType":"Approver"},{"id":"Notification_Requestor_Admin_Eligibility","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Eligibility","operations":["all"]},"isDefaultRecipientsEnabled":false,"notificationLevel":"All","notificationRecipients":[],"notificationType":"Email","recipientType":"Requestor"},{"id":"Notification_Requestor_Admin_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"Admin","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"isDefaultRecipientsEnabled":true,"notificationLevel":"All","notificationRecipients":[],"notificationType":"Email","recipientType":"Requestor"},{"id":"Notification_Requestor_EndUser_Assignment","@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyNotificationRule","target":{"caller":"EndUser","enforcedSettings":[],"inheritableSettings":[],"level":"Assignment","operations":["all"]},"isDefaultRecipientsEnabled":true,"notificationLevel":"All","notificationRecipients":[],"notificationType":"Email","recipientType":"Requestor"}]}
============================= End AzureAD Request =============================: timestamp=2024-10-02T11:53:43.799Z
2024-10-02T11:53:44.044Z [INFO]  provider.terraform-provider-azuread_v2.53.1_x5: 2024/10/02 11:53:44 [DEBUG] ============================ Begin AzureAD Response ===========================
GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?%24expand=%2A&%24filter=scopeType+eq+%27Group%27+and+scopeId+eq+%27XXX%27+and+policyId+eq+%27Group_XXX_YYYY%27
Request ID: a642659a-235f-42e3-ca62-1811a030b5b1

HTTP/2.0 200 OK
Cache-Control: private
Client-Request-Id: ebe4bb4f-c63e-4092-ad2d-76b7388dd323
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Wed, 02 Oct 2024 11:53:43 GMT
Odata-Version: 4.0
Request-Id: ebe4bb4f-c63e-4092-ad2d-76b7388dd323
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"006","RoleInstance":"AM1PEPF00027E55"}}

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicyAssignments(policy())","value":[{"id":"Group_XXX_YYYY_member","policyId":"Group_XXX_YYYY","scopeId":"XXX","scopeType":"Group","roleDefinitionId":"member","policy":{"id":"Group_XXX_YYYY","displayName":"Group","description":"Group","isOrganizationDefault":false,"scopeId":"XXX","scopeType":"Group","lastModifiedDateTime":null,"lastModifiedBy":{"displayName":null,"id":null}}}]}
============================= End AzureAD Response ============================: timestamp=2024-10-02T11:53:44.044Z
2024-10-02T11:53:44.047Z [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/azuread\"]" produced an unexpected new value for module.appcontainer-support_group-pim.azuread_group_role_management_policy.policycfg["member"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .activation_rules[0].maximum_duration: was cty.StringVal("PT12H"), but now cty.StringVal("PT8H")
      - .activation_rules[0].require_approval: was cty.True, but now cty.False
      - .active_assignment_rules[0].expire_after: was cty.StringVal("P15D"), but now cty.StringVal("P180D")
      - .eligible_assignment_rules[0].expiration_required: was cty.False, but now cty.True
      - .notification_rules[0].active_assignments[0].admin_notifications[0].notification_level: was cty.StringVal("Critical"), but now cty.StringVal("All")
      - .notification_rules[0].eligible_activations[0].admin_notifications[0].notification_level: was cty.StringVal("Critical"), but now cty.StringVal("All")
      - .notification_rules[0].eligible_assignments[0].admin_notifications[0].default_recipients: was cty.False, but now cty.True
      - .notification_rules[0].eligible_assignments[0].approver_notifications[0].default_recipients: was cty.False, but now cty.True
      - .notification_rules[0].eligible_assignments[0].assignee_notifications[0].default_recipients: was cty.False, but now cty.True
azuread_group_role_management_policy.policycfg: Creation complete after 5s [id=Group_XXX_YYYY]

Panic Output

Expected Behavior

Policy with all configured properties should be created on the first apply.

Actual Behavior

A lot of fields are not set to their expected values. See the end of the debug output.

Steps to Reproduce

  1. Make sure to create a new, non-existing group.
  2. The initial terraform apply produces the warning seen in the debug output.
  3. Running terraform apply again updates the policy to its expected values.

Am I missing something here? Because running apply again corrects the state to the expected result. So I assume something goes wrong during object creation?

I would appreciate any help to create a stable pipeline.

Important Factoids

References
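As an added example (not from the issue author or the provider), a small Python check that parses the "produced an unexpected new value" warning entries from the debug output above and flags only the attributes where the policy that was actually created is less restrictive than the configuration asked for: approval no longer required, assignments living longer than configured. This is the state the first apply leaves behind until the second apply corrects it, so a pipeline can fail on it instead of silently accepting it. The sample lines are a constructed copy of four entries from the warning; the set of "stricter when true" attributes is an assumption based on the resource's attribute names.

```python
import re

# Constructed sample: four of the warning entries from the debug output above.
SAMPLE_WARNING = """
      - .activation_rules[0].maximum_duration: was cty.StringVal("PT12H"), but now cty.StringVal("PT8H")
      - .activation_rules[0].require_approval: was cty.True, but now cty.False
      - .active_assignment_rules[0].expire_after: was cty.StringVal("P15D"), but now cty.StringVal("P180D")
      - .eligible_assignment_rules[0].expiration_required: was cty.False, but now cty.True
"""
# One "- .path: was X, but now Y" entry per line, as the legacy-SDK warning prints them.
LINE_RE = re.compile(
    r"-\s+(?P<path>\.\S+?):\s+was (?P<was>cty\.\S+?), but now (?P<now>cty\.\S+)$", re.M)
# Assumed: attributes where True is the stricter setting, and where shorter is stricter.
STRICT_WHEN_TRUE = {"require_approval", "require_justification",
                    "require_ticket_info", "expiration_required"}
DURATIONS = {"maximum_duration", "expire_after"}

def parse_cty(token):
    """Turn cty.True / cty.False / cty.StringVal("...") into a Python value."""
    if token in ("cty.True", "cty.False"):
        return token == "cty.True"
    if (m := re.fullmatch(r'cty\.StringVal\("(.*)"\)', token)):
        return m.group(1)
    raise ValueError(f"unsupported cty literal: {token}")

def iso_duration_hours(value):
    """ISO 8601 duration with days/hours/minutes (the forms PIM uses) -> hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours + minutes / 60

def weakened(path, desired, actual):
    """True when the actual value is less restrictive than the desired one."""
    attr = path.rsplit(".", 1)[-1]
    if attr in STRICT_WHEN_TRUE:
        return desired is True and actual is False
    if attr in DURATIONS:
        return iso_duration_hours(actual) > iso_duration_hours(desired)
    return False  # notification settings and others: drift, but not a loosening

def find_weakened(warning_text):
    """Return [(path, desired, actual)] for every drift that loosens the policy."""
    hits = []
    for m in LINE_RE.finditer(warning_text):
        desired, actual = parse_cty(m["was"]), parse_cty(m["now"])
        if weakened(m["path"], desired, actual):
            hits.append((m["path"], desired, actual))
    return hits
```

Feed it the warning block captured from the apply log; a non-empty result means the created policy is weaker than intended and the run should not be treated as successful until a second apply has converged.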

@mirone85

mirone85 commented Oct 7, 2024

same issue here

@Bezzingo

Bezzingo commented Oct 8, 2024

Same problem here

@DevopsMercenary

DevopsMercenary commented Oct 16, 2024

Similar problem, maybe the same. Though my Entra isn't updated, and this happens every time.

https://gist.github.com/DevopsMercenary/e96658903d5aead862c9a47d1226fa1f

Terraform v1.9.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azuread v3.0.2
+ provider registry.terraform.io/hashicorp/azurerm v4.5.0
+ provider registry.terraform.io/hashicorp/random v3.6.3
