Cannot destroy AppRegistration virtual resources #1352

Open
joaocc opened this issue Apr 8, 2024 · 0 comments

joaocc commented Apr 8, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.5.7
on linux_arm64

"registry.terraform.io/hashicorp/azuread"
version = "2.47.0"

Affected Resource(s)

azuread_application_app_role
azuread_application_api_access
azuread_application_redirect_uris

Terraform Configuration Files

resource "azuread_application_app_role" "roles" {
  for_each = var.aad_sso_defs.app_roles

  application_id       = azuread_application_registration.this.id
  role_id              = random_uuid.role_id[(each.key)].id
  allowed_member_types = sort(coalesce((each.value).allowed_member_types, ["User"]))
  description          = (each.value).description
  display_name         = coalesce((each.value).name, (each.key))
  value                = (each.value).value
}

resource "azuread_application_api_access" "this" {
  for_each = try(var.aad_sso_defs.api_permissions, {})

  application_id = azuread_application_registration.this.id
  api_client_id  = data.azuread_application_published_app_ids.aad_all.result["${(each.value).service_name}"]

  scope_ids = [
    for v in (each.value).claim_values : data.azuread_service_principal.aad_all[each.key].oauth2_permission_scope_ids[v]
  ]
}

resource "azuread_application_redirect_uris" "this_web" {
  count = local.redirect_uris_web_enabled ? 1 : 0

  application_id = azuread_application_registration.this.id
  type           = "Web"

  redirect_uris = local.redirect_uris_web
}

Debug Output


─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform planned the following actions, but then encountered a problem:

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-33"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000033" -> null
      - result = "00000000-1111-0000-0000-000000000033" -> null
    }

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-11"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000011" -> null
      - result = "00000000-1111-0000-0000-000000000011" -> null
    }

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-22"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000022" -> null
      - result = "00000000-1111-0000-0000-000000000022" -> null
    }

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-44"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000044" -> null
      - result = "00000000-1111-0000-0000-000000000044" -> null
    }

Plan: 0 to add, 0 to change, 5 to destroy.
╷
│ Error: retrieving App Role (Application ID: "12345678-1234-1234-1234-123456789012", Role ID: "00000000-1111-0000-0000-000000000011"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": context deadline exceeded
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_app_role.roles["role-11"],
│   on ../../../azure/aad/aad_sso_external/main.tf line 70, in resource "azuread_application_app_role" "roles":
│   70: resource "azuread_application_app_role" "roles" {
│ 
│ retrieving App Role (Application ID:
│ "12345678-1234-1234-1234-123456789012", Role ID:
│ "00000000-1111-0000-0000-000000000011"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ context deadline exceeded
╵
╷
│ Error: retrieving App Role (Application ID: "12345678-1234-1234-1234-123456789012", Role ID: "00000000-1111-0000-0000-000000000022"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_app_role.roles["role-22"],
│   on ../../../azure/aad/aad_sso_external/main.tf line 70, in resource "azuread_application_app_role" "roles":
│   70: resource "azuread_application_app_role" "roles" {
│ 
│ retrieving App Role (Application ID:
│ "12345678-1234-1234-1234-123456789012", Role ID:
│ "00000000-1111-0000-0000-000000000022"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a
│ nil *Response with a nil error
╵
╷
│ Error: retrieving Application API Access (Application ID: "12345678-1234-1234-1234-123456789012", API Client ID: "00000003-0000-0000-c000-000000000000"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_api_access.this["sso-read"],
│   on ../../../azure/aad/aad_sso_external/main.tf line 89, in resource "azuread_application_api_access" "this":
│   89: resource "azuread_application_api_access" "this" {
│ 
│ retrieving Application API Access (Application ID:
│ "12345678-1234-1234-1234-123456789012", API Client ID:
│ "00000003-0000-0000-c000-000000000000"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a
│ nil *Response with a nil error
╵
╷
│ Error: retrieving Application Redirect URIs (Application ID: "12345678-1234-1234-1234-123456789012", URI Type: "Web"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_redirect_uris.this_web[0],
│   on ../../../azure/aad/aad_sso_external/main.tf line 120, in resource "azuread_application_redirect_uris" "this_web":
│  120: resource "azuread_application_redirect_uris" "this_web" {
│ 
│ retrieving Application Redirect URIs (Application ID:
│ "12345678-1234-1234-1234-123456789012", URI Type: "Web"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a
│ nil *Response with a nil error
╵
Releasing state lock. This may take a few moments...
ERRO[0434] terraform invocation failed in /root/.cache/terragrunt/dl/Sb3NNIh7r74vh_1_Gk8f5L9T_zo/75uKXgpfhQuQUTjChPufc55-7u8/modules/d1/d2/tg-001  prefix=[/xxxxxxxx/yyyyyyy/] 
ERRO[0434] Module /xxxxxxxx/yyyyyyy/ has finished with an error: 1 error occurred:
        * [/root/.cache/terragrunt/dl/Sb3NNIh7r74vh_1_Gk8f5L9T_zo/75uKXgpfhQuQUTjChPufc55-7u8/modules/d1/d2/tg-001] exit status 1
  prefix=[/xxxxxxxx/yyyyyyy/] 
ERRO[0434] 1 error occurred:
        * [/root/.cache/terragrunt/dl/Sb3NNIh7r74vh_1_Gk8f5L9T_zo/75uKXgpfhQuQUTjChPufc55-7u8/modules/d1/d2/tg-001] exit status 1
 

Expected Behavior

Remove the objects that were created

@manicminer manicminer changed the title Cannot delete EnterpriseApplication + AppRegistration Cannot destroy AppRegistration virtual resources May 9, 2024