
Create azuread_application failed: Property api.requestedAccessTokenVersion is invalid. #1374

Open
jakubslonxlab opened this issue May 10, 2024 · 1 comment

Comments

@jakubslonxlab

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform 1.5.7 
Azuread provider: 

Affected Resource(s)

  • azuread_application

We are not setting any property in the api block on the resource. We have changed the permissions as part of our investigation, but this did not affect the behaviour.

Terraform Configuration Files

resource.tf 

resource "azuread_application" "sp_application" {
  display_name = "[${var.service_principal_name}"

  dynamic "required_resource_access" {
    for_each = length(concat(var.graph_api_application_permissions, var.graph_api_delegated_permissions)) == 0 ? [] : ["trigger create"]
    content {
      resource_app_id = local.microsoft_graph_resource_app_id
      dynamic "resource_access" {
        iterator = permission_name
        for_each = var.graph_api_delegated_permissions
        content {
          id   = local.delegated_permissions[permission_name.value]
          type = "Scope"
        }
      }
      dynamic "resource_access" {
        iterator = permission_name
        for_each = var.graph_api_application_permissions
        content {
          id   = local.application_permissions[permission_name.value]
          type = "Role"
        }
      }
    }
  }
}

Permissions that we assign:

graph_api_application_permissions = [
  "Application.ReadWrite.All",
  "Policy.ReadWrite.ApplicationConfiguration",
  "Policy.Read.All",
  "Group.ReadWrite.All",
  "User.Read.All"
]

Expected Behavior

Create the azuread_application resource:

+ resource "azuread_application" "azuread_application_name" {
      + app_role_ids                = (known after apply)
      + application_id              = (known after apply)
      + client_id                   = (known after apply)
      + disabled_by_microsoft       = (known after apply)
      + display_name                = "Display name goes here"
      + id                          = (known after apply)
      + logo_url                    = (known after apply)
      + oauth2_permission_scope_ids = (known after apply)
      + object_id                   = (known after apply)
      + prevent_duplicate_names     = false
      + publisher_domain            = (known after apply)
      + sign_in_audience            = "AzureADMyOrg"
      + tags                        = (known after apply)
      + template_id                 = (known after apply)

      + required_resource_access {
          + resource_app_id = "resource-app-id-goes-here"

          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
        }
    }

Actual Behavior

Error: Could not create application

  with module./azuread-application.azuread_application.azuread_application_name,
  on .terraform/modules/azuread-application/main.tf line 1, in resource "azuread_application" "azuread_application_name":
   1: resource "azuread_application" "azuread_application_name" {

ApplicationsClient.BaseClient.Post(): unexpected status 400 with OData error:
InvalidAccessTokenVersion: Property api.requestedAccessTokenVersion is
invalid.

Steps to Reproduce

  1. terraform plan
  2. terraform apply -> fails
@manicminer
Member

Hi @jakubslonxlab, thanks for opening this issue. By default, the azuread_application resource sets requested_access_token_version = 1, which is the same default value as the API. If you are getting this error, it suggests that for one reason or another the application must have this property set to 2. Can you try adding the following to your configuration?

resource "azuread_application" "sp_application" {
  # ...

  api {
    requested_access_token_version = 2
  }
}

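An added pre-apply check, not from the issue or the provider: a small Python script that reads `terraform show -json` plan output and flags any azuread_application being created or updated without `requested_access_token_version = 2`, so the mismatch surfaces before the Graph API returns the 400 above. The plan JSON is a constructed sample, and treating an absent `api` block as version 1 is an assumption based on the provider default quoted in the reply.

```python
import json

# Constructed sample of `terraform show -json tfplan` output (not taken from
# the issue), trimmed to the fields this check reads.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "module.azuread-application.azuread_application.azuread_application_name",
            "type": "azuread_application",
            "change": {
                "actions": ["create"],
                "after": {
                    "display_name": "Display name goes here",
                    "sign_in_audience": "AzureADMyOrg",
                    "api": [],  # no api block: provider default (1) applies
                },
            },
        },
        {
            "address": "azuread_application.sp_application",
            "type": "azuread_application",
            "change": {
                "actions": ["create"],
                "after": {"api": [{"requested_access_token_version": 2}]},
            },
        },
    ]
})


def token_version(after):
    """Planned token version; assumes 1 (the provider default) when no api block is set."""
    api_blocks = after.get("api") or []
    if not api_blocks:
        return 1
    return api_blocks[0].get("requested_access_token_version") or 1


def find_v1_applications(plan_json, required=2):
    """Addresses of azuread_application resources planned with a token version below `required`."""
    plan = json.loads(plan_json)
    offenders = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azuread_application":
            continue
        # Only creates and updates reach the Graph API with this property.
        if not ({"create", "update"} & set(rc["change"].get("actions", []))):
            continue
        if token_version(rc["change"].get("after") or {}) < required:
            offenders.append(rc["address"])
    return offenders
```

Run it against `terraform show -json tfplan` in CI and fail the pipeline when `find_v1_applications` returns a non-empty list, pointing at the `api { requested_access_token_version = 2 }` block suggested above.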
@manicminer manicminer removed the bug label May 15, 2024