
empty client ID sent via Graph API to update oAuth2PermissionGrant #1536

Open
Matioski opened this issue Oct 17, 2024 · 3 comments

Comments

@Matioski

Matioski commented Oct 17, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.9.7
on darwin_arm64

  • provider registry.terraform.io/hashicorp/azuread v3.0.2

Affected Resource(s)

  • azuread_service_principal_delegated_permission_grant

Terraform Configuration Files

resource "azuread_service_principal_delegated_permission_grant" "delegated_grant" {
  for_each = local.sps_map

  service_principal_object_id          = azuread_service_principal.sp[each.key].object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = each.value.roles
}

Debug Output

https://gist.github.com/Matioski/acd96ab3f722667f0be8fed402c06782

Panic Output

Expected Behavior

The azuread_service_principal_delegated_permission_grant should be updated and the clientId should not be sent in the body as per: https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-update?view=graph-rest-1.0&tabs=http

Actual Behavior

│ unexpected status 400 (400 Bad Request) with error: Request_BadRequest: Property cannot be updated: clientId

as the request that is sent has this body:
{"@odata.type":"#microsoft.graph.oAuth2PermissionGrant","clientId":"","scope":"Directory.ReadWrite.All Application.ReadWrite.All Policy.Read.All Policy.ReadWrite.ApplicationConfiguration Synchronization.ReadWrite.All User.Read.All Group.ReadWrite.All"}

Steps to Reproduce

Create an azuread_service_principal_delegated_permission_grant and try to update the claim_values.

  1. terraform apply

Important Factoids

References

* #1511

@joelp172

That's interesting, I have recently just configured a module to use the azuread_service_principal_delegated_permission_grant resource.

I applied a first run and it added the User.Read successfully, I then needed to update that and add another claim value but on Terraform apply I also get:

│ Property cannot be updated: clientId

Here is a snippet of the resource I am using

resource "azuread_service_principal_delegated_permission_grant" "this" {
  service_principal_object_id          = azuread_service_principal.this.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = flatten([for resource in var.required_resource_access : resource.resource_access[*].id])
}

hashicorp/azurerm provider: 4.4.0

@bwrogo

bwrogo commented Dec 12, 2024

We enabled Terraform TRACE logging and we noticed that the clientId included in the body of the request is empty.

============================ Begin AzureAD Request ============================
Request ID: **********************

PATCH /v1.0/oauth2PermissionGrants/********************** HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.9.3 (+https://www.terraform.io) Terraform Plugin SDK/2.34.0 terraform-provider-azuread/3.0.2 HashiCorp/go-azure-sdk (Go-http-Client/1.1 MicrosoftGraph-oauth2permissiongrant/v1.0) pid-123**********
Content-Length: 95
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

{"@odata.type":"#microsoft.graph.oAuth2PermissionGrant","clientId":"","scope":"offline_access"}
============================= End AzureAD Request =============================

However, this MS Graph reference shows that the only property that can be updated with a PATCH is scope. Including an empty clientId in this request is causing the error.
https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-update?view=graph-rest-1.0
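As an added illustration, not code from the provider or from the go-azure-sdk, the Go snippet below shows how a request model with a plain string clientId serializes the empty value seen in the trace above, how a pointer field with omitempty leaves it out so only scope is sent, and a client-side pre-flight check that flags any property other than scope before the PATCH goes out. The struct names and the check function are hypothetical.

```go
package main

import "encoding/json"

const grantType = "#microsoft.graph.oAuth2PermissionGrant"

// leakyGrantUpdate (hypothetical) mirrors the trace above: a plain string
// clientId is emitted as "" even though it was never set.
type leakyGrantUpdate struct {
	ODataType string `json:"@odata.type"`
	ClientId  string `json:"clientId"`
	Scope     string `json:"scope"`
}

// fixedGrantUpdate (hypothetical): a pointer with omitempty drops an unset
// clientId, so only the mutable scope property reaches Graph.
type fixedGrantUpdate struct {
	ODataType string  `json:"@odata.type"`
	ClientId  *string `json:"clientId,omitempty"`
	Scope     *string `json:"scope,omitempty"`
}

// LeakyPatchBody reproduces the failing PATCH body for the given scope string.
func LeakyPatchBody(scope string) (string, error) {
	b, err := json.Marshal(leakyGrantUpdate{ODataType: grantType, Scope: scope})
	return string(b), err
}

// FixedPatchBody builds the same update with clientId left out entirely.
func FixedPatchBody(scope string) (string, error) {
	b, err := json.Marshal(fixedGrantUpdate{ODataType: grantType, Scope: &scope})
	return string(b), err
}

// HasImmutableProperty is a client-side pre-flight check: it reports whether
// the body names any top-level property other than scope and @odata.type,
// which the Graph update endpoint rejects (the 400 seen in this issue).
func HasImmutableProperty(body string) (bool, error) {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return false, err
	}
	for k := range m {
		if k != "scope" && k != "@odata.type" {
			return true, nil
		}
	}
	return false, nil
}
```

The leaky body is byte-for-byte the 95-byte request in the trace above (Content-Length: 95); the fixed body is the same update with the 14 bytes of `"clientId":"",` removed.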

@manicminer
Contributor

hashicorp/pandora#4594 should fix this upstream in the SDK
