Enable removal of Application owners

internal/services/aadgraph/application_resource.go

@@ -212,7 +212,6 @@ func applicationResource() *schema.Resource {
 				Type:     schema.TypeSet,
 				Optional: true,
 				Computed: true,
-				MinItems: 1,
 				Elem: &schema.Schema{
 					Type:         schema.TypeString,
 					ValidateFunc: validate.NoEmptyStrings,
@@ -404,9 +403,9 @@ func applicationResourceCreate(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	// there is a default owner that we must account so use this shared function
-	if v, ok := d.GetOk("owners"); ok {
-		members := *tf.ExpandStringSlicePtr(v.(*schema.Set).List())
-		if err := applicationSetOwnersTo(ctx, client, *app.ObjectID, members); err != nil {
+	if v, ok := d.GetOkExists("owners"); ok {
+		desiredOwners := *tf.ExpandStringSlicePtr(v.(*schema.Set).List())
+		if err := applicationSetOwnersTo(ctx, client, *app.ObjectID, desiredOwners); err != nil {
 			return err
 		}
 	}

internal/services/aadgraph/application_resource_test.go

@@ -522,6 +522,51 @@ func TestAccApplication_duplicateAppRolesOauth2PermissionsValues(t *testing.T) {
 	})
 }
 
+func TestAccApplication_ownersUpdate(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_application", "test")
+	pw := "utils@$$wR2" + acctest.RandStringFromCharSet(7, acctest.CharSetAlphaNum)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccApplication_removeOwners(data.RandomInteger, pw),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckApplicationExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "owners.#", "0"),
+				),
+			},
+			data.ImportStep(),
+			{
+				Config: testAccApplication_singleOwner(data.RandomInteger, pw),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckApplicationExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "owners.#", "1"),
+				),
+			},
+			data.ImportStep(),
+			{
+				Config: testAccApplication_threeOwners(data.RandomInteger, pw),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckApplicationExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "owners.#", "3"),
+				),
+			},
+			data.ImportStep(),
+			{
+				Config: testAccApplication_removeOwners(data.RandomInteger, pw),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckApplicationExists(data.ResourceName),
+					resource.TestCheckResourceAttr(data.ResourceName, "owners.#", "0"),
+				),
+			},
+			data.ImportStep(),
+		},
+	})
+}
+
 func testCheckApplicationExists(name string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[name]
@@ -887,3 +932,42 @@ resource "azuread_application" "test" {
 }
 `, ri)
 }
+
+func testAccApplication_singleOwner(ri int, pw string) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azuread_application" "test" {
+  name = "acctest-APP-%[2]d"
+  owners = [
+    azuread_user.testA.object_id,
+  ]
+}
+`, testAccUser_threeUsersABC(ri, pw), ri)
+}
+
+func testAccApplication_threeOwners(ri int, pw string) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azuread_application" "test" {
+  name = "acctest-APP-%[2]d"
+  owners = [
+    azuread_user.testA.object_id,
+    azuread_user.testB.object_id,
+    azuread_user.testC.object_id,
+  ]
+}
+`, testAccUser_threeUsersABC(ri, pw), ri)
+}
+
+func testAccApplication_removeOwners(ri int, pw string) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azuread_application" "test" {
+  name   = "acctest-APP-%[2]d"
+  owners = []
+}
+`, testAccUser_threeUsersABC(ri, pw), ri)
+}