azuread_application_certificate resource can't find the Azure App (404 error) #794

Closed
sgrunt91 opened this issue May 10, 2022 · 6 comments · Fixed by #819
sgrunt91 commented May 10, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.0.11
hashicorp/azuread v2.22.0

Affected Resource(s)

  • azuread_application_certificate

Terraform Configuration Files

resource "tls_private_key" "myapp" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_self_signed_cert" "myapp" {
  private_key_pem       = tls_private_key.myapp.private_key_pem
  validity_period_hours = 8760 # 1 year
  early_renewal_hours   = 730  # 1 month

  subject {
    common_name  = "myapp.myorg.org"
    organization = "myorg"
  }

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

resource "azuread_application" "myapp" {
  display_name      = "myapp"
  sign_in_audience  = "AzureADMultipleOrgs"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
      type = "Role"
    }

    resource_access {
      id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
      type = "Scope"
    }
  }
}

resource "azuread_application_certificate" "myapp" {
  application_object_id = azuread_application.myapp.object_id
  type                  = "AsymmetricX509Cert"
  encoding              = "pem"
  value                 = tls_self_signed_cert.myapp.cert_pem
  start_date            = tls_self_signed_cert.myapp.validity_start_time
  end_date              = tls_self_signed_cert.myapp.validity_end_time
}

Debug Output

https://gist.github.com/sgrunt91/e8d3b43c6452919c3f1cea75f09cf8df

Panic Output

None

Expected Behavior

The certificate should be added to the Azure App in "Certificates & secrets" section.

Actual Behavior

The provider can't find the Azure App and doesn't add the certificate.
It works great for similar resources like azuread_application_password.

It seems that the URL used to retrieve Azure App data from graph.microsoft.com has a missing variable between /beta/ and /applications/: GET https://graph.microsoft.com/beta//applications/2a6f639e-4067-45f2-bc7b-a5dcdc850
Maybe the Tenant ID is required.

Steps to Reproduce

  1. terraform apply

Important Factoids

None

References

  • #0000
@manicminer (Contributor) commented

Hi @sgrunt91, thanks for reporting this. Are you perhaps authenticating via Azure CLI? The missing tenant ID may be responsible here if your user account has access to multiple tenants and you are trying to manage a tenant other than your home tenant. However the fact you say you don't see this issue with the azuread_application_password resource is interesting and could mean the root cause is something else.

I will keep trying to reproduce and also fix the missing tenant ID - hopefully this will resolve the problem.

@manicminer manicminer self-assigned this Jun 1, 2022
@manicminer manicminer added this to the v2.23.0 milestone Jun 1, 2022
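The failure mode the report and the reply above describe, a tenant segment left empty in the Graph URL, as an added illustration in Go that is not the provider's or its SDK's own code: a naive path builder that reproduces the `beta//applications/...` URL from the debug output, a builder that refuses to emit a tenant-scoped URI without a valid tenant ID, and a pre-flight check that flags any empty path segment before a request goes out. The function names, the GUID check and the placeholder IDs are assumptions; the path layout (API version, then tenant ID, then entity) is inferred from the URL quoted in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// graphEndpoint is the Microsoft Graph base URL seen in the issue's debug output.
const graphEndpoint = "https://graph.microsoft.com"

// guidRe matches the canonical 8-4-4-4-12 hex form used for tenant and object IDs.
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// ErrMissingTenant is returned when a tenant-scoped request has no tenant ID.
var ErrMissingTenant = errors.New("tenant ID is required for tenant-scoped Graph requests")

// buildGraphURI joins the API version, an optional tenant segment and the entity
// path. It never emits an empty segment: a tenant-scoped request without a
// tenant ID is rejected instead of producing ".../beta//applications/...".
// (Hypothetical helper; the layout mirrors the URL quoted in the issue.)
func buildGraphURI(apiVersion, tenantID string, tenantScoped bool, entity string) (string, error) {
	base, err := url.Parse(graphEndpoint)
	if err != nil {
		return "", err
	}
	segments := []string{apiVersion}
	if tenantScoped {
		if tenantID == "" {
			return "", ErrMissingTenant
		}
		if !guidRe.MatchString(tenantID) {
			return "", fmt.Errorf("tenant ID %q is not a GUID", tenantID)
		}
		segments = append(segments, tenantID)
	}
	segments = append(segments, strings.Trim(entity, "/"))
	base.Path = "/" + strings.Join(segments, "/")
	return base.String(), nil
}

// naiveGraphURI reproduces the defect reported in the issue: the tenant ID is
// interpolated without checking for an empty value, so a missing tenant yields
// a double slash and the request is sent to a path Graph cannot resolve.
func naiveGraphURI(apiVersion, tenantID, entity string) string {
	return fmt.Sprintf("%s/%s/%s/%s", graphEndpoint, apiVersion, tenantID, strings.Trim(entity, "/"))
}

// hasEmptySegment is a cheap pre-flight check a client can run on any outgoing
// URL: "//" inside the path means some variable was interpolated empty.
func hasEmptySegment(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true
	}
	return strings.Contains(u.Path, "//")
}

func main() {
	// Constructed placeholder IDs, not values from the issue.
	const objectID = "00000000-0000-0000-0000-000000000000"
	const tenantID = "11111111-2222-3333-4444-555555555555"

	bad := naiveGraphURI("beta", "", "/applications/"+objectID)
	fmt.Println(bad, "empty segment:", hasEmptySegment(bad))

	good, err := buildGraphURI("beta", tenantID, true, "/applications/"+objectID)
	fmt.Println(good, err)

	_, err = buildGraphURI("beta", "", true, "/applications/"+objectID)
	fmt.Println("missing tenant:", err)
}
```

The pre-flight check is the part worth keeping in any client wrapper: a 404 from a doubled slash looks identical to "object does not exist", so failing fast on the malformed URL turns a confusing permissions-or-existence question into an immediate configuration error.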
sgrunt91 commented Jun 2, 2022

Hello @manicminer, thanks for your answer! :-)
Yes, I'm using Azure CLI and my account has access to multiple tenants.

As you mention this, here is more information about my use case:

  • I'm using Azure CLI to login to Azure and use Azure providers in Terraform
  • My account has access to 2 tenants:
➜  ~ az account tenant list      
[
  {
    "id": "/tenants/b36acc7a-****-*****-****-faf2f0896d7f",
    "tenantId": "b36acc7a-****-****-****-faf2f0896d7f"
  },
  {
    "id": "/tenants/64473b4b-****-****-****-0333f2c26cea",
    "tenantId": "64473b4b-****-****-****-0333f2c26cea"
  }
]
  • The same codebase has to create resources in both tenants:
    • It creates resources using azurerm provider on first tenant (everything works well)
    • It creates resources using azuread provider on second tenant (everything works well except for this issue)
  • I specify tenant ids in provider config to distinguish where to create resources, like this:
provider "azurerm" {
  features {}
  tenant_id = "64473b4b-****-****-****-0333f2c26cea"
  subscription_id = "4eec8b4f-****-****-****-01220f44fc0d"
}

provider "azuread" {
  tenant_id = "b36acc7a-****-****-****-faf2f0896d7f"
}

Don't hesitate to ask me if you need more information, and thank you again!

@manicminer (Contributor) commented Jun 7, 2022

@sgrunt91 Thanks for following up and validating my assumption :)

I've opened a PR to fix the missing tenant ID which I'm hoping will resolve your issue. If you're able to compile and test this any feedback would be appreciated. But otherwise this fix will go out in this week's release.

@github-actions (bot) commented

This functionality has been released in v2.23.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@sgrunt91 (Author) commented

Hi @manicminer, I'm just writing this comment to confirm the new release fixes my issue!
Thank you very much!

@github-actions (bot) commented

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 14, 2022