-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to azuread v3 leads to azuread_application_password
recreation
#1502
Comments
Is it related to this one? As per documentation: the [end_date_relative] (https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password#end_date_relative) - (Optional) A relative duration for which the password is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created. And in azuread provider v3.0.1, i'm getting below deprecation message. If I remove the paramer: end_date_relative from resource definition, its trying to recreate the whole resource; azuread_application_password │ The do we have any fix for this deprecation to disable the resource recreation? |
For existing passwords, you'll need to use |
@manicminer, thanks for the update. I will use |
So in azuread 4 we can expect to have no decent way of managing relative expiration of passwords? Sure we can use Confused as to why we are removing functionality? |
@rlees85 You can use the Time provider to get a static datetime which will be persisted to state, or even use the time_rotating resource to automatically replace the password when it lapses. I can look to add examples to the documentation. |
thank you @manicminer . I am using |
Should the issue/discussion regarding the end_date_relative be taken to another issue? This issue is specific to the display_name, which is forceing replacement despite the only change being the azuread provider version moving to v3. I note the reference to use ignore_changes to prevent recreation of the password. It certainly works but I trust this is only a workaround and not the recommended fix?
|
I have tried the plan with debug and it's a bit weird! My password created through Terraform with AzureAd v2 shows in the console with display name "Terraform Managed" and the value is shown as "Hidden". I created a password with a display name "Delete Me" and the value is shown with a hint. Implies some differences depending on how the password was created. The Terraform debug output reveals the following:
What is particularly interesting is that the customKeyIdentifier "VGVycmFmb3JtIE1hbmFnZWQ=" is the base64 encoding of "Terraform Managed", i.e. it is the display name. Question is whether this can be used as the basis of a fix? Need to see what it looks like when the provider v3 is used to create a password. Tomorrow. |
Community Note
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_application_password
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
When the
azuread_application_password
has been created under azuread v2, and we upgrade to azuread v3, theazuread_application_password
should not be recreated.Actual Behavior
Upgrading the provider to azuread v3 leads to recreating the resource:
Steps to Reproduce
terraform apply
to create theazuread_application_password
resourceterraform plan
will show that it wants to recreate the resourceImportant Factoids
References
The text was updated successfully, but these errors were encountered: