hashicorp · BrendanThompson · Apr 10, 2024 · Apr 10, 2024 · Apr 10, 2024 · Apr 10, 2024
diff --git a/.github/labeler-issue-triage.yaml b/.github/labeler-issue-triage.yaml
@@ -37,7 +37,10 @@ feature/policies:
   - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(authentication_strength_policy|claims_mapping_policy|group_role_management_policy)((.|\n)*)###'
 
 feature/service-principals:
-  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(client_config|service_principal|synchronization_)((.|\n)*)###'
+  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_(client_config|service_principal)((.|\n)*)###'
+
+feature/synchronization:
+  - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_synchronization_((.|\n)*)###'
 
 feature/user-flows:
   - '### (|New or )Affected Resource\(s\)\/Data Source\(s\)((.|\n)*)azuread_user_flow_attribute((.|\n)*)###'

diff --git a/.github/labeler-pull-request-triage.yaml b/.github/labeler-pull-request-triage.yaml
@@ -80,6 +80,10 @@ feature/service-principals:
 - changed-files:
   - any-glob-to-any-file:
     - internal/services/serviceprincipals/**/*
+
+feature/synchronization:
+- changed-files:
+  - any-glob-to-any-file:
     - internal/services/synchronization/**/*
 
 feature/user-flows:

diff --git a/.github/workflows/depscheck.yaml b/.github/workflows/depscheck.yaml
@@ -12,8 +12,8 @@ jobs:
   depscheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: .go-version
       - run: bash scripts/gogetcookie.sh

diff --git a/.github/workflows/docs-lint.yaml b/.github/workflows/docs-lint.yaml
@@ -11,8 +11,8 @@ jobs:
   docs-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: .go-version
       - run: bash scripts/gogetcookie.sh

diff --git a/.github/workflows/gencheck.yaml b/.github/workflows/gencheck.yaml
@@ -17,10 +17,10 @@ concurrency:
 
 jobs:
   gencheck:
-    runs-on: [custom, linux, large]
+    runs-on: custom-linux-large
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

diff --git a/.github/workflows/golint.yaml b/.github/workflows/golint.yaml
@@ -12,8 +12,8 @@ jobs:
   golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: .go-version
       - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0

diff --git a/.github/workflows/increment-milestone.yaml b/.github/workflows/increment-milestone.yaml
@@ -14,7 +14,7 @@ jobs:
   increment-milestone:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/issue-opened.yaml b/.github/workflows/issue-opened.yaml
@@ -12,7 +12,7 @@ jobs:
   issue_triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - uses: github/issue-labeler@c1b0f9f52a63158c4adc09425e858e87b32e9685 # v3.4
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

diff --git a/.github/workflows/link-milestone.yaml b/.github/workflows/link-milestone.yaml
@@ -15,7 +15,7 @@ jobs:
       pull-requests: write
       issues: write
     steps:
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.21.3'
 

diff --git a/.github/workflows/provider-test.yaml b/.github/workflows/provider-test.yaml
@@ -31,15 +31,15 @@ jobs:
           fi
 
   provider-tests:
-    runs-on: [custom, linux, large]
+    runs-on: custom-linux-large
     needs: [secrets-check]
     if: needs.secrets-check.outputs.available == 'true'
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Install Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ./.go-version
 

diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -16,7 +16,7 @@ jobs:
           configuration-path: .github/labeler-pull-request-triage.yaml
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
 
-      - uses: CodelyTV/pr-size-labeler@f2aafc4d8735009c6de18acefe15eecbfbfae56f # v1.9.0
+      - uses: CodelyTV/pr-size-labeler@56f6f0fc35c7cc0f72963b8467729e1120cb4bed # v1.10.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           xs_label: 'size/XS'

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -13,7 +13,7 @@ jobs:
   release-notes:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
 
@@ -29,7 +29,7 @@ jobs:
   terraform-provider-release:
     name: 'Terraform Provider Release'
     needs: release-notes
-    uses: hashicorp/ghaction-terraform-provider-release/.github/workflows/hashicorp.yml@9b5d2ca4b85f3a54d5c4d12e7690ddad1526ff6c # v3.0.1
+    uses: hashicorp/ghaction-terraform-provider-release/.github/workflows/hashicorp.yml@393dac4dd208c749b1622323f9f0e8d26a6f26cc # v4.0.1
     secrets:
       hc-releases-github-token: '${{ secrets.HASHI_RELEASES_GITHUB_TOKEN }}'
       hc-releases-host-staging: '${{ secrets.HC_RELEASES_HOST_STAGING }}'

diff --git a/.github/workflows/teamcity-test.yaml b/.github/workflows/teamcity-test.yaml
@@ -21,7 +21,7 @@ jobs:
   teamcity-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           distribution: zulu

diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
@@ -20,8 +20,8 @@ jobs:
   tflint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

diff --git a/.github/workflows/thirty-two-bit.yaml b/.github/workflows/thirty-two-bit.yaml
@@ -21,8 +21,8 @@ jobs:
   compatibility-32bit-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml
@@ -19,10 +19,10 @@ concurrency:
 
 jobs:
   test:
-    runs-on: [custom, linux, large]
+    runs-on: custom-linux-large
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

diff --git a/.github/workflows/validate-examples.yaml b/.github/workflows/validate-examples.yaml
@@ -20,8 +20,8 @@ jobs:
   validate-examples:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

diff --git a/.teamcity/components/generated/services.kt b/.teamcity/components/generated/services.kt
@@ -15,6 +15,7 @@ var services = mapOf(
         "invitations" to "Invitations",
         "policies" to "Policies",
         "serviceprincipals" to "Service Principals",
+        "synchronization" to "Synchronization",
         "userflows" to "User Flows",
         "users" to "Users"
 )
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,18 +1,64 @@
-## 2.49.0 (Unreleased)
+## 2.52.0 (June 13, 2024)
+
+BUG FIXES:
+
+* `azuread_application` - fix a bug that could prevent the `ignore_changes` lifecycle argument from working for the `app_role`, `oauth2_permission_scope`, `identifier_uris`, `optional_claims`, and `required_resource_access` properties ([#1403](https://github.com/hashicorp/terraform-provider-azuread/issues/1403))
+* `azuread_application` - add a workaround for an API bug when instantiating an application from template using the `template_id` property ([#1406](https://github.com/hashicorp/terraform-provider-azuread/issues/1406))
+
+## 2.51.0 (June 06, 2024)
+
+ENHANCEMENTS:
+
+* `data.azuread_users` - support for the `mails` property ([#1400](https://github.com/hashicorp/terraform-provider-azuread/issues/1400))
+
+BUG FIXES:
+
+* `azuread_access_package_assignment_policy` - fix a bug preventing removal of the `assignment_review_settings` block ([#1394](https://github.com/hashicorp/terraform-provider-azuread/issues/1394))
+
+## 2.50.0 (May 16, 2024)
+
+ENHANCEMENTS:
+
+* dependencies: updating to `v0.68.0` of `github.com/manicminer/hamilton` ([#1382](https://github.com/hashicorp/terraform-provider-azuread/issues/1382))
+* `data.azuread_application` - support looking up applications with the `identifier_uri` property [GH 1303]
+* `azuread_conditional_access_policy` - improve handling of the `session_controls` block ([#1382](https://github.com/hashicorp/terraform-provider-azuread/issues/1382))
+
+BUG FIXES:
+
+* `data.azuread_service_principal` - treat the `display_name` property case-insensitively ([#1381](https://github.com/hashicorp/terraform-provider-azuread/issues/1381))
+* `azuread_conditional_access_policy` - fix a bug that could cause a persistent diff when setting certain properties in the `session_controls` block ([#1382](https://github.com/hashicorp/terraform-provider-azuread/issues/1382))
+* `azuread_user` - don't overwrite the existing password in state, when a password change fails ([#1308](https://github.com/hashicorp/terraform-provider-azuread/issues/1308))
+
+## 2.49.1 (May 13, 2024)
+
+BUG FIXES:
+
+* `data.azuread_group_role_management_policy` - resolve a potential crash ([#1375](https://github.com/hashicorp/terraform-provider-azuread/issues/1375))
+* `azuread_group_role_management_policy` - resolve a number of potential crashes ([#1375](https://github.com/hashicorp/terraform-provider-azuread/issues/1375))
+* `azuread_privileged_access_group_assignment_schedule` - resolve a number of potential crashes ([#1375](https://github.com/hashicorp/terraform-provider-azuread/issues/1375))
+* `azuread_privileged_access_group_eligibility_schedule` - resolve a number of potential crashes ([#1375](https://github.com/hashicorp/terraform-provider-azuread/issues/1375))
+
+## 2.49.0 (May 09, 2024)
 
 FEATURES:
 
-* **New Data Source:** `azuread_group_role_management_policy` [GH-1327]
-* **New Resource:** `azuread_group_role_management_policy` [GH-1327]
-* **New Resource:** `azuread_privileged_access_group_assignment_schedule` [GH-1327]
-* **New Resource:** `azuread_privileged_access_group_eligibility_schedule` [GH-1327]
+* **New Data Source:** `azuread_group_role_management_policy` ([#1327](https://github.com/hashicorp/terraform-provider-azuread/issues/1327))
+* **New Resource:** `azuread_group_role_management_policy` ([#1327](https://github.com/hashicorp/terraform-provider-azuread/issues/1327))
+* **New Resource:** `azuread_privileged_access_group_assignment_schedule` ([#1327](https://github.com/hashicorp/terraform-provider-azuread/issues/1327))
+* **New Resource:** `azuread_privileged_access_group_eligibility_schedule` ([#1327](https://github.com/hashicorp/terraform-provider-azuread/issues/1327))
+* **New Resource:** `azuread_synchronization_job_provision_on_demand` ([#1032](https://github.com/hashicorp/terraform-provider-azuread/issues/1032))
 
 ENHANCEMENTS:
 
-* `data.azuread_group` - support for the `include_transitive_members` property [GH-1300]
-* `azuread_application` - relax validation for the `identifier_uris` property to allow more values [GH-1351]
-* `azuread_application_identifier_uri` - relax validation for the `identifier_uri` property to allow more values [GH-1351]
-* `azuread_user` - relax validation for the `employee_type` property to allow more values [GH-1328]
+* `data.azuread_group` - support for the `include_transitive_members` property ([#1300](https://github.com/hashicorp/terraform-provider-azuread/issues/1300))
+* `azuread_application` - relax validation for the `identifier_uris` property to allow more values ([#1351](https://github.com/hashicorp/terraform-provider-azuread/issues/1351))
+* `azuread_application_identifier_uri` - relax validation for the `identifier_uri` property to allow more values ([#1351](https://github.com/hashicorp/terraform-provider-azuread/issues/1351))
+* `azuread_group` - support the `SkipExchangeInstantOn` value for the `behaviors` property ([#1370](https://github.com/hashicorp/terraform-provider-azuread/issues/1370))
+* `azuread_user` - relax validation for the `employee_type` property to allow more values ([#1328](https://github.com/hashicorp/terraform-provider-azuread/issues/1328))
+
+BUG FIXES:
+
+* `azuread_application_pre_authorized` - fix a destroy-time bug that could prevent deletion of the resource ([#1299](https://github.com/hashicorp/terraform-provider-azuread/issues/1299))
 
 ## 2.48.0 (April 11, 2024)
 

diff --git a/GNUmakefile b/GNUmakefile
@@ -21,6 +21,10 @@ tools:
 build: fmtcheck
 	go install
 
+debug: fmtcheck
+	go build -gcflags="all=-N -l" -trimpath -o terraform-provider-azuread
+	dlv exec --listen=:51000 --headless=true --api-version=2 --accept-multiclient --continue terraform-provider-azuread -- -debug
+
 fumpt:
 	@echo "==> Fixing source code with gofmt..."
 	# This logic should match the search logic in scripts/gofmtcheck.sh

diff --git a/README.md b/README.md
@@ -102,6 +102,18 @@ $ $GOPATH/bin/terraform-provider-azuread
 ...
 ```
 
+To compile the provider for attached debugging run `make debug`. 
+
+```sh
+$ make debug
+...
+Provider started. To attach Terraform CLI, set the TF_REATTACH_PROVIDERS environment variable with the following:
+    TF_REATTACH_PROVIDERS='{"registry.terraform.io/hashicorp/azuread":{"Protocol":"grpc","ProtocolVersion":5,"Pid":16227,"Test":true,"Addr":{"Network":"unix","String":"/var/folders/dy/r91ps1bx7fscm_v64qbwd0nh0000gn/T/plugin1540622971"}}}'
+```
+
+See the [documentation](https://developer.hashicorp.com/terraform/plugin/debugging#starting-a-provider-in-debug-mode) for attaching a debugger.
+
+
 In order to test the provider, you can simply run `make test`.
 
 ```sh

diff --git a/docs/data-sources/application.md b/docs/data-sources/application.md
@@ -33,8 +33,9 @@ The following arguments are supported:
 * `client_id` - (Optional) Specifies the Client ID of the application.
 * `display_name` - (Optional) Specifies the display name of the application.
 * `object_id` - (Optional) Specifies the Object ID of the application.
+* `identifier_uri` - (Optional) Specifies any identifier URI of the application. See also the `identifier_uris` attribute which contains a list of all identifier URIs for the application.
 
-~> One of `client_id`, `display_name`, or `object_id` must be specified.
+~> One of `client_id`, `display_name`, `object_id`, or `identifier_uri` must be specified.
 
 ## Attributes Reference
 

diff --git a/docs/data-sources/users.md b/docs/data-sources/users.md
@@ -29,18 +29,20 @@ The following arguments are supported:
 * `employee_ids` - (Optional) The employee identifiers assigned to the users by the organisation.
 * `ignore_missing` - (Optional) Ignore missing users and return users that were found. The data source will still fail if no users are found. Cannot be specified with `return_all`. Defaults to `false`.
 * `mail_nicknames` - (Optional) The email aliases of the users.
+* `mails` - (Optional) The SMTP email addresses of the users.
 * `object_ids` - (Optional) The object IDs of the users.
 * `return_all` - (Optional) When `true`, the data source will return all users. Cannot be used with `ignore_missing`. Defaults to `false`.
 * `user_principal_names` - (Optional) The user principal names (UPNs) of the users.
 
-~> Either `return_all`, or one of `user_principal_names`, `object_ids`, `mail_nicknames` or `employee_ids` must be specified. These _may_ be specified as an empty list, in which case no results will be returned.
+~> Either `return_all`, or one of `user_principal_names`, `object_ids`, `mail_nicknames`, `mails`, or `employee_ids` must be specified. These _may_ be specified as an empty list, in which case no results will be returned.
 
 ## Attributes Reference
 
 The following attributes are exported:
 
 * `employee_ids` - The employee identifiers assigned to the users by the organisation.
 * `mail_nicknames` - The email aliases of the users.
+* `mails` - The SMTP email addresses of the users.
 * `object_ids` - The object IDs of the users.
 * `user_principal_names` - The user principal names (UPNs) of the users.
 * `users` - A list of users. Each `user` object provides the attributes documented below.
@@ -49,11 +51,11 @@ The following attributes are exported:
 
 `user` object exports the following:
 
-* `account_enabled` - Whether or not the account is enabled.
+* `account_enabled` - Whether the account is enabled.
 * `display_name` - The display name of the user.
 * `employee_id` - The employee identifier assigned to the user by the organisation.
 * `mail_nickname` - The email alias of the user.
-* `mail` - The primary email address of the user.
+* `mail` - The SMTP email address of the user.
 * `object_id` - The object ID of the user.
 * `onpremises_immutable_id` - The value used to associate an on-premises Active Directory user account with their Azure AD user object.
 * `onpremises_sam_account_name` - The on-premise SAM account name of the user.

diff --git a/docs/resources/administrative_unit.md b/docs/resources/administrative_unit.md
@@ -32,6 +32,8 @@ The following arguments are supported:
 * `display_name` - (Required) The display name of the administrative unit.
 * `members` - (Optional) A set of object IDs of members who should be present in this administrative unit. Supported object types are Users or Groups.
 
+~> **Caution** When using the `members` property of the [azuread_administrative_unit](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit#members) resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `azuread_group` resource, in order to avoid a persistent diff.
+
 !> **Warning** Do not use the `members` property at the same time as the [azuread_administrative_unit_member](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit_member) resource for the same administrative unit. Doing so will cause a conflict and administrative unit members will be removed.
 
 * `hidden_membership_enabled` - (Optional) Whether the administrative unit and its members are hidden or publicly viewable in the directory.