Cannot destroy AppRegistration virtual resources #1352

Closed
joaocc opened this issue Apr 8, 2024 · 2 comments

Comments


joaocc commented Apr 8, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.5.7
on linux_arm64

"registry.terraform.io/hashicorp/azuread"
version = "2.47.0"

Affected Resource(s)

azuread_application_app_role
azuread_application_api_access
azuread_application_redirect_uris

Terraform Configuration Files

resource "azuread_application_app_role" "roles" {
  for_each = var.aad_sso_defs.app_roles

  application_id       = azuread_application_registration.this.id
  role_id              = random_uuid.role_id[(each.key)].id
  allowed_member_types = sort(coalesce((each.value).allowed_member_types, ["User"]))
  description          = (each.value).description
  display_name         = coalesce((each.value).name, (each.key))
  value                = (each.value).value
}

resource "azuread_application_api_access" "this" {
  for_each = try(var.aad_sso_defs.api_permissions, {})

  application_id = azuread_application_registration.this.id
  api_client_id  = data.azuread_application_published_app_ids.aad_all.result["${(each.value).service_name}"]

  scope_ids = [
    for v in (each.value).claim_values : data.azuread_service_principal.aad_all[each.key].oauth2_permission_scope_ids[v]
  ]
}

resource "azuread_application_redirect_uris" "this_web" {
  count = local.redirect_uris_web_enabled ? 1 : 0

  application_id = azuread_application_registration.this.id
  type           = "Web"

  redirect_uris = local.redirect_uris_web
}

Debug Output


─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform planned the following actions, but then encountered a problem:

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-33"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000033" -> null
      - result = "00000000-1111-0000-0000-000000000033" -> null
    }

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-11"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000011" -> null
      - result = "00000000-1111-0000-0000-000000000011" -> null
    }

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-22"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000022" -> null
      - result = "00000000-1111-0000-0000-000000000022" -> null
    }

  # module.k_app.module.aad_sso_keycloak[0].random_uuid.role_id["role-44"] will be destroyed
  # (because module.k_app.module.aad_sso_keycloak[0] is not in configuration)
  - resource "random_uuid" "role_id" {
      - id     = "00000000-1111-0000-0000-000000000044" -> null
      - result = "00000000-1111-0000-0000-000000000044" -> null
    }

Plan: 0 to add, 0 to change, 5 to destroy.
╷
│ Error: retrieving App Role (Application ID: "12345678-1234-1234-1234-123456789012", Role ID: "00000000-1111-0000-0000-000000000011"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": context deadline exceeded
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_app_role.roles["role-11"],
│   on ../../../azure/aad/aad_sso_external/main.tf line 70, in resource "azuread_application_app_role" "roles":
│   70: resource "azuread_application_app_role" "roles" {
│ 
│ retrieving App Role (Application ID:
│ "12345678-1234-1234-1234-123456789012", Role ID:
│ "00000000-1111-0000-0000-000000000011"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ context deadline exceeded
╵
╷
│ Error: retrieving App Role (Application ID: "12345678-1234-1234-1234-123456789012", Role ID: "00000000-1111-0000-0000-000000000022"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_app_role.roles["role-22"],
│   on ../../../azure/aad/aad_sso_external/main.tf line 70, in resource "azuread_application_app_role" "roles":
│   70: resource "azuread_application_app_role" "roles" {
│ 
│ retrieving App Role (Application ID:
│ "12345678-1234-1234-1234-123456789012", Role ID:
│ "00000000-1111-0000-0000-000000000022"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a
│ nil *Response with a nil error
╵
╷
│ Error: retrieving Application API Access (Application ID: "12345678-1234-1234-1234-123456789012", API Client ID: "00000003-0000-0000-c000-000000000000"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_api_access.this["sso-read"],
│   on ../../../azure/aad/aad_sso_external/main.tf line 89, in resource "azuread_application_api_access" "this":
│   89: resource "azuread_application_api_access" "this" {
│ 
│ retrieving Application API Access (Application ID:
│ "12345678-1234-1234-1234-123456789012", API Client ID:
│ "00000003-0000-0000-c000-000000000000"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a
│ nil *Response with a nil error
╵
╷
│ Error: retrieving Application Redirect URIs (Application ID: "12345678-1234-1234-1234-123456789012", URI Type: "Web"): ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
│ 
│   with module.k_app.module.aad_sso_keycloak[0].azuread_application_redirect_uris.this_web[0],
│   on ../../../azure/aad/aad_sso_external/main.tf line 120, in resource "azuread_application_redirect_uris" "this_web":
│  120: resource "azuread_application_redirect_uris" "this_web" {
│ 
│ retrieving Application Redirect URIs (Application ID:
│ "12345678-1234-1234-1234-123456789012", URI Type: "Web"):
│ ApplicationsClient.BaseClient.Get(): Get
│ "https://graph.microsoft.com/v1.0/applications/12345678-1234-1234-1234-123456789012":
│ http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a
│ nil *Response with a nil error
╵
Releasing state lock. This may take a few moments...
ERRO[0434] terraform invocation failed in /root/.cache/terragrunt/dl/Sb3NNIh7r74vh_1_Gk8f5L9T_zo/75uKXgpfhQuQUTjChPufc55-7u8/modules/d1/d2/tg-001  prefix=[/xxxxxxxx/yyyyyyy/] 
ERRO[0434] Module /xxxxxxxx/yyyyyyy/ has finished with an error: 1 error occurred:
        * [/root/.cache/terragrunt/dl/Sb3NNIh7r74vh_1_Gk8f5L9T_zo/75uKXgpfhQuQUTjChPufc55-7u8/modules/d1/d2/tg-001] exit status 1
  prefix=[/xxxxxxxx/yyyyyyy/] 
ERRO[0434] 1 error occurred:
        * [/root/.cache/terragrunt/dl/Sb3NNIh7r74vh_1_Gk8f5L9T_zo/75uKXgpfhQuQUTjChPufc55-7u8/modules/d1/d2/tg-001] exit status 1
 

Expected Behavior

Remove the objects that were created

@manicminer manicminer changed the title Cannot delete EnterpriseApplication + AppRegistration Cannot destroy AppRegistration virtual resources May 9, 2024
@manicminer (Member) commented:

@joaocc Thanks for reporting this issue. Would you be able to provide a debug log for when this issue occurs, as I'm unfortunately not able to deduce what is happening based on the plan alone. Thanks!


joaocc commented May 31, 2024

Hi
I am not at this moment, as we manually cleaned up the state file many weeks/months ago.
I think the easiest way to test is to manually remove the SP or some of the items corresponding to "dependent" terraform resources.
This also happened in other resources, where one of the resource types wasn't checking for cases where the "parent/root" resource was no longer available.
If this fails to reproduce, please feel free to close as we are unlikely to be able to provide further info.
Thanks
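The failure mode described above (a child resource's read not handling a parent that no longer exists) is a case for separating a definitive not-found from a transient transport error: only the former justifies dropping the virtual resource from state. This is an added Go example, not the azuread provider's code; the `appGetter` type and the fake Graph responses are constructed stand-ins for `GET /applications/{id}`, and the IDs are the placeholder values from the plan output.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// appGetter is a constructed stand-in for GET /applications/{id} on Microsoft Graph
// (not the provider's client): it returns the HTTP status, the decoded body and any
// transport error, such as the "context deadline exceeded" seen in the plan above.
type appGetter func(appID string) (status int, body map[string]any, err error)

// readAppRole reads one app role from its parent application. The boolean result is
// true when the parent application or the role no longer exists, so a caller can drop
// the virtual resource from state and let the destroy finish. Transport errors and
// unexpected statuses stay errors: treating a timeout as "gone" would orphan a live object.
func readAppRole(get appGetter, appID, roleID string) (map[string]any, bool, error) {
	status, body, err := get(appID)
	if err != nil {
		return nil, false, fmt.Errorf("retrieving application %q: %w", appID, err)
	}
	switch {
	case status == http.StatusNotFound:
		return nil, true, nil // parent application is gone
	case status != http.StatusOK || body == nil:
		return nil, false, fmt.Errorf("unexpected response %d for application %q", status, appID)
	}
	roles, _ := body["appRoles"].([]map[string]any)
	for _, role := range roles {
		if role["id"] == roleID {
			return role, false, nil
		}
	}
	return nil, true, nil // parent exists but the role itself was removed out of band
}

func main() {
	// Constructed Graph responses for the three outcomes a destroy can meet.
	const appID, roleID = "12345678-1234-1234-1234-123456789012", "00000000-1111-0000-0000-000000000011"
	cases := map[string]appGetter{
		"live":    func(string) (int, map[string]any, error) { return http.StatusOK, map[string]any{"appRoles": []map[string]any{{"id": roleID, "value": "Reader"}}}, nil },
		"deleted": func(string) (int, map[string]any, error) { return http.StatusNotFound, nil, nil },
		"timeout": func(string) (int, map[string]any, error) { return 0, nil, errors.New("context deadline exceeded") },
	}
	for name, get := range cases {
		role, gone, err := readAppRole(get, appID, roleID)
		fmt.Printf("%-7s role=%v gone=%v err=%v\n", name, role, gone, err)
	}
}
```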
