terraform-provider-azuread: Error: Deleting access package resource and catalog association

Context

When we try to delete our access package

Terraform (and AzureAD Provider) Version

2.37

Affected Resource(s)

  • azuread_access_package_resource_package_association

Terraform Configuration Files

resource "azuread_group" "membership_group" {
  display_name     = "TFMembershipGroup"
  security_enabled = true

  members = [
    data.azuread_user.user01.object_id,
    data.azuread_user.user02.object_id,
  ]
}

data "azuread_user" "user01" {
  mail_nickname = "AdeleV"
}

data "azuread_user" "user02" {
  mail_nickname = "AlexW"
}

resource "azuread_group" "elevated_approvers_group" {
  display_name     = "TFElevatedApproversGroup"
  security_enabled = true
}

data "azuread_groups" "security_groups" {
  display_names = ["DATALAKE_RO"]
}

resource "azuread_group" "security_created_group" {
  display_name     = "TFSecurityGroup01"
  security_enabled = true
}

# For existing group, spn needs to be owner of the group
data "azuread_group" "security_group" {
  display_name = "DATALAKE_RW"
}

data "azuread_group" "security_group_ro" {
  display_name = "DATALAKE_RO"
}

resource "azuread_access_package_catalog" "test_catalog" {
  display_name = "azuread_access_package_catalog"
  description  = "TestAcc Catalog %[1]d for access assignment policy"
}

resource "azuread_access_package" "test_access_package" {
  display_name = "azuread_access_package"
  description  = "TestAcc Access Package %[1]d for access assignment policy"
  catalog_id   = azuread_access_package_catalog.test_catalog.id
  # resource_role_scope_id = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
}

resource "azuread_access_package_assignment_policy" "test_access_package_assignment_policy_3" {
  display_name      = "azuread_access_package_assignment_policy_3"
  description       = "TestAcc Access Package Assignnment Policy 3"
  duration_in_days  = 1
  access_package_id = azuread_access_package.test_access_package.id
  requestor_settings {
    scope_type        = "SpecificDirectorySubjects"
    requests_accepted = true
    requestor {
      object_id    = azuread_group.membership_group.object_id
      subject_type = "groupMembers"
    }
  }

  approval_settings {
    approval_required = true
    approval_stage {
      approval_timeout_in_days = 5
      primary_approver {
        object_id    = azuread_group.elevated_approvers_group.object_id
        subject_type = "groupMembers"
      }
    }
  }
}

# List of approved resources
resource "azuread_access_package_resource_catalog_association" "example" {
  catalog_id             = azuread_access_package_catalog.test_catalog.id
  resource_origin_id     = azuread_group.security_created_group.object_id
  resource_origin_system = "AadGroup"
  # subject_type           = "groupMembers"
}

resource "azuread_access_package_resource_catalog_association" "access_to_existing_group" {
  catalog_id             = azuread_access_package_catalog.test_catalog.id
  resource_origin_id     = data.azuread_group.security_group.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package_resource_catalog_association" "access_to_existing_group_ro" {
  catalog_id             = azuread_access_package_catalog.test_catalog.id
  resource_origin_id     = data.azuread_group.security_group_ro.object_id
  resource_origin_system = "AadGroup"
}

resource "azuread_access_package_resource_package_association" "example" {
  access_package_id               = azuread_access_package.test_access_package.id
  catalog_resource_association_id = azuread_access_package_resource_catalog_association.example.id
}

Debug Output

│ Error: Deleting access package resource and catalog association with resource "GUID"@"AadGroup" and catalog id "GUID".
│
│ AccessPackageResourceRequestClient.BaseClient.Post(): unexpected status 400 with OData error: InvalidDeleteResourceHasEntitlements: The resource: {ResourceName} can not be deleted because there are active entitlements.

Expected Behavior

terraform destroy all the resources

Actual Behavior

When resources are deleted, we get a 400 on the deletion of the object azuread_access_package_resource_package_association.

Steps to Reproduce

With the code below, do:

  1. terraform apply
  2. terraform destroy

Important Factoids

Azure public cloud. Proper permission with role and permission.

References

https://github.com/hashicorp/terraform-provider-azuread/pull/903

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 6
  • Comments: 22 (4 by maintainers)

Most upvoted comments

Hi @alexwilcox9,

I was able to test it in our environment and successfully deleted access package and catalog associations without assignments! Thank you for your contribution! Let’s hope this finds its way into the provider quickly 😃

The order of the resource deletion seems correct unfortunately. The issue is a missing msgraph API Endpoint for access_package_resource_package_association_resource “DELETE”. That’s why only the state is being/can be removed.

As you cannot remove a resource catalog association when it is still associated with an access package, terraform fails…

There is a hint in the go provider resource

@pmatthews05 It is enough to delete the resource association to the access package and run terraform afterwards.

We’ll have to wait for Microsoft to update the MSGraph beta, I think, or someone finds a workaround utilizing the API triggered when manually deleting associations in the portal to be used within a null resource. https://elm.iga.azure.com/api/v1/accessPackages('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')/accessPackageResourceRoleScopes

Hello, here’s the answer of Microsoft support on the ticket I opened a few hours ago:

  • Indeed, for you to be able to Delete an Access Package you need first to guarantee that there are no active assignments.
  • Now, to delete the Access Package Assignments it is true that we do not have a DELETE endpoint for that matter. Instead, you will be able to Delete the Access Package Assignment by adapting the CREATE Access Package Assignment Request to perform an "adminRemove" operation.
    ◦ To get the list of AssignmentIds you can run the GET ListAssignments.

Although I understand the solution is a bit confusing in the docs, I personally tested the actions described on the bullet points above and I’m very confident that they will be of good help for you!

Thanks
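A pre-destroy cleanup script for the flow the support answer above describes (list the delivered assignments of the access package, then submit one adminRemove assignment request per assignment), added here as an example and not code from the issue, the provider or Microsoft; it assumes the Graph v1.0 entitlement management paths and filter syntax, and the sample response and its ids are constructed.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

# Graph v1.0 entitlement management base path (assumption: v1.0 paths as Microsoft documents them).
GRAPH = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# Constructed sample of a GET .../assignments response; ids and addresses are placeholders.
SAMPLE_PAGE = {"value": [
    {"id": "assign-0001", "state": "delivered", "target": {"email": "AdeleV@example.test"}},
    {"id": "assign-0002", "state": "expired", "target": {"email": "AlexW@example.test"}},
    {"id": "assign-0003", "state": "delivered", "target": {}},  # e.g. a soft-deleted user
]}

def active_assignment_ids(page):
    """Ids of assignments in state 'delivered': the 'active entitlements' that make the
    catalog association removal fail with InvalidDeleteResourceHasEntitlements."""
    return [a["id"] for a in page.get("value", [])
            if str(a.get("state", "")).lower() == "delivered"]

def admin_remove_body(assignment_id):
    """Body for POST .../assignmentRequests: the CREATE request performing the
    'adminRemove' operation support pointed to, since no DELETE endpoint exists."""
    return {"requestType": "adminRemove", "assignment": {"id": assignment_id}}

def remove_active_assignments(access_package_id, token, send=None):
    """List delivered assignments of one access package (following @odata.nextLink) and
    submit one adminRemove request per assignment; returns the assignment ids submitted.
    `send(method, url, body)` returns the decoded JSON response (default: urllib)."""
    send = send or _graph_send(token)
    flt = f"accessPackage/id eq '{access_package_id}' and state eq 'delivered'"
    url = f"{GRAPH}/assignments?$filter={quote(flt)}"
    ids = []
    while url:
        page = send("GET", url, None)
        ids += active_assignment_ids(page)
        url = page.get("@odata.nextLink")  # follow paging before submitting removals
    for aid in ids:
        send("POST", f"{GRAPH}/assignmentRequests", admin_remove_body(aid))
    return ids

def _graph_send(token):
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    def send(method, url, body):
        data = None if body is None else json.dumps(body).encode()
        with urlopen(Request(url, data=data, headers=headers, method=method)) as resp:
            return json.load(resp)
    return send
```

Run it with a token holding EntitlementManagement.ReadWrite.All before `terraform destroy`; once the requests have been processed, the catalog association deletion no longer hits InvalidDeleteResourceHasEntitlements.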

Thanks all, since this is surfacing these errors I think we’ll look to add a warning note to the provider docs in the meantime.

I too am having this problem. When developing it’s a bit annoying as I’m having to manually remove the entries in the state file, and manually remove in the portal before deploying again.

I know this isn’t a helpful comment, I can supply logs if you like, but it’s been covered above.

I’m using Service Principal with “EntitlementManagement.ReadWrite.All”.

It seems to be a problem in the order the resources are deleted in.

Hey, would any of you be able to see if the solution in my draft PR works for you?

I’ve given it a go in my environment and seem to be able to delete pretty reliably https://github.com/hashicorp/terraform-provider-azuread/pull/1124

{ResourceName} can not be deleted because there are active entitlements.

I have had this error myself but I don’t believe it’s a bug in the provider. I was unable to delete the resource because there were users with active entitlements on those access packages. Mine was a bit weird though because the portal did not show any active assignments. It turned out that it was due to a recently deleted user that was still in the deleted users section of AAD. I restored the user, the assignment re-appeared in the portal allowing me to remove it, and then I was able to delete the AP.

Hope that helps