@bigwheel bigwheel commented Jun 11, 2023

Resolve #1116

What I tested

  • make test
  • Fixed the actual behavior so that it becomes the expected behavior (no diffs)

Test steps

  1. Clone provider code
  2. Change the code
  3. make build
  4. terraform init and terraform plan several times. Check plans show requestor diffs.
  5. Override azuread provider

         provider_installation {
           dev_overrides {
             "hashicorp/azuread" = "/home/kbigwheel/.asdf/installs/golang/1.19.4/packages/bin"
           }
           direct {}
         }

  6. terraform init and terraform plan several times. Check plans don't show requestor diffs.

@manicminer
Contributor

Thanks for suggesting this change @bigwheel. In my testing I have not been able to reproduce this as yet, can you confirm if this happens repeatably or intermittently? If you update your configuration to match the order of requestors, does the diff go away (and not return after a few plans)?

In principle I'd be happy to make this change, however changing a property from a TypeList to a TypeSet is usually considered a breaking change, since a property might be referenced elsewhere in users' configurations. This means we normally only make such a change with a new major version of a provider, e.g. v2.x -> v3.0.

@manicminer added this to the v3.0.0 milestone Jul 12, 2023
@manicminer changed the title from "Change requestors type from List to Set" to "azuread_access_package_assignment_policy: change requestors type from List to Set" Jul 12, 2023
@bigwheel
Author

@manicminer Thank you for the reply!

> In my testing I have not been able to reproduce this as yet, can you confirm if this happens repeatably or intermittently? If you update your configuration to match the order of requestors, does the diff go away (and not return after a few plans)?

No, it doesn't. I applied several times but the diff still remained.

> This means we normally only make such a change with a new major version of a provider, e.g. v2.x -> v3.0.

Agreed. We have added requestor to the ignore_changes list. Therefore, it is not a critical problem, at least for now.

@manicminer
Contributor

Thanks for the feedback. Agreed this should be a TypeSet, as mentioned we'll fix this in v3.0.

@tjrobinson

Thanks @manicminer. I don't suppose you have a rough ETA on v3.0 yet? Are we talking days/weeks/months?

@manicminer
Contributor

Unfortunately we don't have a timeframe as yet. There is a lot of ground work going on right now in preparation for it, but I'm afraid I can't offer an estimate at this point in time.

@sklakegg
Contributor

Hey, any update on this? We are currently scaling up the use of terraformed access packages, and this is really messing up the plans :)

@seanhoughton

This would be nice to get merged. I'd prefer not to have to use the ignore_changes workaround, especially with security related infra. Additionally, hashicorp/terraform#5666 means I have to ignore the entire requestor_settings block and not just the requestor field.

@manicminer removed this from the v3.0.0 milestone Sep 27, 2024
@kristeey

Why was this removed from the 3.0 milestone, @manicminer?

@akorp

akorp commented Jul 7, 2025

Hi @manicminer,

Any update on when this can be merged 🙏
We still have this issue in all our terraform runs in a repo.

@tatsuo48

tatsuo48 commented Aug 8, 2025

I'm also waiting for the same thing.
What methods are available to have the priority increased?

@akorp

akorp commented Aug 12, 2025

> Hi @manicminer,
>
> Any update on when this can be merged 🙏 We still have this issue in all our terraform runs in a repo.

Actually, in our case it seems that the tfplan no longer changes the requestors' order in azuread_access_package_assignment_policy/requestor_settings. It consistently returns the same order, and after updating the code we don't have a diff any longer (after updating the order in the code to the one returned from tfplan).

We use hashicorp/azuread v3.3.0.

@AndersRunningen

AndersRunningen commented Aug 25, 2025

> > Hi @manicminer,
> > Any update on when this can be merged 🙏 We still have this issue in all our terraform runs in a repo.
>
> Actually, in our case it seems that the tfplan no longer changes the requestors' order in azuread_access_package_assignment_policy/requestor_settings. It consistently returns the same order, and after updating the code we don't have a diff any longer (after updating the order in the code to the one returned from tfplan).
>
> We use hashicorp/azuread v3.3.0.

We use v3.5.0 and still experience this issue. Example from terraform output below:

# module.aad["data-plattform-dev-01"].azuread_access_package_assignment_policy.default-policy["contributor"] will be updated in-place
  ~ resource "azuread_access_package_assignment_policy" "default-policy" {
        id                = "27c39e98-b58c-49d3-bb3a-xxxxxxxxxxxxxxx"
        # (6 unchanged attributes hidden)

      ~ requestor_settings {
            # (2 unchanged attributes hidden)

          ~ requestor {
              ~ object_id    = "a848ebcb-d0d6-4f96-a4aa-xxxxxxxxxxxxxxx" -> "b45d2570-6bcd-40be-802c-xxxxxxxxxxxxxxx"
                # (2 unchanged attributes hidden)
            }
          ~ requestor {
              ~ object_id    = "bcfa432f-00b2-47ef-8d8e-xxxxxxxxxxxxxxx" -> "a848ebcb-d0d6-4f96-a4aa-xxxxxxxxxxxxxxx"
              ~ subject_type = "SingleUser" -> "groupMembers"
                # (1 unchanged attribute hidden)
            }
          ~ requestor {
              ~ object_id    = "9f111a92-95ea-4d42-b355-xxxxxxxxxxxxxxx" -> "bcfa432f-00b2-47ef-8d8e-xxxxxxxxxxxxxxx"
              ~ subject_type = "GroupMembers" -> "singleUser"
                # (1 unchanged attribute hidden)
            }
          ~ requestor {
              ~ object_id    = "2a69eca9-7d3f-40d4-914d-xxxxxxxxxxxxxxx" -> "9f111a92-95ea-4d42-b355-xxxxxxxxxxxxxxx"
                # (2 unchanged attributes hidden)
            }
          ~ requestor {
              ~ object_id    = "5cb8213c-9ef1-4f57-9c4c-xxxxxxxxxxxxxxx" -> "2a69eca9-7d3f-40d4-914d-xxxxxxxxxxxxxxx"
                # (2 unchanged attributes hidden)
            }
          ~ requestor {
              ~ object_id    = "4d625069-aba7-42dd-8ab9-xxxxxxxxxxxxxxx" -> "5cb8213c-9ef1-4f57-9c4c-xxxxxxxxxxxxxxx"
                # (2 unchanged attributes hidden)
            }
          ~ requestor {
              ~ object_id    = "b45d2570-6bcd-40be-802c-xxxxxxxxxxxxxxx" -> "4d625069-aba7-42dd-8ab9-xxxxxxxxxxxxxxx"
                # (2 unchanged attributes hidden)
            }
        }
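
A plan-review check for the drift shown in the output above, as an added example that is not part of the thread or the provider's code: it reads the JSON form of a plan (`terraform show -json`) and separates a pure reordering of `requestor` blocks from a plan that really adds or removes a requestor. The sample plan and its object IDs are constructed, and treating `subject_type` casing as insignificant is an assumption.

```python
# Constructed sample shaped like `terraform show -json <planfile>` output.
# Object IDs are placeholders, not values from the thread.
A, B, C = ("00000000-0000-0000-0000-00000000000%s" % s for s in "abc")
TYPE = "azuread_access_package_assignment_policy"

def _change(before, after):
    wrap = lambda rs: {"requestor_settings": [{"requestor": [
        {"object_id": o, "subject_type": t} for o, t in rs]}]}
    return {"actions": ["update"], "before": wrap(before), "after": wrap(after)}

SAMPLE_PLAN = {"resource_changes": [
    {"address": TYPE + ".rotated", "type": TYPE, "change": _change(
        [(A, "SingleUser"), (B, "GroupMembers"), (C, "SingleUser")],
        [(C, "singleUser"), (A, "singleUser"), (B, "groupMembers")])},
    {"address": TYPE + ".widened", "type": TYPE, "change": _change(
        [(A, "SingleUser")],
        [(A, "singleUser"), (B, "groupMembers")])},
]}

def requestors(state):
    """Requestors of one before/after state as a list of comparable tuples."""
    out = []
    for settings in (state or {}).get("requestor_settings") or []:
        for r in settings.get("requestor") or []:
            # Assumption: subject_type casing is not significant (the plan
            # above shows "SingleUser" vs "singleUser"). A value unknown at
            # plan time is absent here and becomes "", which never matches.
            out.append((str(r.get("object_id", "")).lower(),
                        str(r.get("subject_type", "")).lower()))
    return out

def requestor_drift(plan):
    """Map address -> 'reordered', or the requestors added and removed."""
    report = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != TYPE:
            continue
        before = requestors(rc["change"].get("before"))
        after = requestors(rc["change"].get("after"))
        if before == after:
            continue  # requestor list untouched
        added, removed = set(after) - set(before), set(before) - set(after)
        if added or removed:
            report[rc["address"]] = {"added": sorted(added),
                                     "removed": sorted(removed)}
        else:
            report[rc["address"]] = "reordered"
    return report
```

The check looks only at the `requestor` blocks, so any other attribute change on the same resource still needs normal review.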

@akorp

akorp commented Aug 25, 2025

> > > Hi @manicminer,
> > > Any update on when this can be merged 🙏 We still have this issue in all our terraform runs in a repo.
> >
> > Actually, in our case it seems that the tfplan no longer changes the requestors' order in azuread_access_package_assignment_policy/requestor_settings. It consistently returns the same order, and after updating the code we don't have a diff any longer (after updating the order in the code to the one returned from tfplan).
> > We use hashicorp/azuread v3.3.0.
>
> We use v3.5.0 and still experience this issue. Example from terraform output below:
>
> # module.aad["data-plattform-dev-01"].azuread_access_package_assignment_policy.default-policy["contributor"] will be updated in-place
>   ~ resource "azuread_access_package_assignment_policy" "default-policy" {
>         id                = "27c39e98-b58c-49d3-bb3a-xxxxxxxxxxxxxxx"
>         # (6 unchanged attributes hidden)
>
>       ~ requestor_settings {
>             # (2 unchanged attributes hidden)
>
>           ~ requestor {
>               ~ object_id    = "a848ebcb-d0d6-4f96-a4aa-xxxxxxxxxxxxxxx" -> "b45d2570-6bcd-40be-802c-xxxxxxxxxxxxxxx"
>                 # (2 unchanged attributes hidden)
>             }
>           ~ requestor {
>               ~ object_id    = "bcfa432f-00b2-47ef-8d8e-xxxxxxxxxxxxxxx" -> "a848ebcb-d0d6-4f96-a4aa-xxxxxxxxxxxxxxx"
>               ~ subject_type = "SingleUser" -> "groupMembers"
>                 # (1 unchanged attribute hidden)
>             }
>           ~ requestor {
>               ~ object_id    = "9f111a92-95ea-4d42-b355-xxxxxxxxxxxxxxx" -> "bcfa432f-00b2-47ef-8d8e-xxxxxxxxxxxxxxx"
>               ~ subject_type = "GroupMembers" -> "singleUser"
>                 # (1 unchanged attribute hidden)
>             }
>           ~ requestor {
>               ~ object_id    = "2a69eca9-7d3f-40d4-914d-xxxxxxxxxxxxxxx" -> "9f111a92-95ea-4d42-b355-xxxxxxxxxxxxxxx"
>                 # (2 unchanged attributes hidden)
>             }
>           ~ requestor {
>               ~ object_id    = "5cb8213c-9ef1-4f57-9c4c-xxxxxxxxxxxxxxx" -> "2a69eca9-7d3f-40d4-914d-xxxxxxxxxxxxxxx"
>                 # (2 unchanged attributes hidden)
>             }
>           ~ requestor {
>               ~ object_id    = "4d625069-aba7-42dd-8ab9-xxxxxxxxxxxxxxx" -> "5cb8213c-9ef1-4f57-9c4c-xxxxxxxxxxxxxxx"
>                 # (2 unchanged attributes hidden)
>             }
>           ~ requestor {
>               ~ object_id    = "b45d2570-6bcd-40be-802c-xxxxxxxxxxxxxxx" -> "4d625069-aba7-42dd-8ab9-xxxxxxxxxxxxxxx"
>                 # (2 unchanged attributes hidden)
>             }
>         }

Try to switch the requestor order in your terraform code to the order shown in your tf plan. After doing this, tf plan no longer shows changes for us.

Development

Successfully merging this pull request may close these issues.

Order of azuread_access_package_assignment_policy's requestors change in each plan / apply
