msgraph_resource applications/{application_id}/federatedIdentityCredentials tf state issues, causing graph api call errors when applying #55

@nicholaslanger

Description

Hi ms tf devs,

I'm attempting to create federated credentials for Azure service principals using the msgraph provider resource msgraph_resource, making a request to applications/{application_id}/federatedIdentityCredentials on the beta version. We need to use the beta version to be able to create a claimsMatchingExpression on the federated credentials. Somehow this resource is being created but simply errors every time for some service principals (it works fine for other SPs) due to what we think to be a state tracking issue.

Our theory for this error is this...

  1. Initial create happens: the federated credential doesn't exist yet, the federated credential gets created and put into state.
  2. TF refresh occurs on the next run; due to some error in the API (we're guessing), it attempts to see if the federated credential exists, fails when calling some API to determine if it exists, attempts to recreate it and errors.

Since it's only happening to some service principals we think it might be something like a region issue? Or maybe something with us using the beta api?

Can someone look into this? Any ideas? Let me know! Thanks.

example error:

```
Error: Failed to create resource

POST:
https://graph.microsoft.com/beta/applications/application_id/federatedIdentityCredentials

RESPONSE 409: 409 Conflict
ERROR CODE: Request_MultipleObjectsWithSameKeyValue

{
  "error": {
    "code": "Request_MultipleObjectsWithSameKeyValue",
    "message": "FederatedIdentityCredential with name name already exists.",
    "innerError": {
      "date": date,
      "request-id": request id,
      "client-request-id": client request id
    }
  }
}
```

example resource:

```hcl
resource "msgraph_resource" "federated_identity_credential" {
  # Interpolate the application object id into the collection URL
  url         = "applications/${var.application_id}/federatedIdentityCredentials"
  api_version = "beta"

  body = {
    name        = "foo"
    description = "bar"
    audiences   = ["api://AzureADTokenExchange"]
    issuer      = "https://token.actions.githubusercontent.com"
    # In the Graph beta schema claimsMatchingExpression is an object
    # (federatedIdentityExpression) rather than a bare string; when it is
    # set, subject must be left null.
    claimsMatchingExpression = {
      value           = "expression"
      languageVersion = 1
    }
  }
}
```
