`msgraph_resource` fails to properly update resources when external changes are detected

[bubbletroubles]

Problem Description

The msgraph_resource resource fails to properly manage and update properties when external changes are made outside of Terraform. While Terraform correctly detects the drift and shows the planned changes, the actual update operation doesn't apply the changes to the resource.

Steps to Reproduce

The steps below were using version 0.2.0 of the msgraph provider.

1. Create a Conditional Access policy using the following configuration and run terraform apply:

resource "msgraph_resource" "block_legacy_auth" {
  url = "identity/conditionalAccess/policies"
  body = {
    displayName = "Via MSGraph - Block Legacy Authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions = {
      users = {
        includeUsers  = ["All"]
        excludeUsers  = []
        includeGroups = []
        excludeGroups = []
        includeRoles  = []
        excludeRoles  = []
      }
      applications = {
        includeApplications                         = ["All"]
        excludeApplications                         = []
        includeUserActions                          = []
        includeAuthenticationContextClassReferences = []
        applicationFilter                           = null
      }
      clientAppTypes = [
        "exchangeActiveSync",
        "other"
      ]
      platforms = {
        includePlatforms = ["all"]
        excludePlatforms = []
      }
      locations = {
        includeLocations = ["All"]
        excludeLocations = []
      }
      authenticationFlows = {
        transferMethods = "none"
      }
      signInRiskLevels           = []
      userRiskLevels             = []
      servicePrincipalRiskLevels = []
    }
    grantControls = {
      operator                    = "OR"
      builtInControls             = ["block"]
      customAuthenticationFactors = []
      termsOfUse                  = []
      authenticationStrength      = null
    }
    sessionControls = {
      applicationEnforcedRestrictions = null
      cloudAppSecurity                = null
      signInFrequency                 = null
      persistentBrowser               = null
      continuousAccessEvaluation      = null
      secureSignInSession             = null
      disableResilienceDefaults       = null
    }
  }
}

2. Make manual changes in the Entra ID portal (e.g., exclude a user role from the policy)

3. Run terraform apply - The plan correctly shows the detected changes:

  # msgraph_resource.block_legacy_auth will be updated in-place
  ~ resource "msgraph_resource" "block_legacy_auth" {
      ~ body                    = {
          ~ conditions      = {
              ~ users                      = {
                  ~ excludeRoles  = [
                      - "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
                    ]
                    # (5 unchanged attributes hidden)
                }
                # (8 unchanged attributes hidden)
            }
            # (4 unchanged attributes hidden)
        }
        id                      = "0d8d3ba0-6c38-4da4-af36-a98ae9a6fd9b"
      ~ output                  = {} -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behavior

After running terraform apply, the resource should be updated to match the Terraform configuration, removing the manually added exclusions.

Actual Behavior

• The manual modifications made in the portal remain present on the resource after terraform apply
• Running terraform apply again detects the same drift and shows the same planned changes
• The update operation appears to complete successfully but doesn't actually modify the resource
• This creates a persistent drift situation where Terraform always detects changes but never applies them

Impact

This prevents proper infrastructure-as-code management of Microsoft Graph resources, as manual changes cannot be reverted through Terraform operations.

[ms-henglu]

Hi @bubbletroubles ,

Thank you for taking time to report this issue.

Would you please share the debug logs to help investigate? I think it could be an upstream-API issue.

Here's how to get the debug logs:

1. Add the below environment variables:
   TF_LOG=DEBUG
   TF_LOG_PATH=./terraform.log

2. Run terraform apply command, the debug logs will be stored in the ./terraform.log

[bubbletroubles]

Thanks @ms-henglu - The msgraph provider isn't sending the PATCH method to update the policy. You can see a few errors in the debug log.

Debug log is here.

[ms-henglu]

Hi @bubbletroubles ,

Thanks for sharing the debug logs.

I noticed the below logs, it seems that the resource matches with the configuration, so no update is needed.

2025-09-28T11:16:58.202+1000 [INFO]  provider.terraform-provider-msgraph_v0.2.0.exe: No changes detected in body, skipping update: tf_resource_type=msgraph_resource tf_rpc=ApplyResourceChange @caller=github.com/microsoft/terraform-provider-msgraph/internal/services/msgraph_resource.go:326 @module=msgraph tf_provider_addr=registry.terraform.io/microsoft/msgraph tf_req_id=2128481f-8104-c5bd-d41a-15760193a2ae timestamp="2025-09-28T11:16:58.202+1000"

[bubbletroubles]

Thanks @ms-henglu - I think that is part of the issue.

When I run terraform apply, the plan is as per the block below. There is a "excludeRole" configured in the policy which should be removed by the msgraph provider. The terraform apply does not remove the additional role.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # msgraph_resource.block_legacy_auth will be updated in-place
  ~ resource "msgraph_resource" "block_legacy_auth" {
      ~ body                    = {
          ~ conditions      = {
              ~ users                      = {
                  ~ excludeRoles  = [
                      - "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
                    ]
                    # (5 unchanged attributes hidden)
                }
                # (8 unchanged attributes hidden)
            }
            # (4 unchanged attributes hidden)
        }
        id                      = "0d8d3ba0-6c38-4da4-af36-a98ae9a6fd9b"
      ~ output                  = {} -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

[bubbletroubles]

@ms-henglu does this analysis help narrow down the issue?

Root Cause Analysis

Based on the debug logs and source code examination, here's what's happening:

The Issue (line 184 in terraform.log):

No changes detected in body, skipping update

The provider detects drift during the Read operation but then decides "No changes detected" during the Update operation, so it skips sending the PATCH request entirely.

Why This Happens:

1. During Read (lines 110-113 in log):
   - Provider fetches the policy from Graph API via GET
   - Graph API returns: "excludeRoles":["9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"]
   - This is a role that was manually added in the portal

2. The Read function updates the state (msgraph_resource.go:389):
   body := utils.UpdateObject(requestBody, responseBody, option)

3. The UpdateObject function merges the Terraform config with the API response, keeping values from the API response. This causes the state to be updated with the drift (the excluded role).

4. Warning at line 113:
   Failed to parse payload: tuple element size not match: json=1, type=0

5. This indicates the provider is having trouble parsing the excludeRoles array because:
   - Terraform config defines: excludeRoles = [] (empty array with type tuple of 0 elements)
   - API returns: ["9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"] (array with 1 element)

6. During Update (msgraph_resource.go:312):
   patchBody := utils.DiffObject(previousBody, requestBody, diffOption)

7. The DiffObject function compares:
   - previousBody (state after Read, which now includes the excluded role)
   - requestBody (the desired state from Terraform config)

However, because the Read operation updated the state with the drifted value, previousBody and requestBody now appear identical (or the comparison fails due to the type mismatch), so DiffObject returns an empty object.
8. Result: No PATCH request is sent, and the drift persists.

The Core Problem:

The issue is in msgraph_resource.go:389:
body := utils.UpdateObject(requestBody, responseBody, option)

This merges the Terraform config (requestBody) with the API response (responseBody), which overwrites the Terraform state with the API's current values, including manual changes. This defeats the purpose of detecting drift.

Additionally, there's a type mismatch issue where the Terraform schema expects an empty tuple [] but the API returns an array with one element ["..."], causing the parsing warning at line 398.

The Fix Would Involve:

1. Not updating the state with drifted values during Read - The Read operation should preserve the desired state from Terraform config, not merge it with API response
2. Properly handling tuple/array type mismatches - The dynamic type system needs to handle arrays with different lengths
3. Ensuring DiffObject compares desired state vs actual state - Currently it's comparing actual vs actual after the Read operation merged them