The resource is successfully created, but it is not written to the Terraform state.

[delikvent]

Recently, I attempted to use the msgraph Terraform provider to provision the /identityGovernance/entitlementManagement/accessPackages/{accessPackageId}/accessPackageResourceRoleScopes resource via the Microsoft Graph Beta API.

Aside from the fact that the Microsoft Graph Beta API returns an invalid URL in the Location header during resource creation (in this specific case), there also appears to be an issue with how the msgraph Terraform provider handles the 201 Created HTTP status code.

Based on my limited experience, the msgraph Terraform provider appears to assume that every resource supports the GET by ID operation
and constructs the verification request using the original request URL and the resource ID returned in the POST response.
However, in reality, many resources in the Microsoft Graph API only support the LIST operation — as was the case in my situation — which leads to resource creation verification failures.

As a result, the resource is successfully created, but it is not written to the Terraform state.

Possible solutions:

1. Preferably, a response with 201 Created status code should always include a valid URL in the Location header, so it can be used as intended. Therefore, we should report any invalid Location header issues to the upstream.
2. If possible, implement client-side logic to determine whether the resource supports the GET by ID operation — for example, by analyzing the OpenAPI specification — and construct the verification request accordingly. If not, use appropriate fallback logic.

Related links:

• https://learn.microsoft.com/en-us/graph/api/accesspackage-post-accesspackageresourcerolescopes?view=graph-rest-beta&tabs=http#example-1-add-group-membership-as-a-resource-role-to-an-access-package
• https://registry.terraform.io/providers/microsoft/msgraph/latest/docs/resources/resource

[ms-henglu]

Hi @delikvent ,

Thank you for taking time to report this issue.

Yes, this kind of URL is not supported by the msgraph provider yet, as mentioned in the doc: https://registry.terraform.io/providers/microsoft/msgraph/latest/docs/resources/resource#url-1

For this API, I think you could the msgraph_resource_action as a workaround, because it supports "Create/Delete/List" methods and you don't need to monitor its state.

[delikvent]

Hello @ms-henglu,

Thank you for looking into this. I'm glad to hear that this is a known limitation—this wasn't obvious to me at first glance from the documentation.

Unfortunately, the msgraph_resource_action resource isn't suitable for my use case, as I need to be able to monitor the state of the resource as well.

Is there any timeline for when this functionality might be supported?

[ms-henglu]

Hi @delikvent , currently it's not planned to support this kind of API. I'll put it in the backlog.