
Bug: msgraph_update_resource PATCH succeeds but changes don't persist for PIM rule #75

@kewalaka


Provider Version

microsoft/msgraph v0.2.x

Affected Resource

msgraph_update_resource with PATCH operations on PIM policy rules

Description

When using msgraph_update_resource to PATCH PIM policy rules (unifiedRoleManagementPolicyExpirationRule), the provider reports successful updates, but the API doesn't persist the changes. The state file shows desired values, but subsequent reads show the API still has old values, causing perpetual drift.

Reproduction

```hcl
resource "msgraph_update_resource" "pim_rule" {
  url         = "policies/roleManagementPolicies/${policy_id}/rules/Expiration_Admin_Eligibility"
  api_version = "beta"
  body        = {
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_Admin_Eligibility"
    isExpirationRequired = true
    maximumDuration      = "P90D"  # Attempting to change from P365D
    target = {
      caller              = "Admin"
      operations          = ["All"]
      level               = "Eligibility"
      inheritableSettings = []
      enforcedSettings    = []
    }
  }
}
```

Expected: After apply, API returns maximumDuration = "P90D"
Actual: Apply succeeds with no errors, but API still returns maximumDuration = "P365D"

Verification
Direct PATCH via PowerShell with identical body structure works correctly:

```powershell
$policyId = 'Group_<redacted>'
$ruleId = 'Expiration_Admin_Eligibility'

$body = @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    id = 'Expiration_Admin_Eligibility'
    isExpirationRequired = $true
    maximumDuration = 'P90D'
    target = @{
        caller = 'Admin'
        operations = @('All')
        level = 'Eligibility'
        inheritableSettings = @()
        enforcedSettings = @()
    }
}
Invoke-MgGraphRequest -Method PATCH `
  -Uri "https://graph.microsoft.com/beta/policies/roleManagementPolicies/$policyId/rules/$ruleId" `
  -Body ($body | ConvertTo-Json -Depth 10)
```

Result: API immediately reflects maximumDuration = "P90D". Terraform then correctly detects no drift.
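
An added example, not part of the original issue or the provider's code: since the apply reports success while the rule keeps its old value, a read-back comparison is what catches the unenforced setting. The read-back below is a constructed sample standing in for a GET on the same rule URL, and the names `unpersisted`, `DESIRED` and `SAMPLE_READBACK` are hypothetical.

```python
import json

# Desired rule body, as in the Terraform reproduction on this page.
DESIRED = {
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
    "id": "Expiration_Admin_Eligibility",
    "isExpirationRequired": True,
    "maximumDuration": "P90D",
    "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility",
               "inheritableSettings": [], "enforcedSettings": []},
}

# Constructed sample: the rule as read back after the apply that "succeeded".
SAMPLE_READBACK = json.loads("""
{
  "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
  "id": "Expiration_Admin_Eligibility",
  "isExpirationRequired": true,
  "maximumDuration": "P365D",
  "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility",
             "targetObjects": [], "inheritableSettings": [], "enforcedSettings": []}
}
""")

MISSING = "<missing>"  # marker for a desired key the read-back does not contain


def unpersisted(desired, actual, path=""):
    """List (path, desired, actual) for each desired value the read-back lacks.

    Keys that appear only in the read-back are ignored: PATCH sends a subset,
    so server-populated properties are not drift.
    """
    if isinstance(desired, dict) and isinstance(actual, dict):
        diffs = []
        for key, want in desired.items():
            diffs += unpersisted(want, actual.get(key, MISSING), f"{path}/{key}")
        return diffs
    # Scalars and lists are compared whole, by type and value (True is not 1).
    if type(desired) is not type(actual) or desired != actual:
        return [(path or "/", desired, actual)]
    return []


if __name__ == "__main__":
    for path, want, got in unpersisted(DESIRED, SAMPLE_READBACK):
        print(f"NOT PERSISTED {path}: wanted {want!r}, API has {got!r}")
```

Run as a post-apply step, a non-empty result means the PIM rule in the tenant is not the one recorded in state, whatever the apply output said.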
