
msgraph_resource fails to properly update resources when external changes are detected #58

@bubbletroubles

Description


Problem Description

The msgraph_resource resource fails to properly manage and update properties when external changes are made outside of Terraform. While Terraform correctly detects the drift and shows the planned changes, the actual update operation doesn't apply the changes to the resource.

Steps to Reproduce

The steps below were performed using version 0.2.0 of the msgraph provider.

  1. Create a Conditional Access policy using the following configuration and run terraform apply:
resource "msgraph_resource" "block_legacy_auth" {
  url = "identity/conditionalAccess/policies"
  body = {
    displayName = "Via MSGraph - Block Legacy Authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions = {
      users = {
        includeUsers  = ["All"]
        excludeUsers  = []
        includeGroups = []
        excludeGroups = []
        includeRoles  = []
        excludeRoles  = []
      }
      applications = {
        includeApplications                         = ["All"]
        excludeApplications                         = []
        includeUserActions                          = []
        includeAuthenticationContextClassReferences = []
        applicationFilter                           = null
      }
      clientAppTypes = [
        "exchangeActiveSync",
        "other"
      ]
      platforms = {
        includePlatforms = ["all"]
        excludePlatforms = []
      }
      locations = {
        includeLocations = ["All"]
        excludeLocations = []
      }
      authenticationFlows = {
        transferMethods = "none"
      }
      signInRiskLevels           = []
      userRiskLevels             = []
      servicePrincipalRiskLevels = []
    }
    grantControls = {
      operator                    = "OR"
      builtInControls             = ["block"]
      customAuthenticationFactors = []
      termsOfUse                  = []
      authenticationStrength      = null
    }
    sessionControls = {
      applicationEnforcedRestrictions = null
      cloudAppSecurity                = null
      signInFrequency                 = null
      persistentBrowser               = null
      continuousAccessEvaluation      = null
      secureSignInSession             = null
      disableResilienceDefaults       = null
    }
  }
}
  2. Make manual changes in the Entra ID portal (e.g., exclude a user role from the policy)

  3. Run terraform apply - The plan correctly shows the detected changes:

  # msgraph_resource.block_legacy_auth will be updated in-place
  ~ resource "msgraph_resource" "block_legacy_auth" {
      ~ body                    = {
          ~ conditions      = {
              ~ users                      = {
                  ~ excludeRoles  = [
                      - "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
                    ]
                    # (5 unchanged attributes hidden)
                }
                # (8 unchanged attributes hidden)
            }
            # (4 unchanged attributes hidden)
        }
        id                      = "0d8d3ba0-6c38-4da4-af36-a98ae9a6fd9b"
      ~ output                  = {} -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behavior

After running terraform apply, the resource should be updated to match the Terraform configuration, removing the manually added exclusions.

Actual Behavior

  • The manual modifications made in the portal remain present on the resource after terraform apply
  • Running terraform apply again detects the same drift and shows the same planned changes
  • The update operation appears to complete successfully but doesn't actually modify the resource
  • This creates a persistent drift situation where Terraform always detects changes but never applies them

Impact

This prevents proper infrastructure-as-code management of Microsoft Graph resources, as manual changes cannot be reverted through Terraform operations.
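The behaviour reported above is easiest to confirm without trusting the provider's own plan output: fetch the policy JSON from Graph after the apply and compare it with the body Terraform was asked to enforce. The script below is an added example, not code from the msgraph provider or from the issue reporter. It embeds the desired body from the HCL above, a constructed sample of a Graph response in which a directory role was excluded in the portal (the role id is a placeholder, not a real tenant value), a recursive comparison that ignores Graph's read-only metadata, and a helper that builds the PATCH body which would restore the desired state. The assumption that Graph replaces a nested property such as `conditions` as a whole on PATCH, so the full top-level property must be resent, is mine and is noted in the code.

```python
"""Drift check for a Conditional Access policy managed with msgraph_resource.

Added example: compares the body Terraform is meant to enforce with the JSON
that Microsoft Graph actually returns, lists every attribute that differs, and
builds the PATCH body that would put the policy back. Run it against the output
of a GET on identity/conditionalAccess/policies/{id} to verify, independently
of the provider, whether `terraform apply` changed anything.
"""
import copy
import json
from typing import Any, Iterator

# Desired state: the `body` from the issue's msgraph_resource block as JSON
# (HCL null becomes JSON null).
DESIRED: dict[str, Any] = {
    "displayName": "Via MSGraph - Block Legacy Authentication",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "includeGroups": [],
                  "excludeGroups": [], "includeRoles": [], "excludeRoles": []},
        "applications": {"includeApplications": ["All"], "excludeApplications": [],
                         "includeUserActions": [],
                         "includeAuthenticationContextClassReferences": [],
                         "applicationFilter": None},
        "clientAppTypes": ["exchangeActiveSync", "other"],
        "platforms": {"includePlatforms": ["all"], "excludePlatforms": []},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
        "authenticationFlows": {"transferMethods": "none"},
        "signInRiskLevels": [], "userRiskLevels": [], "servicePrincipalRiskLevels": [],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"],
                      "customAuthenticationFactors": [], "termsOfUse": [],
                      "authenticationStrength": None},
    "sessionControls": {k: None for k in (
        "applicationEnforcedRestrictions", "cloudAppSecurity", "signInFrequency",
        "persistentBrowser", "continuousAccessEvaluation", "secureSignInSession",
        "disableResilienceDefaults")},
}

# Constructed sample of a Graph GET response after someone excluded a directory
# role in the portal. The id and role id are placeholders, not real values.
ACTUAL: dict[str, Any] = copy.deepcopy(DESIRED)
ACTUAL.update({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity",
    "id": "00000000-0000-0000-0000-00000000abcd",
    "createdDateTime": "2025-01-01T00:00:00Z",
    "modifiedDateTime": "2025-01-02T00:00:00Z",
    "templateId": None,
})
ACTUAL["conditions"]["users"]["excludeRoles"] = ["00000000-0000-0000-0000-000000000001"]

# Server-managed properties that are not part of the Terraform-managed body.
READ_ONLY = {"@odata.context", "id", "createdDateTime", "modifiedDateTime",
             "templateId", "deletedDateTime"}


def diff(desired: Any, actual: Any, path: str = "") -> Iterator[tuple[str, Any, Any]]:
    """Yield (dotted path, desired value, actual value) for every difference.

    A missing key and an explicit null are treated as equal, since Graph may omit
    null properties. Lists of scalars are compared as unordered multisets because
    Graph does not guarantee element order.
    """
    if isinstance(desired, dict) and isinstance(actual, dict):
        for key in sorted(set(desired) | set(actual)):
            if key in READ_ONLY:
                continue
            child = f"{path}.{key}" if path else key
            yield from diff(desired.get(key), actual.get(key), child)
    elif (isinstance(desired, list) and isinstance(actual, list)
          and all(not isinstance(x, (dict, list)) for x in desired + actual)):
        if sorted(map(str, desired)) != sorted(map(str, actual)):
            yield (path, desired, actual)
    elif desired != actual:
        yield (path, desired, actual)


def drifted_paths(desired: dict[str, Any], actual: dict[str, Any]) -> list[str]:
    """Dotted paths of every attribute whose live value differs from the config."""
    return [p for p, _, _ in diff(desired, actual)]


def patch_body(desired: dict[str, Any], actual: dict[str, Any]) -> dict[str, Any]:
    """PATCH body that restores the desired state for every drifted property.

    Assumption (not stated in the issue): Graph replaces a nested object such as
    `conditions` wholesale on PATCH, so the entire top-level property is resent
    rather than only the drifted leaf.
    """
    tops = {p.split(".")[0] for p in drifted_paths(desired, actual)}
    return {k: desired[k] for k in sorted(tops)}


if __name__ == "__main__":
    for path, want, got in diff(DESIRED, ACTUAL):
        print(f"drift at {path}: desired={want!r} actual={got!r}")
    print(json.dumps(patch_body(DESIRED, ACTUAL), indent=2))
```

To use it against a real tenant, replace `ACTUAL` with the JSON from `az rest --method get --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<policy-id>"` and run the script before and after `terraform apply`; if the same drift path is reported both times, the provider's update did not reach the resource, which is the symptom described in this issue.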

Labels: bug (Something isn't working)