
Error handling improvement for new azuread_application_flexible_federated_identity_credential #1807

@danquack

Description


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

  • azuread_application_flexible_federated_identity_credential

Terraform Configuration Files

I was trying to see if I could create the new Flexible FIC but learned that this only works for Terraform Cloud, not TFE. As a result, troubleshooting was a little difficult due to the way the resource errored. Using the Graph API exposed the information I needed.

resource "azuread_application_flexible_federated_identity_credential" "hcp_terraform" {
  application_id             = azuread_application.hcp_terraform.id
  claims_matching_expression = "claims['sub'] matches '${local.sub}'"
  display_name               = "hcp-terraform-workspace"
  audience                   = "api://AzureADTokenExchange"
  issuer                     = "https://tfe.private-instance.com"
}

resource "msgraph_resource" "flexibile_federated_identity_credential" {
  url         = "applications/${azuread_application.hcp_terraform.object_id}/federatedIdentityCredentials"
  api_version = "beta"

  body = {
    name      = "tfe-application-test"
    issuer    = "https://tfe.private-instance.com"
    audiences = ["api://AzureADTokenExchange"]
    claimsMatchingExpression = {
      value           = "claims['sub'] matches '${local.sub}'"
      languageVersion = 1
    }
  }
}

Debug Output

Error with azuread_application_flexible_federated_identity_credential

╷
│ Error: adding flexible federated identity credential for Application (Application: "redacted")
│ 
│   with azuread_application_flexible_federated_identity_credential.hcp_terraform,
│   on main.tf line 126, in resource "azuread_application_flexible_federated_identity_credential" "hcp_terraform":
│  126: resource "azuread_application_flexible_federated_identity_credential" "hcp_terraform" {
│ 
│ adding flexible federated identity credential for Application (Application: "redacted")

Error with msgraph_resource

{
│   "error": {
│     "code": "InvalidFederatedIdentityCredentialValue",
│     "message": "The FederatedIdentityCredential.ClaimsMatchingExpression.Value is invalid. Rule exception: Expression is not supported for applications in this cloud 'Public' using issuer 'https://tfe.private-instance.com'. paramName: FederatedIdentityCredential.ClaimsMatchingExpression.Value, paramValue: claims['sub'] matches 'redacted:*', objectType: Microsoft.Online.DirectoryServices.Application",
│   }
│ }

Panic Output

Expected Behavior

  • The error on the azuread_application_flexible_federated_identity_credential would align to the error from the Graph API

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

References
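The behaviour asked for under Expected Behavior, surfacing the Graph error code and message instead of only the generic wrapper text, as an added example in Go (the provider's language). This is illustrative code, not the provider's own implementation; the function name `wrapGraphError`, the HTTP status values and the sample body are assumptions, with the sample body constructed from the code and message quoted in the report above (the real response shown there has a trailing comma, which strict JSON parsers reject).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// graphError mirrors the OData error envelope Microsoft Graph returns
// on a failed request: {"error": {"code": "...", "message": "..."}}.
type graphError struct {
	Error struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// wrapGraphError (hypothetical name) turns a failed POST to
// .../federatedIdentityCredentials into an error that keeps the Graph error
// code and message, so the user sees why the request was rejected rather than
// only the provider's generic "adding flexible federated identity credential" text.
func wrapGraphError(appID string, status int, body []byte) error {
	base := fmt.Errorf("adding flexible federated identity credential for Application (Application: %q)", appID)
	var ge graphError
	if err := json.Unmarshal(body, &ge); err != nil || ge.Error.Code == "" {
		// Not a Graph envelope (gateway HTML, empty body, ...): keep status and raw body.
		return fmt.Errorf("%w: HTTP %d: %s", base, status, strings.TrimSpace(string(body)))
	}
	return fmt.Errorf("%w: HTTP %d %s: %s", base, status, ge.Error.Code, ge.Error.Message)
}

// sampleBody is a constructed Graph response built from the error quoted above.
const sampleBody = `{"error":{"code":"InvalidFederatedIdentityCredentialValue","message":"The FederatedIdentityCredential.ClaimsMatchingExpression.Value is invalid. Rule exception: Expression is not supported for applications in this cloud 'Public' using issuer 'https://tfe.private-instance.com'."}}`

func main() {
	// Graph rejects the claims expression: code and message are preserved.
	fmt.Println(wrapGraphError("redacted", 400, []byte(sampleBody)))
	// Non-Graph failure: status and raw body are preserved instead.
	fmt.Println(wrapGraphError("redacted", 502, []byte("<html>Bad Gateway</html>")))
}
```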
