azuread_application_password: end_date and end_date_relative parameter should calculate the end date of the application password based on the start_date but it is calculated based on the current timestamp when TF apply is executed

[ccsandhanshive]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.0.0

• provider registry.terraform.io/hashicorp/azuread v2.20.0

Affected Resource(s)

• azuread_application_password

Terraform Configuration Files

resource "azuread_application" "example" {
  display_name = "example"
}
resource "time_rotating" "example" {
  rotation_days = 7
}

resource "azuread_application_password" "example" {
  application_object_id = azuread_application.example.object_id
  end_date_relative     = "10h"
  start_date        = "2022-09-13T23:27:23Z"
  rotate_when_changed = {
    rotation = time_rotating.example.id
  }
}

Debug Output

│ error: KeyCredentialsInvalidEndDate: Key credential end date is invalid. 

Expected Behavior

• As per Azure PowerShell, if start date is specified without any end date then the end-date would be calculated as 1 year after the start-date

• For example, if start date is 1/1/2024 1:02:03 AM then the end date would be 1/1/2025 1:02:03 AM

• However, in terraform, the end_date parameter is calculated based on the current timestamp (NOT the start_date)

  • If start_date is 2022-09-01T01:02:03Z and end_date_relative is "10h" then the calculated end_date is 2022-07-13T11:02:03Z (since the current timestamp is 2022-07-13T01:02:03Z)

  • The expected end_date is 2022-09-01T11:02:03Z

• Similarly, if both end_date and end_date_relative aren't specified, the calculated end_date should be based on the start_date not the current timestamp

Actual Behavior

• Terraform calculates end_date parameter based on the current timestamp and not the start_date parameter.

• This leads to an error during the apply command if the calculated end_date ends up being before the start_date

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[ccsandhanshive]

Are there any updates on this?

[manicminer]

Thanks for requesting this @ccsandhanshive. I agree that setting an expiry date relative to the start date makes more sense. Whilst this technically constitutes a breaking behavioral change, in practice seems unlikely to break any existing workflows and will not affect any already-created credentials, so I think we're probably OK to update this.

Thanks @Threpio for picking this up and submitting a PR! ⭐

[github-actions]

This functionality has been released in v2.27.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[ccsandhanshive]

@manicminer Thank you for adding functionality for end_date_relative parameter now it calculates end_date based on start_date which we have specified for start_date parameter.

The end_date parameter in azuread_application_password is an optional parameter and its default value is still 2 years after the current timestamp, not 2 or 1 year after start_date

As per azure Powershell default value for end_date is 1 year after start_date

If both end_date and end_date_relative aren't specified, the calculated end_date should be based on the start_date not the current timestamp

Could you please let us know if this behavior is expected behavior, if not then what is the reason that terraform has not added this functionality

[chennagouda14]

@manicminer Thank you for adding this functionality for end_date_relative parameter in azuread_application_certificate resource, now the end_date_relative parameter calculates the end date of a certificate/key based on the start_date.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.