Receiving 'Failed to read data source' on `msgraph_update_resource` using OIDC authentication

[mpwaldhorst]

When using OIDC authentication for the provider in Azure DevOps we are receiving the following error that seems to be indicating a failure to retrieve a token and additionally a 405 HTTP status response during terraform plan.

This error seems slightly different from what is mentioned in #69 and using msgraph_resource_action does not seem to resolve the issue.

Provider versions: 0.2.0, 0.3.0

Observed behavior

The execution of the plan fails after about 10-20 seconds so it seems strange that a token error occurs in this timeframe.

The following error seems to occur for some of the users in the map but not for all. In addition, on every execution the error happens for different users.

╷
│ Error: Failed to read data source
│ 
│   with msgraph_update_resource.users_usage_location["<SOME_ID>"],
│   on main.tf line 6, in resource "msgraph_update_resource" "users_usage_location":
│    6: resource "msgraph_update_resource" "users_usage_location" {
│ 
│ ChainedTokenCredential: failed to acquire a token.
│ Attempted credentials:
│ 	ClientAssertionCredential: getAssertion: received HTTP status 405 with
│ response: {"count":1,"value":{"Message":"The requested resource does not
│ support http method 'GET'."}}
╵

Our pipeline template sets the authentication for the provider up as follows and this seems to work fine for azapi and azurerm providers:

    - task: AzureCLI@2
      name: ${{ parameters.name }}
      displayName: ${{ parameters.displayName }}
      condition: ${{ parameters.condition }}
      timeoutInMinutes: ${{ parameters.timeoutInMinutes }}
      inputs:
        azureSubscription: ${{ parameters.serviceConnection }}
        visibleAzLogin: false
        addSpnToEnvironment: true
        scriptLocation: 'inlineScript'
        scriptType: 'pscore'
        workingDirectory: ${{ parameters.workingDirectory }}
        inlineScript: |
          # Set-up Azure connection for terraform:
          $env:ARM_TENANT_ID=$env:AZURESUBSCRIPTION_TENANT_ID
          $env:ARM_CLIENT_ID=$env:AZURESUBSCRIPTION_CLIENT_ID
          # The following allows to omit the subscription id parameter for the azurerm provider (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#argument-reference)
          $env:ARM_SUBSCRIPTION_ID=(az account show --query "id" -o tsv)
          $env:ARM_USE_AZUREAD="true"
          $env:ARM_USE_OIDC="true"
          $env:ARM_OIDC_AZURE_SERVICE_CONNECTION_ID=$env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID
          $env:ARM_OIDC_REQUEST_TOKEN="$(System.AccessToken)"
          $env:ARM_OIDC_REQUEST_URL="$(System.OidcRequestUri)"

[ms-henglu]

Hi @mpwaldhorst ,

Thank you for taking time to report this issue.

Please remove the ARM_OIDC_REQUEST_URL config, because it enables the OIDC flow and I think you're using the azure devops pipline.

# Do NOT set ARM_OIDC_REQUEST_URL — that enables the GitHub Actions OIDC flow, not Azure Pipelines

[mpwaldhorst]

Hi @ms-henglu,
That does indeed fix the issue for us.

This does seem to be different behavior to azapi and azurerm providers as they did not have any issues when this value was set.
It might be good to either address this difference or otherwise clearly document this on the different providers if this is expected.

[ms-henglu]

@mpwaldhorst - You're right. The implementation is different between msgraph and azapi/azurerm providers, I'll improve it to be consistent with other providers. Thanks!