azuread_access_package_assignment_policy runs into 409 (409 Conflict) with error: DuplicateKey: There is already a duplicated entity #1864

@cveld

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

tf version
Terraform v1.14.7
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v3.8.0
  • provider registry.terraform.io/hashicorp/azurerm v4.69.0

Affected Resource(s)

  • azuread_access_package_assignment_policy

Terraform Configuration Files

resource "azuread_access_package_assignment_policy" "this" {
  for_each = var.access_packages

  access_package_id = azuread_access_package.this[each.key].id
  display_name      = coalesce(try(each.value.assignment_policy_display_name, null), "${each.value.display_name} Assignment Policy")
  description       = coalesce(try(each.value.assignment_policy_description, null), coalesce(try(each.value.description, null), ""))
  duration_in_days  = try(each.value.duration_in_days, null)
  extension_enabled = try(each.value.extension_enabled, false)

  lifecycle {
    precondition {
      condition     = !try(each.value.approval_required, false) || try(each.value.approval_stage, null) != null
      error_message = "Access package ${each.key} requires at least one approval_stage when approval_required is true."
    }
  }

  requestor_settings {
    requests_accepted = try(each.value.requests_accepted, true)
    scope_type        = coalesce(try(each.value.scope_type, null), "AllExistingDirectoryMemberUsers")

    dynamic "requestor" {
      for_each = try(each.value.requestor_subjects, {})
      content {
        subject_type = requestor.value.subject_type
        object_id    = try(requestor.value.object_id, null)
      }
    }
  }

  approval_settings {
    approval_required                = try(each.value.approval_required, false)
    approval_required_for_extension  = try(each.value.approval_required_for_extension, false)
    requestor_justification_required = try(each.value.requestor_justification_required, false)

    dynamic "approval_stage" {
      for_each = try(each.value.approval_stage, null) == null ? [] : [each.value.approval_stage]
      content {
        approval_timeout_in_days        = try(approval_stage.value.approval_timeout_in_days, 14)
        approver_justification_required = try(approval_stage.value.approver_justification_required, true)
        alternative_approval_enabled    = try(approval_stage.value.alternative_approval_enabled, false)

        dynamic "primary_approver" {
          for_each = try(approval_stage.value.primary_approvers, [])
          content {
            subject_type = coalesce(try(primary_approver.value.subject_type, null), "groupMembers")
            object_id = coalesce(
              try(primary_approver.value.object_id, null),
              try(azuread_group.this[coalesce(try(primary_approver.value.group_key, null), try(primary_approver.value.key, null), "")].object_id, null),
              try(azuread_group_without_members.this[coalesce(try(primary_approver.value.group_key, null), try(primary_approver.value.key, null), "")].object_id, null),
              try(data.azuread_group.this[coalesce(try(primary_approver.value.group_key, null), try(primary_approver.value.key, null), "")].object_id, null),
              try(var.external_groups[coalesce(try(primary_approver.value.group_key, null), try(primary_approver.value.key, null), "")], null)
            )
          }
        }
      }
    }
  }

  dynamic "assignment_review_settings" {
    for_each = try(each.value.assignment_review_settings, null) == null ? [] : [each.value.assignment_review_settings]
    content {
      enabled                        = assignment_review_settings.value.enabled
      review_frequency               = assignment_review_settings.value.review_frequency
      duration_in_days               = assignment_review_settings.value.duration_in_days
      review_type                    = assignment_review_settings.value.review_type
      access_review_timeout_behavior = assignment_review_settings.value.access_review_timeout_behavior

      dynamic "reviewer" {
        for_each = try(assignment_review_settings.value.reviewers, [])
        content {
          subject_type = coalesce(try(reviewer.value.subject_type, null), "groupMembers")
          object_id = coalesce(
            try(reviewer.value.object_id, null),
            try(azuread_group.this[coalesce(try(reviewer.value.group_key, null), try(reviewer.value.key, null), "")].object_id, null),
            try(azuread_group_without_members.this[coalesce(try(reviewer.value.group_key, null), try(reviewer.value.key, null), "")].object_id, null),
            try(data.azuread_group.this[coalesce(try(reviewer.value.group_key, null), try(reviewer.value.key, null), "")].object_id, null),
            try(var.external_groups[coalesce(try(reviewer.value.group_key, null), try(reviewer.value.key, null), "")], null)
          )
        }
      }
    }
  }
}

Debug Output

Panic Output

Expected Behavior

All azuread_access_package_assignment_policy resources should run without errors.

Actual Behavior

One azuread_access_package_assignment_policy failed with the error 409 (409 Conflict) with error: DuplicateKey: There is already a duplicated entity.

On the next plan run it was just consumed, and the plan did not include this failed resource.

Steps to Reproduce

  1. terraform apply

Important Factoids

References
