
oci_identity_domains_app - unable to set granted_app_roles #2095

Open
mhinds-alithya opened this issue Apr 16, 2024 · 1 comment
@mhinds-alithya

Hello. I am trying to deploy a confidential app via Terraform using the oci_identity_domains_app resource (oracle/oci v5.36.0), and I've figured out everything except the granted_app_roles. According to the documentation, granted_app_roles is optional and updatable, but when I set it in my Terraform, I get the following:

│ Error: Value for unconfigurable attribute
│ 
│   with oci_identity_domains_app.confidential_app,
│   on confidential-app.tf line 13, in resource "oci_identity_domains_app" "confidential_app":
│   13: resource "oci_identity_domains_app" "confidential_app" {
│ 
│ Can't configure a value for "granted_app_roles": its value will be decided automatically based on the result of applying this configuration.

Here is my Terraform code. The granted_app_roles is currently hardcoded while I troubleshoot:

resource "oci_identity_domains_app" "confidential_app" {
  display_name  = "${var.confidential_app_display_name}-${var.stack}-confidential-app"
  idcs_endpoint = var.idcs_endpoint
  schemas       = ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
  based_on_template {
    value = "CustomWebAppTemplateId"
  }
  client_type = var.confidential_app_client_type
  redirect_uris = var.confidential_app_redirect_uris
  post_logout_redirect_uris = var.confidential_app_post_logout_redirect_uris
  active = var.confidential_app_active
  allowed_grants = var.confidential_app_allowed_grants
  is_oauth_client = var.confidential_app_is_oauth_client
  granted_app_roles {
    admin_role = true
    app_id = "IDCSAppId"
    app_name = "IDCSApp"
    display = "Identity Domain Administrator"
    legacy_group_name = ""
    read_only = false
    ref = "https://idcs-<redacted>.identity.oraclecloud.com:443/admin/v1/AppRoles/<redacted>"
    type = "direct"
    value = "<redacted>"
  }
}

If I comment out granted_app_roles, the app deploys successfully. I can then manually add the app role, and if I run another plan, it notes the change made outside Terraform:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # oci_identity_domains_app.confidential_app has changed
  ~ resource "oci_identity_domains_app" "confidential_app" {
      ~ granted_app_roles         = [
          + {
              + admin_role        = true
              + app_id            = "IDCSAppId"
              + app_name          = "IDCSApp"
              + display           = "Identity Domain Administrator"
              + legacy_group_name = ""
              + read_only         = false
              + ref               = "https://idcs-<redacted>.identity.oraclecloud.com:443/admin/v1/AppRoles/<redacted>"
              + type              = "direct"
              + value             = "<redacted>"
            },
        ]
        id                        = "<redacted>"
      ~ meta                      = [
          ~ {
              ~ last_modified = "2024-04-16T22:55:33.812Z" -> "2024-04-16T22:58:18.867Z"
              ~ version       = "<redacted>" -> "<redacted>"
                # (3 unchanged attributes hidden)
            },
        ]
        name                      = "<redacted>"
        # (46 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these
changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Changes to Outputs:
  ~ app = {
      ~ granted_app_roles                                                              = [
          + {
              + admin_role        = true
              + app_id            = "IDCSAppId"
              + app_name          = "IDCSApp"
              + display           = "Identity Domain Administrator"
              + legacy_group_name = ""
              + read_only         = false
              + ref               = "https://idcs-<redacted>.identity.oraclecloud.com:443/admin/v1/AppRoles/<redacted>"
              + type              = "direct"
              + value             = "<redacted>"
            },
        ]
        id                                                                             = "<redacted>"
      ~ meta                                                                           = [
          ~ {
              ~ last_modified = "2024-04-16T22:55:33.812Z" -> "2024-04-16T22:58:18.867Z"
              ~ version       = "<redacted>" -> "<redacted>"
                # (3 unchanged attributes hidden)
            },
        ]
        name                                                                           = "<redacted>"
        tags                                                                           = []
        # (118 unchanged attributes hidden)
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Please let me know if there is something I can do to allow granted_app_roles to work.
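Because the provider treats granted_app_roles as a computed attribute, a grant such as the Identity Domain Administrator role lands in state without ever being declared in code, so it is worth auditing state for it. The following added example (not from the issue or the oracle/oci provider) scans `terraform show -json` output for identity domain apps holding admin app roles; the state layout follows Terraform's JSON state format, and the sample state is constructed.

```python
"""Audit `terraform show -json` output for oci_identity_domains_app
resources whose granted_app_roles include an admin role.

Added example, not part of the issue or the oracle/oci provider. The
layout values.root_module.resources[].values.granted_app_roles follows
Terraform's JSON state format; the sample state below is constructed.
"""
import json

# Constructed sample state: one app with an admin role grant, one without.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "oci_identity_domains_app.confidential_app",
         "type": "oci_identity_domains_app",
         "values": {"display_name": "demo-prod-confidential-app",
                    "granted_app_roles": [
                        {"admin_role": True, "app_id": "IDCSAppId",
                         "display": "Identity Domain Administrator",
                         "read_only": False, "type": "direct",
                         "value": "ROLE-ID-PLACEHOLDER"}]}},
        {"address": "oci_identity_domains_app.reporting_app",
         "type": "oci_identity_domains_app",
         "values": {"display_name": "demo-prod-reporting-app",
                    "granted_app_roles": []}},
    ]}},
})


def iter_resources(module):
    """Yield every resource in a module and its nested child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_admin_app_role_grants(state_text):
    """Return (resource address, role display) for every identity domain
    app whose granted_app_roles carry admin_role. The provider computes
    these grants, so they never appear in configuration and need review."""
    state = json.loads(state_text)
    root = state.get("values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "oci_identity_domains_app":
            continue
        for role in res.get("values", {}).get("granted_app_roles") or []:
            if role.get("admin_role"):
                findings.append((res["address"], role.get("display", "")))
    return findings


if __name__ == "__main__":
    for address, role in find_admin_app_role_grants(SAMPLE_STATE):
        print(f"{address}: admin app role '{role}'")
```

Run it against real output with `terraform show -json | python audit_app_roles.py` after replacing SAMPLE_STATE with `sys.stdin.read()`.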

@crackingbananas

I'm encountering this issue too. Please fix as we need to be able to manage app roles with Terraform.
