Inconsistent behavior when configuring Owners of an Application through ApplicationOwner #865

Closed
michizubi-SRF opened this issue Feb 29, 2024 · 3 comments
Labels
bug/diff: kind/bug related to Pulumi generating wrong diffs on preview or up.
kind/bug: Some behavior is incorrect or out of spec
resolution/by-design: This issue won't be fixed because the functionality is working as designed

@michizubi-SRF

What happened?

We are managing an AAD App Registration via Pulumi to configure things like callback URLs, permissions etc.
When changing for example the callback URL, it can happen that for some reason the owners of the app have a diff even though nothing changed in the code.

The following describes a sample workflow:

  1. Callback URL is changed and pulumi up is run
    update [diff: ~web]
  2. Callback URL is changed again, because of a typo and again pulumi up is run:
    update [diff: ~owners,web]

Even though the owners haven't changed, pulumi sees a diff. If I run the pulumi up now, the owners get deleted from the app, but the ApplicationOwner resources remain but are not "linked" to the app anymore.

The owners can again be added using the following workflow:

  1. Delete ApplicationOwners in code and run pulumi up (ApplicationOwner resources are deleted)
  2. Add ApplicationOwners in code again and run pulumi up (ApplicationOwner resources are created)

Example

Some code snippets:

import pulumi_azuread as azuread

# Application with the current client set as owner inline.
app = azuread.Application(
    appName,
    owners=[currentClient.object_id],
    display_name=appName,
    web=web,
    tags=["monitored"],
    optional_claims=azuread.ApplicationOptionalClaimsArgs(
        access_tokens=access_tokens,
        id_tokens=id_tokens,
        saml2_tokens=saml2_tokens,
    ),
    group_membership_claims=group_claims,
)

# Additional owners attached through separate ApplicationOwner resources.
for owner in self.owners:
    azuread.ApplicationOwner(
        f"{appName}-{owner}",
        application_id=app.id,
        owner_object_id=owner,
    )

Output of pulumi about

CLI
Version 3.107.0
Go Version go1.22.0
Go Compiler gc

Plugins
NAME VERSION
aws 6.22.2
aws-native 0.96.0
azuread 5.47.1
python unknown

Host
OS darwin
Version 14.3.1
Arch x86_64

This project is written in python: executable='/usr/local/bin/python3' version='3.12.2'

Additional context

No response

@michizubi-SRF michizubi-SRF added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Feb 29, 2024
@iwahbe iwahbe added bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. and removed needs-triage Needs attention from the triage team labels Mar 4, 2024
@iwahbe
Member

iwahbe commented Mar 4, 2024

Hi @michizubi-SRF. I'm sorry this is happening to you.

> When changing for example the callback URL, it can happen that for some reason the owners of the app have a diff even though nothing changed in the code.

To clarify, are you saying that owners always changes on the pulumi up after you edit web, or that it sometimes (randomly) changes after you edit web?

@mms-bruno

> Hi @michizubi-SRF. I'm sorry this is happening to you.
>
> > When changing for example the callback URL, it can happen that for some reason the owners of the app have a diff even though nothing changed in the code.
>
> To clarify, are you saying that owners always changes on the pulumi up after you edit web, or that it sometimes (randomly) changes after you edit web?

Hi @iwahbe
I can confirm that this always happens.

@lukehoban lukehoban added the resolution/by-design This issue won't be fixed because the functionality is working as designed label Nov 7, 2024
@lukehoban lukehoban self-assigned this Nov 7, 2024
@lukehoban
Contributor

I believe this is a known part of the design of these resources that they can't be used together, since they manage parts of each other's state. See the note at the top of https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_owner about these resources being incompatible. You can use azuread.ApplicationRegistration instead.

Opened #1504 to track the docs warning not being surfaced correctly in the Pulumi docs.
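
Added example, not part of the comments above and not code from the Pulumi provider: a check over parsed `pulumi stack export` output that lists every azuread.Application that also has azuread.ApplicationOwner resources pointing at it, the combination described in this thread as incompatible. The type tokens, the camelCase `applicationId` input key and the sample state are assumptions made for the example.

```python
# Added example: list azuread.Application resources that also have
# azuread.ApplicationOwner resources pointing at them.
# Assumption: input is the parsed JSON of `pulumi stack export`, with the
# type tokens and camelCase input keys shown below.
APP_TYPE = "azuread:index/application:Application"
OWNER_TYPE = "azuread:index/applicationOwner:ApplicationOwner"


def find_owner_conflicts(stack_export):
    """Return {Application URN: [ApplicationOwner URNs]} for conflicting pairs."""
    resources = stack_export.get("deployment", {}).get("resources", [])
    # Provider ID ("/applications/<object id>") -> URN, for Application only.
    apps = {r["id"]: r["urn"] for r in resources
            if r.get("type") == APP_TYPE and r.get("id")}
    conflicts = {}
    for r in resources:
        if r.get("type") != OWNER_TYPE:
            continue
        target = r.get("inputs", {}).get("applicationId")
        if target in apps:
            conflicts.setdefault(apps[target], []).append(r["urn"])
    return conflicts


def _res(kind, token, name, rid, inputs):
    """Build one constructed state entry."""
    return {"urn": f"urn:pulumi:dev::demo::azuread:index/{token}:{kind}::{name}",
            "type": f"azuread:index/{token}:{kind}", "id": rid, "inputs": inputs}


# Constructed sample state; IDs and names are placeholders, not from the issue.
SAMPLE_EXPORT = {"version": 3, "deployment": {"resources": [
    _res("Application", "application", "app-a", "/applications/aaaa",
         {"displayName": "app-a", "owners": ["1111"]}),
    _res("ApplicationOwner", "applicationOwner", "app-a-2222",
         "/applications/aaaa/owners/2222",
         {"applicationId": "/applications/aaaa", "ownerObjectId": "2222"}),
    _res("ApplicationRegistration", "applicationRegistration", "app-b",
         "/applications/bbbb", {"displayName": "app-b"}),
    _res("ApplicationOwner", "applicationOwner", "app-b-3333",
         "/applications/bbbb/owners/3333",
         {"applicationId": "/applications/bbbb", "ownerObjectId": "3333"}),
]}}

if __name__ == "__main__":
    for app_urn, owner_urns in find_owner_conflicts(SAMPLE_EXPORT).items():
        print(app_urn, "is also managed by", owner_urns)
```

Only `app-a` is reported; the ApplicationOwner attached to the ApplicationRegistration `app-b` is the supported pairing and is left alone.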
