When update_method = "PUT" is set on a msgraph_resource, the provider correctly uses PUT for updates but still uses POST for the initial resource creation. This makes it impossible to manage Microsoft Graph API endpoints that only support PUT (not POST) for creating/upserting resources.
Example:
resource "msgraph_resource" "identity_sync_inbound" {
  provider      = msgraph.target
  update_method = "PUT"
  url           = "policies/crossTenantAccessPolicy/partners/{tenantId}/identitySynchronization"
  body = {
    displayName     = "My Sync"
    userSyncInbound = { isSyncAllowed = true }
  }
}
Actual behavior:
On first terraform apply, the provider sends:
POST https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/{tenantId}/identitySynchronization
→ 405 Method Not Allowed
Expected behavior:
When update_method = "PUT" is set, the provider should also use PUT for resource creation (since PUT is idempotent and serves as both create and update for this endpoint). Alternatively, a separate create_method attribute should be supported.
Additional context:
A second related bug: POST /policies/crossTenantAccessPolicy/partners returns tenantId as the resource identifier instead of an id field. The provider fails with "resource ID is empty" because it only looks for id in the response body. An id_field or id_path attribute would allow users to specify which response field to use as the resource ID.
Workaround:
Use a null_resource with an az rest provisioner, specifying the correct HTTP method directly.
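The workaround above written out, as an added example that is not code from this report or from the provider project. It assumes a POSIX shell, an Azure CLI session already logged in to the target tenant, and a hypothetical variable named partner_tenant_id for the {tenantId} segment.

```hcl
# Added example. Assumed names: var.partner_tenant_id, local.sync_url, local.sync_body.
variable "partner_tenant_id" {
  type        = string
  description = "Partner tenant ID for the {tenantId} URL segment (assumed variable name)."

  # Reject anything that is not GUID-shaped before it reaches the URL.
  validation {
    condition     = can(regex("^[0-9a-fA-F-]{36}$", var.partner_tenant_id))
    error_message = "partner_tenant_id must be a GUID."
  }
}

locals {
  sync_url = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/${var.partner_tenant_id}/identitySynchronization"

  # Same body as the msgraph_resource in the report.
  sync_body = jsonencode({
    displayName     = "My Sync"
    userSyncInbound = { isSyncAllowed = true }
  })
}

resource "null_resource" "identity_sync_inbound" {
  # Re-run the provisioner whenever the target URL or the body changes.
  triggers = {
    url  = local.sync_url
    body = local.sync_body
  }

  provisioner "local-exec" {
    # Values go through the environment instead of being interpolated into
    # the command string, so the shell never parses them as code.
    command = "az rest --method put --url \"$SYNC_URL\" --body \"$SYNC_BODY\""

    environment = {
      SYNC_URL  = local.sync_url
      SYNC_BODY = local.sync_body
    }
  }
}
```

Because the request runs only as a provisioner, Terraform never reads the setting back: changes made to the partner's identitySynchronization policy outside Terraform are not detected, and terraform destroy removes the null_resource from state without touching the policy.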