fix: reference msgraph application using data object

The terraform plan during upgrade to the latest meshplatform module version
can be confusing because it appears to try and deploy a new service principal,
when in fact the expected outcome is that it reads data about an existing one.

It's listed using the "resource" way on the official example for
> Manage a service principal for a first-party Microsoft application
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal

Unless the provider behaves totally unexpected, "data" block seems to be much
safer

Author: JohannesRudolph

modules/meshcloud-idp-lookup-service-principal/module.tf

@@ -14,9 +14,8 @@ terraform {
 
 data "azuread_application_published_app_ids" "well_known" {}
 
-resource "azuread_service_principal" "msgraph" {
+data "azuread_service_principal" "msgraph" {
   application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
-  use_existing   = true
 }
 
 resource "azuread_application" "meshcloud_idp_lookup" {
@@ -33,7 +32,7 @@ resource "azuread_application" "meshcloud_idp_lookup" {
     # We only require this User.Read.All permission to see all of the Users in the AAD https://docs.microsoft.com/en-us/graph/permissions-reference#microsoft-graph-permission-names
     # Since this is a role (and not a scope) permission, you also have to enable admin consent in azure portal
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
+      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
       type = "Role"
     }
 
@@ -55,9 +54,9 @@ resource "azuread_service_principal" "meshcloud_idp_lookup" {
 }
 
 resource "azuread_app_role_assignment" "meshcloud_idp_lookup" {
-  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
   principal_object_id = azuread_service_principal.meshcloud_idp_lookup.object_id
-  resource_object_id  = azuread_service_principal.msgraph.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
 }
 
 resource "azuread_service_principal_password" "service_principal_pw" {

modules/meshcloud-replicator-service-principal/module.tf

@@ -55,9 +55,8 @@ resource "azurerm_role_definition" "meshcloud_replicator" {
 
 data "azuread_application_published_app_ids" "well_known" {}
 
-resource "azuread_service_principal" "msgraph" {
+data "azuread_service_principal" "msgraph" {
   application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
-  use_existing   = true
 }
 
 resource "azuread_application" "meshcloud_replicator" {
@@ -72,17 +71,17 @@ resource "azuread_application" "meshcloud_replicator" {
     resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
+      id   = data.azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
       type = "Role"
     }
 
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
+      id   = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
       type = "Role"
     }
 
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["User.Invite.All"]
+      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Invite.All"]
       type = "Role"
     }
   }
@@ -130,21 +129,21 @@ resource "azurerm_role_assignment" "meshcloud_replicator" {
 }
 
 resource "azuread_app_role_assignment" "meshcloud_replicator-directory" {
-  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
   principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
-  resource_object_id  = azuread_service_principal.msgraph.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
 }
 
 resource "azuread_app_role_assignment" "meshcloud_replicator-group" {
-  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
   principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
-  resource_object_id  = azuread_service_principal.msgraph.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
 }
 
 resource "azuread_app_role_assignment" "meshcloud_replicator-user" {
-  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Invite.All"]
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["User.Invite.All"]
   principal_object_id = azuread_service_principal.meshcloud_replicator.object_id
-  resource_object_id  = azuread_service_principal.msgraph.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
 }
 
 resource "azuread_service_principal_password" "service_principal_pw" {

modules/meshcloud-sso/module.tf

@@ -14,9 +14,8 @@ terraform {
 
 data "azuread_application_published_app_ids" "well_known" {}
 
-resource "azuread_service_principal" "msgraph" {
+data "azuread_service_principal" "msgraph" {
   application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
-  use_existing   = true
 }
 
 resource "azuread_application" "meshcloud_sso" {
@@ -26,7 +25,7 @@ resource "azuread_application" "meshcloud_sso" {
     resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 
     resource_access {
-      id   = azuread_service_principal.msgraph.app_role_ids["User.Read"]
+      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Read"]
       type = "Scope"
     }
   }