Azuread_application with required_resource_access throws a 400 error

I’m trying to create an azuread_application with application permissions over the Graph API. I’m doing it just as it says in the documentation:

resource "azuread_application" "sp_app" {
  provider = azuread.myprovider

  name                       = "myapplicationname"
  available_to_other_tenants = true
  type                       = "native"
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
      type = "Role" # application permission (held by the app itself, not delegated through a signed-in user)
    }
  }
}

And I’m getting the following error:

graphrbac.ApplicationsClient#Patch: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Request_BadRequest","date":"2020-01-13T17:10:00","message":{"lang":"en","value":"Property requiredResourceAccess.resourceAccess is invalid."},"requestId":"84401250-b2dc-4c6c-baa9-910ac1546158","values":[{"item":"PropertyName","value":"requiredResourceAccess.resourceAccess"},{"item":"PropertyErrorCode","value":"GenericError"}]}}]

I thought it was a permissions issue, since I’m logging in with a Service Principal, but it has the permissions specified in the documentation as well:

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write owned by applications and Sign in and read user profile within the Windows Azure Active Directory API.

Any ideas why it’s not working?

Thanks!

UPDATE:

I was able to make it work by using a webapp/api application instead of native.

I also obtained some TRACE level logs, and it looks like the problem comes when, after creating the app with the permissions, there’s a PATCH request to make the app public:

PATCH /my-tenant-id/applications/my-application-id?api-version=1.6 HTTP/1.1

[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Host: graph.windows.net
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: User-Agent: Go/go1.12.6 (amd64-linux) go-autorest/v13.0.2 Azure-SDK-For-Go/v35.0.0 graphrbac/1.6 HashiCorp Terraform/0.12.18 (https://www.terraform.io) Terraform Plugin SDK/1.0.0 terraform-provider-azuread/0.7.0 
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Content-Length: 41
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Content-Type: application/json; charset=utf-8
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Accept-Encoding: gzip
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4:
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: {
    "identifierUris": [],
    "publicClient": true
}
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: 
[DEBUG] AzureAD Response for https://graph.windows.net/my-tenant-id/applications/my-application-id?api-version=1.6: 
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: HTTP/1.1 400 Bad Request
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Content-Length: 353
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Access-Control-Allow-Origin: *
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Cache-Control: no-cache
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Client-Request-Id: my-request-id
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Content-Type: application/json; odata=minimalmetadata; streaming=true; charset=utf-8
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Dataserviceversion: 3.0;
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Duration: 579812
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Expires: -1
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Ocp-Aad-Diagnostics-Server-Name: my-server-name
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Ocp-Aad-Session-Key: my-session-key
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Pragma: no-cache
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Request-Id: my-request-id
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: Strict-Transport-Security: max-age=31536000; includeSubDomains
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: X-Aspnet-Version: 4.0.30319
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: X-Ms-Dirapi-Data-Contract-Version: 1.6
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: X-Powered-By: ASP.NET
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: 
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: {
    "odata.error": {
        "code": "Request_BadRequest",
        "message": {
            "lang": "en",
            "value": "Property requiredResourceAccess.resourceAccess is invalid."
        },
        "requestId": "my-request-id",
        "date": "my-date",
        "values": [
            {
                "item": "PropertyName",
                "value": "requiredResourceAccess.resourceAccess"
            },
            {
                "item": "PropertyErrorCode",
                "value": "GenericError"
            }
        ]
    }
}
[DEBUG] azuread_application.sp_app_new: apply errored, but we're indicating that via the Error pointer rather than returning it: graphrbac.ApplicationsClient#Patch: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="Unknown" Message="Unknown service error" Details=[
    {
        "odata.error": {
            "code": "Request_BadRequest",
            "date": "2020-01-15T12:05:41",
            "message": {
                "lang": "en",
                "value": "Property requiredResourceAccess.resourceAccess is invalid."
            },
            "requestId": "my-request-id",
            "values": [
                {
                    "item": "PropertyName",
                    "value": "requiredResourceAccess.resourceAccess"
                },
                {
                    "item": "PropertyErrorCode",
                    "value": "GenericError"
                }
            ]
        }
    }
]
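One way to triage a provider log like the one above, as an added example that is not part of the question: a small Python script that pairs each request in the DEBUG output with its response and reports the ones that failed, together with the request body that triggered the error and the property the AAD Graph error names. The sample log is constructed from the excerpt above, and the prefix pattern assumes the `[DEBUG] plugin.terraform-provider-azuread...:` format shown there.

```python
import json, re

# Constructed sample modelled on the TRACE log quoted in the question (same prefix and body layout).
SAMPLE_LOG = """PATCH /my-tenant-id/applications/my-application-id?api-version=1.6 HTTP/1.1
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4:
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: {"identifierUris": [], "publicClient": true}
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: HTTP/1.1 400 Bad Request
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4:
[DEBUG] plugin.terraform-provider-azuread_v0.7.0_x4: {
    "odata.error": {"code": "Request_BadRequest",
        "message": {"lang": "en", "value": "Property requiredResourceAccess.resourceAccess is invalid."},
        "values": [{"item": "PropertyName", "value": "requiredResourceAccess.resourceAccess"}]}
}
"""

PREFIX = re.compile(r"^\[DEBUG\] plugin\.terraform-provider-azuread[^:]*: ?")  # JSON body lines carry no prefix
REQUEST = re.compile(r"^(GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/1\.1$")
STATUS = re.compile(r"^HTTP/1\.1 (\d{3}) ")

def _read_json(lines, i):  # collect lines from i until the braces balance; return (object, last index used)
    depth, buf = 0, []
    while True:
        buf.append(lines[i])
        depth += lines[i].count("{") - lines[i].count("}")
        if depth == 0:
            return json.loads("\n".join(buf)), i
        i += 1

def failed_requests(log_text):
    """Pair each request with its response; return those answered with a 4xx/5xx status."""
    lines = [PREFIX.sub("", ln).rstrip() for ln in log_text.splitlines()]
    results, cur, i = [], None, 0
    while i < len(lines):
        if m := REQUEST.match(lines[i]):
            cur = {"method": m.group(1), "path": m.group(2), "body": None, "status": None}
        elif cur and (m := STATUS.match(lines[i])):
            cur["status"] = int(m.group(1))
        elif cur and lines[i].startswith("{"):
            obj, i = _read_json(lines, i)
            if cur["status"] is None:            # no status seen yet, so this is the request body
                cur["body"] = obj
            else:                                # response body: pull out the AAD Graph error details
                err = obj.get("odata.error", {})
                cur["error"] = err.get("message", {}).get("value")
                cur["property"] = next((v["value"] for v in err.get("values", [])
                                        if v.get("item") == "PropertyName"), None)
                if cur["status"] >= 400:
                    results.append(cur)
                cur = None
        i += 1
    return results
```

Run against the sample, it isolates the `publicClient: true` PATCH as the failing call, which is the step the update above identifies.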