Conditional resource argument

I’m looking to create a module that will create an Azure AD application and optionally create one or more API permissions. So far I have:

```hcl
data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

data "azuread_service_principal" "SharePoint" {
  client_id = data.azuread_application_published_app_ids.well_known.result["Office365SharePointOnline"]
}

resource "azuread_application" "appr-edp-uksouth" {
  display_name            = var.app_reg_name
  owners                  = var.app_reg_owners
  prevent_duplicate_names = true
  logo_image              = filebase64("./favicon.png")
  description             = var.app_reg_description
}

resource "azuread_application_api_access" "sharepoint_permissions" {
  application_id = azuread_application.appr-edp-uksouth.id
  api_client_id  = data.azuread_service_principal.SharePoint.id

  role_ids  = var.sharepoint_application_permissions != null ? [for v in var.sharepoint_application_permissions : data.azuread_service_principal.SharePoint.app_role_ids[v]] : [""]
  scope_ids = var.sharepoint_delegated_permissions != null ? [for v in var.sharepoint_delegated_permissions : data.azuread_service_principal.SharePoint.oauth2_permission_scope_ids[v]] : [""]
}
```

This works as long as there is one or more in both `var.sharepoint_application_permissions` and `var.sharepoint_delegated_permissions`. However, not all of the applications created by this module will have both ‘application’ and ‘delegated’ permissions. How can I only run the `role_ids` and `scope_ids` arguments if they are not blank?

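One way to leave `role_ids` and `scope_ids` unset when nothing is requested, as an added example that is not part of the original post: Terraform treats an argument set to `null` as omitted, so the application is granted only the permissions actually listed. The variable declarations, the `locals` names and the `count` guard are assumptions of this example (the guard assumes the provider wants at least one of the two arguments set); the data sources and the `azuread_application` resource are the ones from the post.

```hcl
# Assumption: both inputs are non-nullable lists that default to empty,
# so "no permissions of this kind" is [] rather than null.
variable "sharepoint_application_permissions" {
  type     = list(string)
  default  = []
  nullable = false
}

variable "sharepoint_delegated_permissions" {
  type     = list(string)
  default  = []
  nullable = false
}

locals {
  # Map each requested permission name to its ID. An unknown name fails the
  # plan with an invalid-index error, so a typo never resolves to another permission.
  sharepoint_role_ids = [
    for v in var.sharepoint_application_permissions :
    data.azuread_service_principal.SharePoint.app_role_ids[v]
  ]
  sharepoint_scope_ids = [
    for v in var.sharepoint_delegated_permissions :
    data.azuread_service_principal.SharePoint.oauth2_permission_scope_ids[v]
  ]
}

resource "azuread_application_api_access" "sharepoint_permissions" {
  # Create the resource only when at least one permission is requested.
  count = length(local.sharepoint_role_ids) + length(local.sharepoint_scope_ids) > 0 ? 1 : 0

  application_id = azuread_application.appr-edp-uksouth.id
  # Client ID taken straight from the published-app lookup used in the post.
  api_client_id = data.azuread_application_published_app_ids.well_known.result["Office365SharePointOnline"]

  # null means "argument not set": no placeholder ID such as "" is ever sent.
  role_ids  = length(local.sharepoint_role_ids) > 0 ? local.sharepoint_role_ids : null
  scope_ids = length(local.sharepoint_scope_ids) > 0 ? local.sharepoint_scope_ids : null
}
```

`nullable = false` needs Terraform 1.1 or later; on older versions keep the `!= null` test from the post and return `null` instead of `[""]`.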