I am creating a module to automate the creation of Azure AD groups, their assignment to the AWS SSO application, and all the related AWS SSO roles, policies, etc.
When assigning groups to the Azure App "AWS IAM Identity Center (successor to AWS Single Sign-On)", Terraform requires the inclusion of an app_role_id. However, this app doesn't support that. I've validated that by manually assigning groups to the app, and the "select a role" section is greyed out.
Below is my Terraform:

```hcl
data "azuread_client_config" "client_config" {}

# One security group per AWS role name supplied in var.roles
resource "azuread_group" "aad_groups" {
  for_each         = var.roles
  display_name     = format("aws-role-%s", each.key)
  owners           = [data.azuread_client_config.client_config.object_id]
  security_enabled = true
}

# Look up the existing AWS IAM Identity Center enterprise application
data "azuread_application" "aws_sso" {
  display_name = "AWS IAM Identity Center (successor to AWS Single Sign-On)"
}

resource "azuread_service_principal" "aws_sso" {
  application_id               = data.azuread_application.aws_sso.application_id
  app_role_assignment_required = true
  owners                       = [data.azuread_client_config.client_config.object_id]
  lifecycle {
    prevent_destroy = true
  }
}

# Assign each group to the service principal
resource "azuread_app_role_assignment" "group_assignment" {
  for_each            = azuread_group.aad_groups
  app_role_id         = "" # <<< The value that needs to be empty or null
  principal_object_id = azuread_group.aad_groups[each.key].object_id
  resource_object_id  = azuread_service_principal.aws_sso.object_id
  depends_on = [
    azuread_service_principal.aws_sso,
    azuread_group.aad_groups
  ]
}
```
The app_role_id value needs to be excluded. Any ideas on how to go about achieving this?
Disregard. It uses a role of User, but the role has empty values, so it can't be referenced. Within the role I just added a User value, and it works as expected.
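One way to express the resolution above in the module, as an added example rather than the poster's own code: resolve the app role id from the service principal's exported `app_roles` instead of hard-coding an empty string. It assumes, as the poster did, that the app's default "User" role has been given the value `User` in the manifest, and falls back to the all-zero GUID that Entra ID uses for an application's default access role. `azuread_group.aad_groups` and `azuread_service_principal.aws_sso` are the resources from the issue.

```hcl
locals {
  # Entra ID's built-in "default access" app role id, present on every app.
  default_app_role_id = "00000000-0000-0000-0000-000000000000"

  # Ids of enabled roles on the AWS SSO service principal whose value is "User"
  # (normally zero or one entries).
  user_role_ids = [
    for role in azuread_service_principal.aws_sso.app_roles : role.id
    if role.enabled && role.value == "User"
  ]

  # Prefer the explicitly valued "User" role; otherwise use the default role.
  aws_sso_app_role_id = (
    length(local.user_role_ids) > 0
    ? local.user_role_ids[0]
    : local.default_app_role_id
  )
}

# With app_role_assignment_required = true on the service principal, only the
# groups assigned here can sign in to AWS through this app, so this list is the
# effective allow-list for the integration and is worth reviewing in plan output.
resource "azuread_app_role_assignment" "group_assignment" {
  for_each = azuread_group.aad_groups

  app_role_id         = local.aws_sso_app_role_id
  principal_object_id = each.value.object_id
  resource_object_id  = azuread_service_principal.aws_sso.object_id
}

# Surface which role id was resolved so reviewers can confirm it matches the
# role shown in the Enterprise Application blade.
output "aws_sso_app_role_id" {
  value = local.aws_sso_app_role_id
}
```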