resource "azurerm_resource_group" "resource_group" {
  name     = "test-managed-identity"
  location = "West Europe"
}

resource "azurerm_service_plan" "app_service_plan" {
  name                     = "test-managed-identity-asp"
  resource_group_name      = azurerm_resource_group.resource_group.name
  location                 = azurerm_resource_group.resource_group.location
  os_type                  = "Linux"
  sku_name                 = "B1"
  worker_count             = "1"
  per_site_scaling_enabled = false
}

resource "azurerm_linux_web_app" "linux_web_app" {
  name                = "test-managed-identity-webapp"
  resource_group_name = azurerm_resource_group.resource_group.name
  location            = azurerm_service_plan.app_service_plan.location
  service_plan_id     = azurerm_service_plan.app_service_plan.id
  https_only          = true

  identity {
    type = "SystemAssigned"
  }

  site_config {
    ftps_state          = "FtpsOnly"
    minimum_tls_version = "1.2"
  }
}

resource "azuread_group_member" "group_member" {
  group_object_id  = "some existing group object id where the service principal performing the operation is an owner"
  member_object_id = azurerm_linux_web_app.linux_web_app.identity.0.principal_id
}
Debug Output
Issue is easy to reproduce. Nothing interesting to see in the logs. I will only paste small output here...
azuread_group_member.group_member: Destroying... [id=/member/]
╷
│ Error: Waiting for removal of member "" from group with object ID ""
│
│ retrieving resource: GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
╵
Error occurred while executing scripts!
Press any key to continue . . .
Expected Behavior
When the "azuread_group_member" resource is removed from the configuration, the actual group member should be removed from the group without throwing any errors.
Actual Behavior
Terraform is throwing an error (see above) about "Insufficient privileges...". The group member is still being removed which indicates that the permissions are right but Terraform is somehow misbehaving.
Steps to Reproduce
Create a group where the service principal used for deployments is an owner
Add Application.Read.All permissions to your service principal to be able to read managed identities from Entra ID
Copy the configuration above and adapt it to your setup (e.g. add group object id...)
Run terraform apply
Important Factoids
Please note that according to the Terraform docs no additional API permission should be required for using "azuread_group_member" if the service principal used for deployment is an owner of the group in question (https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member#api-permissions).
This is at least not correct if the members that should be added to the group are managed identities.
In this case "Application.Read.All" API permission is required.
References
Similar issue but with adding group members. Perhaps "Application.Read.All" API permission is missing here... #1202
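A pre-flight check for the two permissions this report hinges on (group ownership for membership changes, Application.Read.All for reading managed-identity members back). This is an added example, not code from the issue or the azuread provider; it works on decoded Microsoft Graph JSON that the caller fetches, and every id in the sample data is a constructed placeholder.

```python
"""Added example, not code from the issue or the azuread provider: a pre-flight
check for the permissions the report hinges on.  Group ownership lets the
deployment service principal add/remove members, but the provider's read-back of
a managed-identity member also needs the Application.Read.All Graph permission.
HTTP calls are omitted; callers pass decoded JSON from GET /groups/{id}/owners,
GET /servicePrincipals/{id}/appRoleAssignments and GET /servicePrincipals/{graphSpId}
(whose appRoles list maps role ids to names).  All ids below are constructed."""
from dataclasses import dataclass, field

REQUIRED_GRAPH_PERMISSION = "Application.Read.All"

@dataclass
class PreflightResult:
    is_group_owner: bool
    has_application_read_all: bool
    findings: list = field(default_factory=list)  # empty when the principal is ready

def check_deployment_principal(sp_object_id, group_owners, app_role_assignments, graph_sp):
    """Evaluate the three Graph responses for the deployment service principal."""
    is_owner = any(o.get("id") == sp_object_id for o in group_owners.get("value", []))
    # appRoleAssignments only carry role ids; Graph's own appRoles list names them.
    role_names = {r["id"]: r["value"] for r in graph_sp.get("appRoles", [])}
    granted = {role_names.get(a.get("appRoleId"))
               for a in app_role_assignments.get("value", [])
               if a.get("resourceId") == graph_sp["id"]}
    has_read = REQUIRED_GRAPH_PERMISSION in granted
    findings = []
    if not is_owner:
        findings.append("not a group owner: membership changes will be denied")
    if not has_read:
        findings.append(f"{REQUIRED_GRAPH_PERMISSION} missing: reading a managed-identity "
                        "member back will fail with 403 Authorization_RequestDenied")
    return PreflightResult(is_owner, has_read, findings)

# Constructed sample data shaped like the Graph responses named above.
SP_ID = "11111111-1111-1111-1111-111111111111"  # deployment service principal (constructed)
GRAPH_SP = {"id": "22222222-2222-2222-2222-222222222222",  # Graph service principal (constructed)
            "appRoles": [{"id": "role-app-read", "value": "Application.Read.All"},
                         {"id": "role-group-read", "value": "Group.Read.All"}]}
OWNERS = {"value": [{"id": SP_ID}]}
ASSIGNMENTS_OWNER_ONLY = {"value": [{"appRoleId": "role-group-read", "resourceId": GRAPH_SP["id"]}]}
ASSIGNMENTS_WITH_READ = {"value": ASSIGNMENTS_OWNER_ONLY["value"]
                         + [{"appRoleId": "role-app-read", "resourceId": GRAPH_SP["id"]}]}

if __name__ == "__main__":
    for label, assignments in (("owner only", ASSIGNMENTS_OWNER_ONLY), ("owner + read", ASSIGNMENTS_WITH_READ)):
        result = check_deployment_principal(SP_ID, OWNERS, assignments, GRAPH_SP)
        print(label, "->", result.findings or "ready")
```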
We get the same problem trying to remove a group member, even though the user performing the operation is a group owner. We are using Pulumi, but that uses the Terraform AD provider under the hood.
Terraform (and AzureAD Provider) Version
Terraform v1.3.10
on windows_amd64