azuread_group_member - group as a member in a group

[kaplik]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

• azuread_group_member

Terraform Configuration Files

terraform {
  required_version = ">= 1.8.0"
  
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 3.0.1"
    }

  }
}

provider "azuread" {
  tenant_id = "xxxxxx"
}

data "azuread_group" "this" {
  display_name     = "asd"
  security_enabled = true
}

resource "azuread_group_member" "this" {
  group_object_id  = "UUID" # existing group object id
  member_object_id = data.azuread_group.this.id
}

Debug Output

Panic Output

data.azuread_group.this: Reading...
data.azuread_group.this: Read complete after 1s [id=/groups/UUID]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: expected "member_object_id" to be a valid UUID, got /groups/UUID
│ 
│   with azuread_group_member.this,
│   on main.tf line 16, in resource "azuread_group_member" "this":
│   16:   member_object_id = data.azuread_group.this.id
│ 
╵

Expected Behavior

worked before version 3

Actual Behavior

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[anwarnk]

We are also experiencing this issue!

[juicybaba]

data.azuread_group.this.object_id can be a quick workaround , a number of resources return id in resource_type/UUID now, can either be a bug or expected behavior in 3.*.

[kaplik]

@juicybaba yes, thanks, that works but as there is nothing in the migration guide related to this change, i went with reporting it as a bug.

[manicminer]

Hi @kaplik, @juicybaba is correct, object_id is the correct attribute to use here. You are correct, this is missing from the upgrade guide - sorry for that omission, I’ll look to add this.

As a guide, where a property ends with *_object_id, you should use the object_id attribute of the corresponding resource. This was a bit inconsistent in 2.x versions but we’ve tried to tidy this up in 3.0

[mloskot]

@manicminer

As a guide, where a property ends with *_object_id, you should use the object_id attribute of the corresponding resource. This was a bit inconsistent in 2.x versions but we’ve tried to tidy this up in 3.0

How about the principal_id issue as in below?

-/+ resource "azurerm_role_assignment" "avd_customer_as_application_group_user" {
      ~ principal_id                           = "0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" -> "/groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" # forces replacement
...

│ Error: expected "group_object_id" to be a valid UUID, got /groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f
│
│   with module.stack_platform.azuread_group_member.avd_customer["90239023-9023-9023-9023-902390239023"],
│   on ../../../../modules/mloskot/azure/stack-platform/r-avd-users.tf line 78, in resource "azuread_group_member" "avd_customer":
│   78:   group_object_id  = azuread_group.avd_customer[each.value.ucid].id

which I posted also to

• azuread_group command in azurerm return different value for ID field terraform-provider-azurerm#27536 (comment)

[jhaikonen]

 group_object_id  = azuread_group.avd_customer[each.value.ucid].id

doesn't that still have the azuread_group_example.id in the error you have.
switch that to azuread_group.avd_customer[each.value.ucid].object_id

[mloskot]

doesn't that still have the azuread_group_example.id in the error you have.
switch that to azuread_group.avd_customer[each.value.ucid].object_id

That is clear to me, as @manicminer already explained that in #1500 (comment), but my question in #1500 (comment) was about principal_id

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request:
StatusCode=400 -- Original Error: autorest/azure: Service returned an error.
Status=400 Code="InvalidPrincipalId"
Message="The Principal ID '/groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f' is not valid. Principal ID must be a GUID."
│
│   with module.stack_platform.azurerm_role_assignment.avd_customer_as_application_group_user["90239023-9023-9023-9023-902390239023"],
│   on ../../../../modules/mloskot/azure/stack-platform/r-avd-applications.tf line 57, in resource "azurerm_role_assignment" "avd_customer_as_application_group_user":
│   57: resource "azurerm_role_assignment" "avd_customer_as_application_group_user" {

Well, I should have referred the source indeed

[manicminer]

How about the principal_id issue as in below?

-/+ resource "azurerm_role_assignment" "avd_customer_as_application_group_user" {
      ~ principal_id                           = "0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" -> "/groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" # forces replacement

@mloskot Admittedly that one is less clear, as that resource is in the AzureRM provider, it unfortunately hasn't yet been updated. But you should use the object_id attribute there:

resource "azurerm_role_assignment" "example" {
  principal_id = azuread_service_principal.example.object_id
}