
Unable to create basic groups #1580

Open
pgerhard opened this issue Dec 3, 2024 · 3 comments · May be fixed by #1593

Comments


pgerhard commented Dec 3, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

2024-12-03T20:53:07.856+0100 [INFO]  Terraform version: 1.9.8
2024-12-03T20:53:07.862+0100 [DEBUG] using github.com/hashicorp/go-tfe v1.58.0
2024-12-03T20:53:07.862+0100 [DEBUG] using github.com/hashicorp/hcl/v2 v2.20.0
2024-12-03T20:53:07.862+0100 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2024-12-03T20:53:07.862+0100 [DEBUG] using github.com/zclconf/go-cty v1.14.4
2024-12-03T20:53:07.862+0100 [INFO]  Go runtime version: go1.22.7
2024-12-03T20:53:07.862+0100 [INFO]  CLI args: []string{"./bin/terraform", "-v"}
2024-12-03T20:53:07.862+0100 [DEBUG] Attempting to open CLI config file: /Users/pgerhard/.terraformrc
2024-12-03T20:53:07.862+0100 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2024-12-03T20:53:07.863+0100 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2024-12-03T20:53:07.863+0100 [DEBUG] ignoring non-existing provider search directory /Users/pgerhard/.terraform.d/plugins
2024-12-03T20:53:07.863+0100 [DEBUG] ignoring non-existing provider search directory /Users/pgerhard/Library/Application Support/io.terraform/plugins
2024-12-03T20:53:07.863+0100 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2024-12-03T20:53:07.864+0100 [INFO]  CLI command args: []string{"version", "-v"}
Terraform v1.9.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azuread v3.0.2

Affected Resource(s)

  • azuread_group

Terraform Configuration Files

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "3.0.2"
    }
  }
}

provider "azuread" {}

resource "azuread_group" "example" {
  display_name     = "example"
  security_enabled = true
}

Debug Output


Expected Behavior

I want to create a group in Entra ID using the Terraform provider. However, this fails with the error

│ Error: Creating group "example"
│
│   with azuread_group.example,
│   on main.tf line 7, in resource "azuread_group" "example":
│    7: resource "azuread_group" "example" {
│
│ unexpected status 400 (400 Bad Request) with error: Request_BadRequest: Request contains a property with duplicate values.

Actual Behavior

After running terraform apply Terraform returned an error.

Steps to Reproduce

  1. Create a new root module containing a main.tf
  2. Add the content from above under Terraform Configuration Files
  3. terraform init
  4. terraform apply

Important Factoids

When looking at the debug logs I noticed that Terraform automatically includes the owners of the group in the request (defaults to the user used to log into Azure). So I re-created the provider's request to the Graph API in cURL:

curl -X POST https://graph.microsoft.com/beta/groups \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer <ACCESS_TOKEN>" \
     -d '{
           "displayName": "example",
           "groupTypes": [],
           "mailEnabled": false,
           "mailNickname": "08240dbf-b",
           "owners@odata.bind": [
             "https://graph.microsoft.com/beta/directoryObjects/3c0d4d19-750a-481d-85e1-f7eae2f2568c"
           ],
           "securityEnabled": true
         }'

and this also fails with the same error as seen in the Terraform debug output. However, after removing the owners attribute, the group is created successfully, including the automatic assignment of the user accessing the API as the owner. Here is the working API request:

curl -X POST https://graph.microsoft.com/beta/groups \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer <ACCESS_TOKEN>" \
     -d '{
           "displayName": "example",
           "groupTypes": [],
           "mailEnabled": false,
           "mailNickname": "08240dbf-b",
           "securityEnabled": true
         }'

Furthermore, the request also succeeds when I add an additional owner (that is, a user that is not myself). Example request:

curl -X POST https://graph.microsoft.com/beta/groups \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer <ACCESS_TOKEN>" \
     -d '{
           "displayName": "example",
           "groupTypes": [],
           "mailEnabled": false,
           "mailNickname": "08240dbf-b",
           "owners@odata.bind": [
             "https://graph.microsoft.com/beta/directoryObjects/391b60f3-d858-46c5-86bf-213083495f8f"
           ],
           "securityEnabled": true
         }'

This leads me to believe that the Microsoft API expects that

  • the owners parameter is empty in case the calling user is meant to be the owner
  • it otherwise only contains additional owners

This would also explain the message "Request contains a property with duplicate values".


alexb-iolo commented Dec 3, 2024

I am having this issue as well. Simple AD group. Verified no existing groups with the same name.

Terraform stack worked fine with AzureAD provider 2.53.1, but I am now having this exact issue with 3.0.2.

I removed the owners parameter from the groups in Terraform but still get the same issue. I'm just rolling back to 2.53.1.

@manicminer (Contributor)

Thanks for reporting, it looks like this is a regression in v3.x. I've opened #1593 to fix it.


sschmeck commented Jan 6, 2025

In addition to the analysis by @pgerhard, I noticed that the issue also occurs when setting the owners attribute explicitly to the current user. FYI:

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}
# Fails with "unexpected status 400 (400 Bad Request) with error: Request_BadRequest: Request contains a property with duplicate values."

But if you add an additional owner to the current user, the creation succeeds.

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id, "????????-????-????-????-????????????"]
  security_enabled = true
}
# Succeeds for an existing additional owner
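As an added illustration of the behaviour described in @pgerhard's analysis and @sschmeck's follow-up (this is not the provider's code nor the fix in #1593), the Go helper below builds the Graph `POST /groups` body the way the API appears to expect it: the calling principal is filtered out of `owners@odata.bind`, duplicates are dropped, and the property is omitted entirely when no other owner remains, since Graph assigns the caller as owner implicitly. The object IDs are the ones quoted in the issue; the type and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const graphBase = "https://graph.microsoft.com/beta/directoryObjects/"

// GroupRequest mirrors the fields of the POST /groups body shown in the issue.
type GroupRequest struct {
	DisplayName     string   `json:"displayName"`
	GroupTypes      []string `json:"groupTypes"`
	MailEnabled     bool     `json:"mailEnabled"`
	MailNickname    string   `json:"mailNickname"`
	Owners          []string `json:"owners@odata.bind,omitempty"`
	SecurityEnabled bool     `json:"securityEnabled"`
}

// BuildGroupRequest assembles the body. The caller's object ID is never bound
// explicitly (Graph adds the caller as owner anyway, and binding it explicitly
// produces the "duplicate values" 400 from the issue); repeated IDs are dropped,
// and a nil Owners slice makes the property disappear via omitempty.
func BuildGroupRequest(displayName, mailNickname, callerID string, owners []string) GroupRequest {
	seen := map[string]bool{strings.ToLower(callerID): true}
	var bind []string
	for _, id := range owners {
		key := strings.ToLower(id)
		if seen[key] {
			continue // skip the caller and exact duplicates
		}
		seen[key] = true
		bind = append(bind, graphBase+id)
	}
	return GroupRequest{
		DisplayName:     displayName,
		GroupTypes:      []string{},
		MailNickname:    mailNickname,
		Owners:          bind,
		SecurityEnabled: true,
	}
}

func main() {
	caller := "3c0d4d19-750a-481d-85e1-f7eae2f2568c" // caller ID quoted in the issue
	other := "391b60f3-d858-46c5-86bf-213083495f8f"  // extra owner quoted in the issue
	for _, owners := range [][]string{{caller}, {caller, other}} {
		body, _ := json.MarshalIndent(BuildGroupRequest("example", "08240dbf-b", caller, owners), "", "  ")
		fmt.Println(string(body))
	}
}
```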
