given_name and surname detected as null in v0.4.1

[shoddyguard]

Terraform Version and Provider Version

Terraform v0.14.3
hashicorp/ad v0.4.1

Windows Version

Various (Windows 10 2004, Server 2019, Server 2016, MacOS)

Affected Resource(s)

ad_user

Terraform Configuration Files

data "vault_generic_secret" "john_doe-password" {
  path = "credentials/testingco/john.doe"
}

resource "ad_user" "john_doe" {
  display_name     = "John Doe"
  principal_name   = "[email protected]"
  sam_account_name = "john.doe"

  enabled                = true
  initial_password       = data.vault_generic_secret.john_doe-password.data["password"]
  password_never_expires = true
  container              = "CN=Users,DC=redgate-testing,DC=com"
}

Debug Output

Debug output appears to expose plaintext secrets so if there's a method for sharing securely please let me know.

Expected Behavior

What should have happened?

No changes should be detected or made to the user.

Actual Behavior

Terraform detected that the surname and given_name needed to be set to null

  # ad_user.john_doe will be updated in-place
  ~ resource "ad_user" "john_doe" {
      - given_name                = "John" -> null
        id                        = "c77ce1fa-b1de-4715-991d-a91d9db91f8a"
      - surname                   = "Doe" -> null
        # (10 unchanged attributes hidden)
    }

Steps to Reproduce

terraform plan

Important Factoids

This runs as part of a CI/CD pipeline and only started happening yesterday after v.0.4.1 was released.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[koikonom]

Hi @shoddyguard, thanks for opening this issue.

Is it possible that these two fields have been updated by an external tool (or someone doing it manually) ?

The reason this started happening with v0.4.1 is because this version introduced support for additional user attributes (such as given name and surname). My assumption is that someone or something updated the user object in AD with a name and surname and then once you upgraded to 0.4.1 it started complaining because the default value for these in the operator is null.

If this is the case then the plan will return empty again once you set given_name and surname in your terraform configuration.

[shoddyguard]

Hi @koikonom thanks for the quick response.
Sorry I think I should have specified a bit more around this.
There's another issue here other than the plan in that running a terraform apply with these null values seemingly crashes the set-aduser PowerShell cmdlet (that I assume terraform is using under the hood to make the changes?)

While the output is a little hard to read it looks like it's unhappy with null being applied to these values?
https://gist.github.com/shoddyguard/beb4c8be5dc28b3cdcc2afc05b7e80b2

[koikonom]

OK I got it now, thanks for clarifying. I managed to reproduce the issue on my side.

[shoddyguard]

Many thanks for fixing this so quickly. 😄

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!