Discrete feature to create multiple AAD Group Owners

[nitmatgeo]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I would like to recommend to add another Resource: azuread_group_owners similar to azuread_group_member. This will help to configure multiple owners or add/remove owners, otherwise, this is causing an issue when we use CSV files to create groups/owners.

Please let me know if this could be implemented, it should be easy and very similar to azuread_group_member.

New or Affected Resource(s)

• azuread_group_owner

Potential Terraform Configuration

resource "azuread_group_owner" "test" {
  group_object_id  = azuread_group.example.id
  owner_object_id = data.azuread_user.example.id
}

[manicminer]

Hi @nitmatgeo, thanks for requesting. I've gone ahead and updated your initial comment using our issue template for feature requests as this aids us in reviewing.

You are correct this should be a relatively straightforward resource to implement. At the moment, the AzureAD provider is in a feature freeze whilst we implement major changes for the ongoing Microsoft Graph transition. However, once we are able to merge new features we'll be able to work on this.

[manicminer]

Due to ongoing API issues I'm going to mark this one as blocked for now.

For context, since moving to MS Graph and then again after adding support for unified groups (aka M365/O365 groups) we've had to take great care to conform to new constraints on group ownership whilst maintaining compatibility for Terraform users who may or may not have permissions to read/write all groups in their tenant. At this time we are complying with these constraints, however reports continue of potential API errors, and so to avoid breaking existing configurations this feature will be on hold until we have further clarification. Thanks!

[pcornelissen]

Well, the problem is still present in recent azuread terraform + public azure-api combinations.
Right now I can't create a group via terraform, because I the duplicate owner error with http status 400.
If there is right now a problem that somehow the owner get's assigned twice somewhere along the call chain, why is that not silently discarded at least until the internal problem is fixed.
The intent is to create the group and the desired owner is clearly present in the request (although it's duplicated, but still the intent is crystal clear). Why can't you just ignore the duplicate value in this case and treat it as "set" instead of a list?

[sumitkatre123]

any news/update it is pushing us away from terraform and forcing to do things manually ?

[sumitkatre123]

or any workaround would be great :)

[VPPetr]

is there anything as a workaround?

[manicminer]

This is blocked by various API issues including #1435