Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Could not create azuread_group resource with service principal and user set as owners #548

Closed
neocycf opened this issue Sep 3, 2021 · 7 comments · Fixed by #553
Closed

Could not create azuread_group resource with service principal and user set as owners #548

neocycf opened this issue Sep 3, 2021 · 7 comments · Fixed by #553
Assignees
@manicminer
Labels
bug feature/groups
Milestone
v2.2.0

Comments

@neocycf
Copy link

neocycf commented Sep 3, 2021

Hi,
We're upgrading from v1.5.1 to v2.0.1 and encountered errors when creating new azuread_group resource.
The code below worked in v1.5.1.

resource "azuread_group" "group_xxx" {
  display_name = "group_xxx"
  description  = "group_xxx description"
  owners = [
    "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", # service principal id
    "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy", # user id
  ]
  prevent_duplicate_names = true
  security_enabled        = true
}

Tried:

  1. Remove service principal id from code above, terraform apply. Result: successful.
  2. After the apply, use the same code above and apply again. Result: successful. Group has 2 owners.
  3. Terraform destroy with same code above. Result: successful.

Debug output:
2021-09-02T10:21:20.6799841Z 2021/09/02 10:21:20 [ERROR] eval: *terraform.EvalSequence, err: Creating group "group_xxx": GroupsClient.BaseClient.Post(): unexpected status 400 with OData error: Request_BadRequest: Object '[ResourceType=ServicePrincipal,Id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,ChangedProperties=[],NonDefaultProperties=[INTERNAL_EnableF14M1SchemaEnumTypes,INTERNAL_SingleResourceQuery,INTERNAL_CombinedServicePrincipal]]' referenced from '[ResourceType=Group,Id=11111111-1111-1111-1111-111111111111,ChangedProperties=[Description,DisplayName,IsAssignableToRole,MailEnabled,MailNickname,SecurityEnabled,CreatedByAppId],NonDefaultProperties=[INTERNAL_EnableF14M1SchemaEnumTypes]]' can only be present once as an add/remove change.
@manicminer
Copy link
Contributor

Hi @neocycf, thanks for reporting this error. That's an interesting one, it looks like some implementation detail is being erroneously leaked in the error response.

I've tried with your config but haven't been able to reproduce with 2.0.1 or 2.1.0. Would you be able to provide an HTTP trace showing the POST requests to create the group and set its owners? Thanks!

@neocycf
Copy link
Author

neocycf commented Sep 3, 2021

Hi @manicminer,
In 1 and 2, ServicePrincipal appeared twice in the request.

  1. ServicePrincipal + User
POST /beta/11111111-1111-1111-1111-111111111111/groups HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/0.13.7 (+https://www.terraform.io) Terraform Plugin SDK/2.7.0 terraform-provider-azuread/2.1.0 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 824
Accept: application/json
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip
 
{"description":"group_xxx description","displayName":"group_xxx","isAssignableToRole":false,"mailEnabled":false,"mailNickname":"dddddddd-d","[email protected]":["https://graph.microsoft.com/v1.0/11111111-1111-1111-1111-111111111111/directoryObjects/22222222-2222-2222-2222-222222222222/Microsoft.DirectoryServices.ServicePrincipal","https://graph.microsoft.com/v1.0/11111111-1111-1111-1111-111111111111/directoryObjects/33333333-3333-3333-3333-333333333333/Microsoft.DirectoryServices.User","https://graph.microsoft.com/v1.0/11111111-1111-1111-1111-111111111111/directoryObjects/22222222-2222-2222-2222-222222222222/Microsoft.DirectoryServices.ServicePrincipal"],"securityEnabled":true}
  1. ServicePrincipal only
POST /beta/11111111-1111-1111-1111-111111111111/groups HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/0.13.7 (+https://www.terraform.io) Terraform Plugin SDK/2.7.0 terraform-provider-azuread/2.1.0 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 665
Accept: application/json
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip


{"description":"group_xxx description","displayName":"group_xxx","isAssignableToRole":false,"mailEnabled":false,"mailNickname":"99999999-9","[email protected]":["https://graph.microsoft.com/v1.0/11111111-1111-1111-1111-111111111111/directoryObjects/22222222-2222-2222-2222-222222222222/Microsoft.DirectoryServices.ServicePrincipal","https://graph.microsoft.com/v1.0/11111111-1111-1111-1111-111111111111/directoryObjects/22222222-2222-2222-2222-222222222222/Microsoft.DirectoryServices.ServicePrincipal"],"securityEnabled":true}
  1. User only
POST /beta/11111111-1111-1111-1111-111111111111/groups HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/0.13.7 (+https://www.terraform.io) Terraform Plugin SDK/2.7.0 terraform-provider-azuread/2.1.0 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 482
Accept: application/json
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip


{"description":"group_xxx description","displayName":"group_xxx","isAssignableToRole":false,"mailEnabled":false,"mailNickname":"bbbbbbbb-b","[email protected]":["https://graph.microsoft.com/v1.0/11111111-1111-1111-1111-111111111111/directoryObjects/33333333-3333-3333-3333-333333333333/Microsoft.DirectoryServices.User"],"securityEnabled":true}
  1. User then ServicePrincipal
POST /beta/11111111-1111-1111-1111-111111111111/groups/44444444-4444-4444-4444-444444444444/owners/$ref HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/0.13.7 (+https://www.terraform.io) Terraform Plugin SDK/2.7.0 terraform-provider-azuread/2.1.0 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 184
Accept: application/json
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip

{"@odata.id":"https://graph.microsoft.com/v1.0/11111111-1111-1111-1111-111111111111/directoryObjects/22222222-2222-2222-2222-222222222222/Microsoft.DirectoryServices.ServicePrincipal"}

@manicminer
Copy link
Contributor

@neocycf Thanks, is the service principal the same one you are using to authenticate the provider?

@neocycf
Copy link
Author

neocycf commented Sep 3, 2021

@manicminer Yes.

@manicminer
Copy link
Contributor

Thanks @neocycf, I think I found a bug that could account for this. Will PR a fix shortly.

@manicminer manicminer self-assigned this Sep 3, 2021
@manicminer manicminer mentioned this issue Sep 6, 2021
Merged
@manicminer manicminer added this to the v2.2.0 milestone Sep 6, 2021
@github-actions
Copy link

This functionality has been released in v2.2.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 10, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@manicminer manicminer

Labels
bug feature/groups
Projects
None yet
Milestone
v2.2.0
2 participants
@manicminer @neocycf