Error 400 - azuread_group - Request contains a property with duplicate values #567

Closed
mlcooper opened this issue Sep 10, 2021 · 6 comments

@mlcooper

Terraform (and AzureAD Provider) Version

Terraform v1.0.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/azuread v2.2.1
+ provider registry.terraform.io/hashicorp/azurerm v2.76.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0

Affected Resource(s)

  • azuread_group

Terraform Configuration Files

resource "azuread_group" "ops_key_vault" {
  display_name       = "CTSE-DAML-${var.tenant}-Ops-KeyVault"
  description        = "Admin access to Key Vault in DAML Subscription - ${var.tenant} Tenant"
  security_enabled   = true
  owners             = [for _, v in data.azuread_user.key_vault_security_group_owners : v["id"]]
  members            = [for _, v in data.azuread_user.key_vault_admins : v["id"]]
}

Debug Output

2021-09-10T14:04:12.465-0400 [INFO]  provider.terraform-provider-azuread_v2.2.1_x5: 2021/09/10 14:04:12 [DEBUG] Begin AzureAD Response for POST https://graph.microsoft.com/beta//groups: ==========================================
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: 84b0c967-554e-4f0e-a6a1-56e139f84fb7
Content-Type: application/json
Date: Fri, 10 Sep 2021 18:04:12 GMT
Deprecation: 
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:Restricted_AU_Properties&from=2021-04-01&to=2021-05-01>;rel="deprecation";type="text/html"
Request-Id: 84b0c967-554e-4f0e-a6a1-56e139f84fb7
Strict-Transport-Security: max-age=31536000
Sunset: 
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"SN1PEPF0000C9ED"}}
X-Ms-Resource-Unit: 1

101
{"error":{"code":"Request_BadRequest","message":"Request contains a property with duplicate values.","innerError":{"date":"2021-09-10T18:04:12","request-id":"84b0c967-554e-4f0e-a6a1-56e139f84fb7","client-request-id":"84b0c967-554e-4f0e-a6a1-56e139f84fb7"}}}
0

========================================== End AzureAD Response: timestamp=2021-09-10T14:04:12.465-0400

Panic Output

Expected Behavior

Previously this code worked, but when I downgrade my azuread provider to something like 2.1.0, it is still broken, but with a different error.

If I log in to the Azure Portal or use the Azure CLI, using the same credentials (az login) as I do with TF, I am able to create a group in Azure Active Directory and assign an owner and member(s).

Actual Behavior

╷
│ Error: Creating group "CTSE-DAML-poc-Ops-KeyVault"
│
│   with module.daml_tenant_azurepoc001.azuread_group.ops_key_vault,
│   on .terraform/modules/daml_tenant_azurepoc001/key-vault.tf line 57, in resource "azuread_group" "ops_key_vault":
│   57: resource "azuread_group" "ops_key_vault" {
│
│ GroupsClient.BaseClient.Post(): unexpected status 400 with OData error: Request_BadRequest: Request contains a property with duplicate values.

Steps to Reproduce

  1. Using the code snippet above, do terraform apply

Important Factoids

References

  • #0000
@manicminer
Contributor

Hi @mlcooper, thanks for reporting. Please could you provide a full debug log showing the request and response, it will help in diagnosing the cause of the error. Thanks!

@mlcooper
Author

@manicminer here is the full request and response I pulled out of the debug log:

2021-09-10T14:04:11.887-0400 [INFO]  provider.terraform-provider-azuread_v2.2.1_x5: 2021/09/10 14:04:11 [DEBUG] Begin AzureAD Request: ==========================================
POST /beta//groups HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.0.6 (+https://www.terraform.io) Terraform Plugin SDK/2.7.0 terraform-provider-azuread/2.2.1 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 399
Accept: application/json
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip

{"description":"Admin access to Key Vault in DAML Subscription - poc Tenant","displayName":"CTSE-DAML-poc-Ops-KeyVault","isAssignableToRole":false,"mailEnabled":false,"mailNickname":"4087ae2d-c","owners@odata.bind":["https://graph.microsoft.com/v1.0/a4454629-85ac-4c26-b6be-438709073c2a/directoryObjects/48b7f640-d933-4823-929d-fde13114b7a1/Microsoft.DirectoryServices.User"],"securityEnabled":true}
========================================= End AzureAD Request: timestamp=2021-09-10T14:04:11.887-0400
2021-09-10T14:04:12.115-0400 [INFO]  provider.terraform-provider-azurerm_v2.76.0_x5: authenticated object ID cache miss, populating with: "48b7f640-d933-4823-929d-fde13114b7a1": timestamp=2021-09-10T14:04:12.114-0400
2021-09-10T14:04:12.115-0400 [INFO]  provider.terraform-provider-azurerm_v2.76.0_x5: Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant a4454629-85ac-4c26-b6be-438709073c2a: timestamp=2021-09-10T14:04:12.114-0400
2021-09-10T14:04:12.465-0400 [INFO]  provider.terraform-provider-azuread_v2.2.1_x5: 2021/09/10 14:04:12 [DEBUG] Begin AzureAD Response for POST https://graph.microsoft.com/beta//groups: ==========================================
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: 84b0c967-554e-4f0e-a6a1-56e139f84fb7
Content-Type: application/json
Date: Fri, 10 Sep 2021 18:04:12 GMT
Deprecation: 
Link: <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:Restricted_AU_Properties&from=2021-04-01&to=2021-05-01>;rel="deprecation";type="text/html"
Request-Id: 84b0c967-554e-4f0e-a6a1-56e139f84fb7
Strict-Transport-Security: max-age=31536000
Sunset: 
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"SN1PEPF0000C9ED"}}
X-Ms-Resource-Unit: 1

101
{"error":{"code":"Request_BadRequest","message":"Request contains a property with duplicate values.","innerError":{"date":"2021-09-10T18:04:12","request-id":"84b0c967-554e-4f0e-a6a1-56e139f84fb7","client-request-id":"84b0c967-554e-4f0e-a6a1-56e139f84fb7"}}}
0


========================================== End AzureAD Response: timestamp=2021-09-10T14:04:12.465-0400

@manicminer
Contributor

@mlcooper Thanks, that's super helpful. As far as I can tell, there's nothing wrong with the request there, so this would appear to be an API bug? I would suggest raising this in a support ticket, and I will also do what I can to let the service team know (though you likely won't get an individual response).

@mlcooper
Author

Thank you for taking a look, @manicminer. I have opened a support ticket with Azure and I will let you know what they find.

@manicminer
Contributor

Thanks again for reporting this, @mlcooper. For additional context, this error has made an appearance in other issues such as #478. Since it seems that this is due to an API bug, I've reported this upstream at microsoftgraph/msgraph-metadata#92 and will be closing this issue for now.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2021