
azurerm_active_directory_domain_service: filtered_sync_enabled & domain_configuration_type not applied #25575

Open
QBY-ChristianHartmann opened this issue Apr 11, 2024 · 3 comments
Labels
bug service/domain-services upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking. v/3.x

Comments

@QBY-ChristianHartmann

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.3

AzureRM Provider Version

3.98.0

Affected Resource(s)/Data Source(s)

azurerm_active_directory_domain_service

Terraform Configuration Files

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "deploy" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "deploy" {
  name                = "deploy-vnet"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name
  address_space       = ["10.0.1.0/16"]
}

resource "azurerm_subnet" "deploy" {
  name                 = "deploy-subnet"
  resource_group_name  = azurerm_resource_group.deploy.name
  virtual_network_name = azurerm_virtual_network.deploy.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_network_security_group" "deploy" {
  name                = "deploy-nsg"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name

  security_rule {
    name                       = "AllowSyncWithAzureAD"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowRD"
    priority                   = 201
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "CorpNetSaw"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowPSRemoting"
    priority                   = 301
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5986"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowLDAPS"
    priority                   = 401
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "636"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "deploy" {
  subnet_id                 = azurerm_subnet.deploy.id
  network_security_group_id = azurerm_network_security_group.deploy.id
}

resource "azuread_group" "dc_admins" {
  display_name     = "AAD DC Administrators"
  security_enabled = true
}

resource "azuread_user" "admin" {
  user_principal_name = "[email protected]"
  display_name        = "DC Administrator"
  password            = "Pa55w0Rd!!1"
}

resource "azuread_group_member" "admin" {
  group_object_id  = azuread_group.dc_admins.object_id
  member_object_id = azuread_user.admin.object_id
}

resource "azuread_service_principal" "example" {
  application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services
}

resource "azurerm_resource_group" "aadds" {
  name     = "aadds-rg"
  location = "westeurope"
}

resource "azurerm_active_directory_domain_service" "example" {
  name                = "example-aadds"
  location            = azurerm_resource_group.aadds.location
  resource_group_name = azurerm_resource_group.aadds.name

  domain_name           = "widgetslogin.net"
  sku                   = "Enterprise"
  filtered_sync_enabled     = true
  domain_configuration_type = "ResourceTrusting"

  initial_replica_set {
    subnet_id = azurerm_subnet.deploy.id
  }

  notifications {
    additional_recipients = ["[email protected]", "[email protected]"]
    notify_dc_admins      = true
    notify_global_admins  = true
  }

  security {
    sync_kerberos_passwords = true
    sync_ntlm_passwords     = true
    sync_on_prem_passwords  = true
  }

  tags = {
    Environment = "prod"
  }

  depends_on = [
    azuread_service_principal.example,
    azurerm_subnet_network_security_group_association.deploy,
  ]
}

Debug Output/Panic Output

first apply:
resource "azurerm_active_directory_domain_service" "example" {
      + deployment_id             = (known after apply)
      + domain_configuration_type = "ResourceTrusting"
      + domain_name               = "widgetslogin.net"
      + filtered_sync_enabled     = true
      + id                        = (known after apply)
      + location                  = "westeurope"
      + name                      = "example-aadds"
      + resource_group_name       = "aadds-rg"
      + resource_id               = (known after apply)
      + sku                       = "Enterprise"
      + sync_owner                = (known after apply)
      + tags                      = {
          + "Environment" = "prod"
        }
      + tenant_id                 = (known after apply)
      + version                   = (known after apply)

      + initial_replica_set {
          + domain_controller_ip_addresses = (known after apply)
          + external_access_ip_address     = (known after apply)
          + id                             = (known after apply)
          + location                       = (known after apply)
          + service_status                 = (known after apply)
          + subnet_id                      = (known after apply)
        }

      + notifications {
          + additional_recipients = [
              + "[email protected]",
              + "[email protected]",
            ]
          + notify_dc_admins      = true
          + notify_global_admins  = true
        }

      + security {
          + kerberos_armoring_enabled       = false
          + kerberos_rc4_encryption_enabled = false
          + ntlm_v1_enabled                 = false
          + sync_kerberos_passwords         = true
          + sync_ntlm_passwords             = true
          + sync_on_prem_passwords          = true
          + tls_v1_enabled                  = false
        }
    }

Expected Behaviour

Microsoft Entra Domain Services is deployed with domain_configuration_type = "ResourceTrusting", filtered_sync_enabled = true.

Actual Behaviour

Microsoft Entra Domain Services is deployed with domain_configuration_type = "FullySynced", filtered_sync_enabled = false. Another terraform apply shows that the Domain Services must be replaced, since the domain_configuration_type in the Terraform code is different from the actually deployed configuration. Plan after apply:
resource "azurerm_active_directory_domain_service" "eds" {
~ deployment_id = "90fdfb16-de88-4e98-849a-3a03605896fe" -> (known after apply)
~ domain_configuration_type = "FullySynced" -> "ResourceTrusting" # forces replacement
~ filtered_sync_enabled = false -> true

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. terraform apply again

Important Factoids

No response

References

No response

@magodo
Collaborator

magodo commented Apr 12, 2024

@QBY-ChristianHartmann

Following is the code where these two fields are applied in the provider:

filteredSync := domainservices.FilteredSyncDisabled
if d.Get("filtered_sync_enabled").(bool) {
    filteredSync = domainservices.FilteredSyncDisabled
}

This is apparently a bug ☝️

if v := d.Get("domain_configuration_type").(string); v != "" {
    domainService.Properties.DomainConfigurationType = &v
}

This LGTM..

Following is the code where these two fields are read in the provider:

d.Set("domain_configuration_type", props.DomainConfigurationType)
d.Set("filtered_sync_enabled", false)
if props.FilteredSync != nil && *props.FilteredSync == domainservices.FilteredSyncEnabled {
    d.Set("filtered_sync_enabled", true)
}

These also LGTM (except for the case sensitivity, which should be fine).

Would you mind running terraform plan/apply with TF_LOG=DEBUG and inspecting the actual response returned from the API for properties.domainConfigurationType, to check whether it is sent as ResourceTrusting on apply while the read returns FullySynced?
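To make the create-path defect in the quoted snippet concrete, here is an added, stand-alone Go illustration (not the provider's code). It mirrors the enum and the expand/flatten logic with local stand-ins: the `FilteredSync` type and its two constants are assumptions that imitate the `domainservices` package, and `expandFilteredSyncBuggy` reproduces the quoted bug, where both branches assign `FilteredSyncDisabled`, so a configured `true` is never sent to the API and the next read reports `false`, producing the permanent diff in the report above. The read side is shown with a case-insensitive comparison, which addresses the case-sensitivity caveat mentioned in the comment.

```go
package main

import (
	"fmt"
	"strings"
)

// FilteredSync is an assumed stand-in for the string enum the provider gets
// from the go-azure-sdk domainservices package.
type FilteredSync string

const (
	FilteredSyncEnabled  FilteredSync = "Enabled"
	FilteredSyncDisabled FilteredSync = "Disabled"
)

// expandFilteredSyncBuggy reproduces the quoted create-path logic:
// both branches assign Disabled, so filtered_sync_enabled = true is never sent.
func expandFilteredSyncBuggy(enabled bool) FilteredSync {
	v := FilteredSyncDisabled
	if enabled {
		v = FilteredSyncDisabled // bug: should be FilteredSyncEnabled
	}
	return v
}

// expandFilteredSync is the corrected mapping from the schema bool to the enum.
func expandFilteredSync(enabled bool) FilteredSync {
	if enabled {
		return FilteredSyncEnabled
	}
	return FilteredSyncDisabled
}

// flattenFilteredSync mirrors the read path: nil or any value other than
// "Enabled" becomes false. The comparison is case-insensitive so that a
// response spelled "enabled" is not silently read back as false.
func flattenFilteredSync(v *FilteredSync) bool {
	return v != nil && strings.EqualFold(string(*v), string(FilteredSyncEnabled))
}

// roundTrip feeds a configured bool through expand and then flatten, as one
// apply-then-refresh cycle would if the API echoed the request unchanged.
func roundTrip(expand func(bool) FilteredSync, enabled bool) bool {
	sent := expand(enabled)
	return flattenFilteredSync(&sent)
}

func main() {
	for _, configured := range []bool{false, true} {
		fmt.Printf("configured=%v buggy=%v fixed=%v\n", configured,
			roundTrip(expandFilteredSyncBuggy, configured),
			roundTrip(expandFilteredSync, configured))
	}
}
```

With the buggy expand, `configured=true` round-trips to `false`, which is exactly the `false -> true` diff Terraform keeps proposing; with the corrected expand the value survives the cycle.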

@QBY-ChristianHartmann
Author

Hi @magodo,

it seems to be a problem with the API. The request includes the correct input "ResourceTrusting", but the 201 answer shows "FullySynced".

2024-04-12T08:52:27.484+0200 [DEBUG] provider.terraform-provider-azurerm_v3.98.0_x5.exe: AzureRM Request: 
PUT /subscriptions/<subscriptionID>/resourceGroups/rg-EntraDomainServices-dev-01/providers/Microsoft.AAD/domainServices/<tenantID>.onmicrosoft.com?api-version=2021-05-01 HTTP/1.1
Host: management.azure.com
User-Agent: HashiCorp/go-azure-sdk (Go-http-Client/1.1 domainservices/2021-05-01) HashiCorp Terraform/1.7.3 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.98.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 834
Content-Type: application/json; charset=utf-8
X-Ms-Correlation-Request-Id: 36fbaa54-bf05-949b-a27b-b0366c48951f
Accept-Encoding: gzip

{"location":"westeurope","properties":{"domainConfigurationType":"ResourceTrusting","domainName":"<tenantID>.onmicrosoft.com","domainSecuritySettings":{"kerberosArmoring":"Disabled","kerberosRc4Encryption":"Disabled","ntlmV1":"Disabled","syncKerberosPasswords":"Enabled","syncNtlmPasswords":"Enabled","syncOnPremPasswords":"Enabled","tlsV1":"Disabled"},"filteredSync":"Disabled","ldapsSettings":{"ldaps":"Disabled"},"notificationSettings":{"additionalRecipients":[],"notifyDcAdmins":"Enabled","notifyGlobalAdmins":"Enabled"},"replicaSets":[{"location":"westeurope","subnetId":"/subscriptions/<subscriptionID>/resourceGroups/rg-EntraDomainServices-dev-01/providers/Microsoft.Network/virtualNetworks/vnet-10-0-0-0-16-westeurope/subnets/snet-10-0-1-0-24-EDS"}],"sku":"Enterprise"},"tags":{"Environment":"dev"}}: timestamp="2024-04-12T08:52:27.483+0200"
2024-04-12T08:52:27.484+0200 [DEBUG] provider.terraform-provider-azurerm_v3.98.0_x5.exe: PUT https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/rg-EntraDomainServices-dev-01/providers/Microsoft.AAD/domainServices/<tenantID>.onmicrosoft.com?api-version=2021-05-01: timestamp="2024-04-12T08:52:27.483+0200"
2024-04-12T08:52:41.129+0200 [DEBUG] provider.terraform-provider-azurerm_v3.98.0_x5.exe: AzureRM Response for https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/rg-EntraDomainServices-dev-01/providers/Microsoft.AAD/domainServices/<tenantID>.onmicrosoft.com?api-version=2021-05-01: 
HTTP/2.0 201 Created
Content-Length: 1471
Azure-Asyncoperation: https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.AAD/locations/westeurope/operationResults/7992bb03-494d-4cde-845f-3ea3ad23291f?api-version=2021-05-01&t=
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Fri, 12 Apr 2024 06:52:40 GMT
Etag: W/"datetime'2024-04-12T06%3A52%3A29.9192534Z'"
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 36fbaa54-bf05-949b-a27b-b0366c48951f
X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199
X-Ms-Request-Id: 61798f5d-580d-4a3e-9a50-c6942cc53836
X-Ms-Routing-Request-Id: FRANCESOUTH:20240412T065241Z:b1e7609b-6663-49ce-9ca0-6ea17f350354

{"id":"/subscriptions/<subscriptionID>/resourceGroups/rg-EntraDomainServices-dev-01/providers/Microsoft.AAD/domainServices/<tenantID>.onmicrosoft.com","name":"<tenantID>.onmicrosoft.com","type":"Microsoft.AAD/domainServices","etag":"W/\"datetime'2024-04-12T06%3A52%3A29.9192534Z'\"","location":"westeurope","tags":{"Environment":"dev"},"properties":{"version":2,"tenantId":"<TenantId>","domainName":"<tenantID>.onmicrosoft.com","deploymentId":"b9f5035c-c4be-4d23-acf4-1b654a798186","syncOwner":"b9f5035c-c4be-4d23-acf4-1b654a798186","replicaSets":[{"replicaSetId":"b9f5035c-c4be-4d23-acf4-1b654a798186","location":"West Europe","subnetId":"/subscriptions/<subscriptionID>/resourceGroups/rg-EntraDomainServices-dev-01/providers/Microsoft.Network/virtualNetworks/vnet-10-0-0-0-16-westeurope/subnets/snet-10-0-1-0-24-EDS"}],"ldapsSettings":{"ldaps":"Disabled","certificateNotAfter":"0001-01-01T08:00:00Z","externalAccess":"Disabled"},"domainSecuritySettings":{"ntlmV1":"Disabled","tlsV1":"Disabled","syncNtlmPasswords":"Enabled","syncKerberosPasswords":"Enabled","syncOnPremPasswords":"Enabled","kerberosRc4Encryption":"Disabled","kerberosArmoring":"Disabled"},"filteredSync":"Disabled","domainConfigurationType":"FullySynced","notificationSettings":{"notifyGlobalAdmins":"Enabled","notifyDcAdmins":"Enabled","additionalRecipients":[]},"sku":"Enterprise","provisioningState":"Creating"}}: timestamp="2024-04-12T08:52:41.129+0200"
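The comparison done by eye above (request body versus 201 response body) is the check worth automating when triaging this kind of upstream drift. The following added Go example is not part of the issue or the provider; it parses trimmed, constructed copies of the two JSON bodies from the debug log and lists every compared property the API returned differently from what was requested. The `filteredSync` value is `Disabled` in both, because the provider bug discussed earlier already sends `Disabled`, so only `domainConfigurationType` shows as drift here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// domainServiceBody is the subset of the ARM payload worth comparing; the
// request and the response both carry these fields under "properties".
type domainServiceBody struct {
	Properties struct {
		DomainConfigurationType string `json:"domainConfigurationType"`
		FilteredSync            string `json:"filteredSync"`
		ProvisioningState       string `json:"provisioningState"`
	} `json:"properties"`
}

// Constructed, trimmed copies of the PUT body and the 201 body from the debug log.
const requestJSON = `{"location":"westeurope","properties":{"domainConfigurationType":"ResourceTrusting","filteredSync":"Disabled","sku":"Enterprise"}}`
const responseJSON = `{"location":"westeurope","properties":{"domainConfigurationType":"FullySynced","filteredSync":"Disabled","sku":"Enterprise","provisioningState":"Creating"}}`

// Drift records one property whose returned value differs from the requested one.
type Drift struct {
	Property  string
	Requested string
	Returned  string
}

// compareDomainService parses both bodies and returns the properties that drifted.
// An empty slice means the API echoed the requested configuration.
func compareDomainService(request, response string) ([]Drift, error) {
	var req, resp domainServiceBody
	if err := json.Unmarshal([]byte(request), &req); err != nil {
		return nil, fmt.Errorf("request body: %w", err)
	}
	if err := json.Unmarshal([]byte(response), &resp); err != nil {
		return nil, fmt.Errorf("response body: %w", err)
	}
	pairs := []struct{ name, want, got string }{
		{"properties.domainConfigurationType", req.Properties.DomainConfigurationType, resp.Properties.DomainConfigurationType},
		{"properties.filteredSync", req.Properties.FilteredSync, resp.Properties.FilteredSync},
	}
	var drifts []Drift
	for _, p := range pairs {
		if p.want != p.got {
			drifts = append(drifts, Drift{Property: p.name, Requested: p.want, Returned: p.got})
		}
	}
	return drifts, nil
}

func main() {
	drifts, err := compareDomainService(requestJSON, responseJSON)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, d := range drifts {
		fmt.Printf("%s: requested %q, API returned %q\n", d.Property, d.Requested, d.Returned)
	}
}
```

Running it against the two bodies reports `properties.domainConfigurationType: requested "ResourceTrusting", API returned "FullySynced"`, which is the evidence to attach to a support ticket together with the X-Ms-Correlation-Request-Id.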

@magodo
Collaborator

magodo commented Apr 12, 2024

@QBY-ChristianHartmann In this case, you can submit an Azure support ticket, with the X-Ms-Correlation-Request-Id.

@magodo magodo added the upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking. label Apr 12, 2024