
ad_group_membership allows only to replace all members #134

Open
randomswdev opened this issue Nov 3, 2021 · 9 comments

Comments

@randomswdev

When using the ad_group_membership resource, I have to always provide the full list of members. This is because the resource replaces the current group members with the ones provided in input.

This is complex to handle if an AD group is shared between multiple Terraform automations, with each automation interested in adding its own users to the group.

I would like to add a resource named ad_group_member that allows adding a single member to an AD group. The member is just added as an additional member, without replacing the ones already in the group. If the resource is destroyed, the user is removed from the group membership, but only this user is removed.

If you think this feature is useful, I can contribute a pull request that implements it.

@randomswdev
Author

I just submitted a pull request for this. Please let me know if this change is ok and if the code requires any improvements.

@hAh0L13

hAh0L13 commented Nov 19, 2021

We faced a similar problem - when adding users by sAMAccountName, the resource "ad_group_membership" recognizes existing users by GUID and tries to delete the users with GUIDs and add the same users by sAMAccountName -

```
# module.ns["keycloak"].ad_group_membership.ns will be updated in-place
  ~ resource "ad_group_membership" "ns" {
      ~ group_members = [
          - "2fb9f8bf-277b-41a3-8680-efe8d11001f4",
          - "677119e8-e166-4755-916f-f9b6b117da55",
          - "925c2480-562a-4ff5-8ed1-8cf13e5a651b",
          + "username1",
          + "iusername2",
          + "username3",
        ]
        id            = "20ee4193-8a12-4aa1-959d-c0bd0440bbd2_ebf9c0de-6352-b8d3-e58a-f05e02e2c12c"
        # (1 unchanged attribute hidden)
```

This PR #135 would help us with our infrastructure
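Added example, not the provider's code: a small model of the two behaviours discussed above. `plan_replace_all` mirrors how a list-of-strings attribute is diffed, so GUIDs read from AD and sAMAccountNames in the config never match and every member is removed and re-added; `shared_group_scenario` contrasts the replace-all semantics of ad_group_membership with the per-member add/remove semantics proposed for ad_group_member. The directory mapping, GUID values and `canonical` helper are constructed for the example.

```python
# Constructed directory: sAMAccountName -> objectGUID (fake GUIDs, example only).
DIRECTORY = {"username1": "guid-0001", "username2": "guid-0002", "username3": "guid-0003"}


def canonical(member: str) -> str:
    """Resolve a sAMAccountName to its GUID; pass unknown values (GUIDs) through."""
    return DIRECTORY.get(member, member)


def plan_replace_all(state, desired, normalize=False):
    """Diff a list-of-strings attribute the way a plan does.

    Returns (to_remove, to_add). Without normalization, GUIDs in state and
    names in config compare as different strings, producing a full churn.
    """
    if normalize:
        state = [canonical(m) for m in state]
        desired = [canonical(m) for m in desired]
    current, wanted = set(state), set(desired)
    return sorted(current - wanted), sorted(wanted - current)


def apply_replace_all(group, desired):
    """ad_group_membership semantics: the group becomes exactly `desired`."""
    return set(desired)


def apply_member_create(group, member):
    """Proposed ad_group_member create: add one member, keep the rest."""
    return group | {member}


def apply_member_destroy(group, member):
    """Proposed ad_group_member destroy: remove only this member."""
    return group - {member}


def shared_group_scenario():
    """Two workspaces each own one member of the same group.

    Returns (group after both replace-all applies,
             group after both per-member creates,
             group after workspace A's per-member destroy).
    """
    clobbered = apply_replace_all(apply_replace_all(set(), ["guid-0001"]), ["guid-0002"])
    additive = apply_member_create(apply_member_create(set(), "guid-0001"), "guid-0002")
    after_destroy = apply_member_destroy(additive, "guid-0001")
    return clobbered, additive, after_destroy
```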

@Nothing4You

@hAh0L13 see #94 - that's the issue you're describing.

@gramsa49
Contributor

This would be helpful for me as well. I use this provider to manage AD users and groups for use with AWS SSO. I have a module against our payer account and against AWS Orgs member accounts to add all groups to a parent group for SCIM provisioning filtering. I need to manage group membership in a common AD group from multiple workspaces/accounts without each account stepping on other accounts.

@gramsa49
Contributor

> This would be helpful for me as well. I use this provider to manage AD users and groups for use with AWS SSO. I have a module against our payer account and against AWS Orgs member accounts to add all groups to a parent group for SCIM provisioning filtering. I need to manage group membership in a common AD group from multiple workspaces/accounts without each account stepping on other accounts.

I tested this provider and the new resource type ad_group_member works as expected. I was able to easily convert my existing resources of type ad_group_membership to ad_group_member with the desired end result of the various workspaces not conflicting with one another.

@gramsa49
Contributor

gramsa49 commented Jan 6, 2022

This has been working for me for the last 6 weeks. Any chance this can be merged into the provider?

@drdamour

drdamour commented Apr 6, 2022

@koikonom any chance we could add this resource? The replace-all is a real pain to work around, as I have to pass around members in vars so that I only have one place where I define membership.

@dl-mai

dl-mai commented Jul 5, 2022

I also have this issue when managing too many users, which results in a "The command line is too long." error. I chunked the user IDs into smaller parts. This works on the first run but breaks on the second run, because when it refreshes the state it tries to remove users from the group. Because it tries to remove all users at once, the "The command line is too long." error occurs as well.

@eperdeme

> I also have this issue when managing too many users, which results in a "The command line is too long." error. I chunked the user IDs into smaller parts. This works on the first run but breaks on the second run, because when it refreshes the state it tries to remove users from the group. Because it tries to remove all users at once, the "The command line is too long." error occurs as well.

How long is too long? I'm just about to start using TF to manage some AD groups. Is it 100+ or much smaller numbers before it hits the length limits?
