Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Computer Object Removal Fails with Leaf objects #154

Open
DanZab opened this issue Jul 25, 2022 · 1 comment
Open

Computer Object Removal Fails with Leaf objects #154

DanZab opened this issue Jul 25, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@DanZab
Copy link

DanZab commented Jul 25, 2022

Terraform Version and Provider Version

Terraform v1.2.4
AD Provider v0.4.4

Windows Version

Running from Windows and Linux

Affected Resource(s)

  • ad_computer

Terraform Configuration Files

resource "ad_computer" "computer_object" {
  name      = var.computer_name
  container = var.ou
}

Expected Behavior

The AD Computer object should be destroyed from the domain

Actual Behavior

When a Computer object has had a Service Connection Point created as a sub-object, the Remove-ADComputer command fails because it can't execute on a Leaf object. (An object with sub-containers.)

Steps to Reproduce

We are creating Virtual Machines in Azure, we are pre-creating the AD Computer object with this provider for two reasons:

  1. We can create it in a specific OU
  2. (More Importantly) We want to remove the computer object when that VM is destroyed to keep our domain clean

When you create a Virtual Machine in Azure, it Automatically creates a "Windows Virtual Machine" serviceConnectionPoint object as a sub-object of the computer. You can see this by running:

Get-ADObject -Filter {objectClass -eq "serviceConnectionPoint"} -SearchBase "CN=VM-Name,OU=Servers,DC=exampledomain,DC=local"

When destroying the computer object that was initially created with the ad_computer resource, it causes the Remove-ADComptuer command to fail:

│ Error: error while deleting a computer object with id "7114a6de-30d2-452d-b749-5cf256e8fab5": Remove-ADComputer exited with a non zero exit code (1), stderr: Remove-ADComputer : The directory service can perform the requested operation only on a leaf objectAt line:4 char:2
│  Remove-ADComputer -confirm:$false -Identity "7114a6de-30d2-452d-b749 ...

Important Factoids

This could be fixed by replacing the Remove-ADComputer command with Remove-ADObject, you can keep the -Identity and -Confirm parameter, but add a -Recursive switch:

Remove-ADObject -Identity {resource.ad_computer.id} -confirm:$false -recursive

These SCPs aren't manually created, it seems useless to try and build a way to pre-create them with the provider to contain them within state. I don't see a downside with changing the command if the intent is to remove that object anyways.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@DanZab DanZab added the bug Something isn't working label Jul 25, 2022
@hoivikaj
Copy link

Adding -recursive flag also deletes child objects that are "protected from accidental deletion". However, if you follow the precedent of how this provider handles other resources that are flagged as delete protected, protections are removed during the destroy. (see the set-adobject example from resource_ad_ou below).

Get-ADObject -Properties * -Identity %q", o.DistinguishedName
Set-ADObject -ProtectedFromAccidentalDeletion:$false -Passthru
Remove-ADOrganizationalUnit -confirm:$false

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants