azuread_group creation #212

Closed
jnehlt opened this issue Jan 28, 2020 · 2 comments · Fixed by #211
Comments

@jnehlt
Contributor

jnehlt commented Jan 28, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

If you create a new AD group, you cannot add your user object_id to the list of the group owners.
In the new version of Terraform you do not need to add yourself as owner during the group update, and the results are:

  • no exception is thrown
  • you can delete yourself from an existing AD group.
    This causes a new issue.
    Short story:
  1. You create a new AD group. You pass the owner list to the azuread_group module without your user object_id (otherwise it will fail).
  2. You decide to update this group by adding/removing some members/owners.
  3. You forget to add yourself to the owner list.
  4. That leads to a situation where you get an Authorization_RequestDenied exception (because you're not in the owner list).

The problem is the inconsistency of the input data: you have to change it during the update.
If you are able to include yourself in the owner list during group creation, you won't have to change the input data.

Another thing: if you add yourself to the list of owners during group creation, Terraform will throw an exception, but the group will be created anyway -> no state will be generated.

New or Affected Resource(s)

  • azuread v0.7.0

Potential Terraform Configuration

```hcl
resource "azuread_group" "new_group" {
  name    = var.azuread_group_name
  members = var.azuread_group_members
  owners  = var.azuread_group_owners
}

variable "azuread_group_name" {
  type        = string
  description = "AD group name"
  default     = "SinglePointOfFailure"
}

variable "azuread_group_owners" {
  type        = list(string)
  description = "List of the users to assign ownership of the newly created AD group. Supported object types are Users or Service Principals. If empty, only the user that creates this group will be granted ownership."
  default = [
    "00000000-0000-0000-0000-000000000001"
  ]
}

variable "azuread_group_members" {
  type        = list(string)
  description = "List of group members"
  default = [
    "00000000-0000-0000-0000-000000000000", # YOU
    "00000000-0000-0000-0000-000000000001"
  ]
}
```

References

I've made a pull request from a fork. I believe that will help you make eventual changes.
This PR is only a proposition. If it breaks backward compatibility or might cause some security issues, please correct me.
Here's the link: PR_URL

Greetings!
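The failure mode in the issue above comes from treating the owner list as a blind sequence of "add" calls instead of diffing it against what the directory already holds. The following Go program is an added illustration, not code from the azuread provider or from the issue author; it uses an in-memory stand-in for Azure AD (an assumption, not a Graph client) that enforces the three behaviours the issue describes: the creating principal becomes an owner automatically, re-adding an existing owner fails, and only a current owner may change the owner list. `CreateNaive` reproduces the pre-fix symptom (group created, then an error, so no state), `ReconcileOwners` shows the diff-based alternative that tolerates the caller in the list, and `DropsCaller` is the plan-time check a practitioner would want before applying an update that locks the caller out.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Error values modelled on the two failures in the issue (constructed for this example).
var (
	ErrAlreadyOwner  = errors.New("owner already present on the group")
	ErrRequestDenied = errors.New("Authorization_RequestDenied")
)

// Directory is an in-memory stand-in for Azure AD: group name -> set of owner object IDs.
type Directory struct{ owners map[string]map[string]bool }

func NewDirectory() *Directory { return &Directory{owners: map[string]map[string]bool{}} }

// CreateGroup creates the group; the caller is added as the first owner automatically.
func (d *Directory) CreateGroup(caller, group string) {
	d.owners[group] = map[string]bool{caller: true}
}

// Owners returns the current owner IDs, sorted so results compare deterministically.
func (d *Directory) Owners(group string) []string {
	ids := make([]string, 0, len(d.owners[group]))
	for id := range d.owners[group] {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// AddOwner fails for non-owners and for duplicates, as the issue reports.
func (d *Directory) AddOwner(caller, group, id string) error {
	if !d.owners[group][caller] {
		return ErrRequestDenied
	}
	if d.owners[group][id] {
		return ErrAlreadyOwner
	}
	d.owners[group][id] = true
	return nil
}

// RemoveOwner lets any current owner remove anyone, including themselves.
func (d *Directory) RemoveOwner(caller, group, id string) error {
	if !d.owners[group][caller] {
		return ErrRequestDenied
	}
	delete(d.owners[group], id)
	return nil
}

// CreateNaive adds every desired owner blindly: a list containing the caller
// hits the duplicate error after the group already exists (orphaned group, no state).
func CreateNaive(d *Directory, caller, group string, desired []string) error {
	d.CreateGroup(caller, group)
	for _, id := range desired {
		if err := d.AddOwner(caller, group, id); err != nil {
			return err
		}
	}
	return nil
}

// ReconcileOwners diffs desired against actual: add only what is missing, then
// remove only what is extra. Additions go first so a self-removal is the last step.
func ReconcileOwners(d *Directory, caller, group string, desired []string) error {
	want := make(map[string]bool, len(desired))
	for _, id := range desired {
		want[id] = true
	}
	for id := range want {
		if !d.owners[group][id] {
			if err := d.AddOwner(caller, group, id); err != nil {
				return err
			}
		}
	}
	for _, id := range d.Owners(group) {
		if !want[id] {
			if err := d.RemoveOwner(caller, group, id); err != nil {
				return err
			}
		}
	}
	return nil
}

// CreateReconciled is the create path with the same diff, so the caller may appear in the list.
func CreateReconciled(d *Directory, caller, group string, desired []string) error {
	d.CreateGroup(caller, group)
	return ReconcileOwners(d, caller, group, desired)
}

// DropsCaller reports whether applying desired would remove the caller's ownership
// (steps 2 to 4 of the issue): a cheap check worth running before any apply.
func DropsCaller(caller string, desired []string) bool {
	for _, id := range desired {
		if id == caller {
			return false
		}
	}
	return true
}

func main() {
	const me, other = "00000000-0000-0000-0000-000000000000", "00000000-0000-0000-0000-000000000001"
	d := NewDirectory()
	fmt.Println("naive create, self in owners:     ", CreateNaive(d, me, "g1", []string{me, other}))
	fmt.Println("reconciled create, self in owners:", CreateReconciled(d, me, "g2", []string{me, other}), d.Owners("g2"))
	fmt.Println("update would drop caller?         ", DropsCaller(me, []string{other}))
	fmt.Println("update without self:              ", ReconcileOwners(d, me, "g2", []string{other}))
	fmt.Println("next update by former owner:      ", ReconcileOwners(d, me, "g2", []string{me, other}))
}
```

The last two lines of `main` are the lock-out: the update that omits the caller succeeds silently, and every later change by that caller is refused with Authorization_RequestDenied. Keeping the caller in the desired list (or failing the plan when `DropsCaller` is true) avoids having to edit the input data between create and update.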

@katbyte katbyte added this to the v0.8.0 milestone Mar 11, 2020
katbyte pushed a commit that referenced this issue Mar 11, 2020
Fixed func resourceGroupCreate. From now on you can pass your object_id to the owner list

(fixes #212)
@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost

ghost commented May 14, 2020

This has been released in version 0.8.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

```hcl
provider "azuread" {
    version = "~> 0.8.0"
}
# ... other configuration ...
```
