terraform-provider-ad
ad_group_membership only allows replacing all members
When using the ad_group_membership resource, I always have to provide the full list of members. This is because the resource replaces the current group members with the ones provided in input.
This is complex to handle if an AD group is shared between multiple Terraform automations, with each automation interested in adding its own users to the group.
I would like to add a resource named ad_group_member that allows adding a single member to an AD group. The member is just added as an additional member, without replacing the ones already in the group. If the resource is destroyed, the user is removed from the group membership, but only this user is removed.
If you think this feature is useful, I can contribute a pull request that implements it.
I just submitted a pull request for this. Please let me know if this change is ok and if the code requires any improvements.
We faced a similar problem: when adding users by sAMAccountName, the resource "ad_group_membership" recognizes the existing users by GUID and tries to delete the users identified by GUID and add the same users by sAMAccountName:
# module.ns["keycloak"].ad_group_membership.ns will be updated in-place
~ resource "ad_group_membership" "ns" {
~ group_members = [
- "2fb9f8bf-277b-41a3-8680-efe8d11001f4",
- "677119e8-e166-4755-916f-f9b6b117da55",
- "925c2480-562a-4ff5-8ed1-8cf13e5a651b",
+ "username1",
+ "iusername2",
+ "username3",
]
id = "20ee4193-8a12-4aa1-959d-c0bd0440bbd2_ebf9c0de-6352-b8d3-e58a-f05e02e2c12c"
# (1 unchanged attribute hidden)
This PR https://github.com/hashicorp/terraform-provider-ad/pull/135 would help us with our infrastructure
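The churn in the plan above comes from comparing member identifiers as opaque strings: GUIDs in state, sAMAccountNames in config. The following Go sketch is an added illustration, not code from the provider or from PR 135. It resolves both sides to objectGUIDs before diffing, so the same account referenced two ways is seen as unchanged. The directory map is constructed from the GUIDs in the plan with placeholder names, and resolveGUID stands in for a real AD lookup.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed directory snapshot standing in for what a lookup against AD
// (objectGUID <-> sAMAccountName) would return. The GUIDs are taken from the
// plan output above; the names are placeholders, not real accounts.
var directory = map[string]string{
	"2fb9f8bf-277b-41a3-8680-efe8d11001f4": "username1",
	"677119e8-e166-4755-916f-f9b6b117da55": "username2",
	"925c2480-562a-4ff5-8ed1-8cf13e5a651b": "username3",
}

// MemberDiff is what an apply would do: members to add and members to remove.
type MemberDiff struct {
	Add    []string
	Remove []string
}

// resolveGUID accepts either an objectGUID or a sAMAccountName and returns the
// canonical lower-case GUID. Both forms are compared case-insensitively, as AD does.
func resolveGUID(id string) (string, error) {
	want := strings.ToLower(strings.TrimSpace(id))
	for guid, sam := range directory {
		if want == strings.ToLower(guid) || want == strings.ToLower(sam) {
			return strings.ToLower(guid), nil
		}
	}
	return "", fmt.Errorf("member %q not found in directory", id)
}

// setDiff returns (config - state) as Add and (state - config) as Remove, sorted.
func setDiff(state, config []string) MemberDiff {
	inState := make(map[string]bool, len(state))
	for _, s := range state {
		inState[s] = true
	}
	inConfig := make(map[string]bool, len(config))
	for _, c := range config {
		inConfig[c] = true
	}
	var d MemberDiff
	for c := range inConfig {
		if !inState[c] {
			d.Add = append(d.Add, c)
		}
	}
	for s := range inState {
		if !inConfig[s] {
			d.Remove = append(d.Remove, s)
		}
	}
	sort.Strings(d.Add)
	sort.Strings(d.Remove)
	return d
}

// naiveDiff compares the identifiers as opaque strings. With GUIDs in state and
// sAMAccountNames in config it reports every member as both removed and added,
// which is exactly the churn shown in the plan above.
func naiveDiff(state, config []string) MemberDiff {
	return setDiff(state, config)
}

// normalizedDiff resolves both sides to objectGUIDs before comparing. An
// identifier that cannot be resolved is an error rather than a silent removal.
func normalizedDiff(state, config []string) (MemberDiff, error) {
	normalize := func(ids []string) ([]string, error) {
		out := make([]string, 0, len(ids))
		for _, id := range ids {
			g, err := resolveGUID(id)
			if err != nil {
				return nil, err
			}
			out = append(out, g)
		}
		return out, nil
	}
	s, err := normalize(state)
	if err != nil {
		return MemberDiff{}, err
	}
	c, err := normalize(config)
	if err != nil {
		return MemberDiff{}, err
	}
	return setDiff(s, c), nil
}

func main() {
	state := []string{
		"2fb9f8bf-277b-41a3-8680-efe8d11001f4",
		"677119e8-e166-4755-916f-f9b6b117da55",
		"925c2480-562a-4ff5-8ed1-8cf13e5a651b",
	}
	config := []string{"username1", "username2", "username3"}
	fmt.Printf("naive:      %+v\n", naiveDiff(state, config))
	d, err := normalizedDiff(state, config)
	fmt.Printf("normalized: %+v err=%v\n", d, err)
}
```

Resolving to GUIDs also makes a real removal visible as one removal rather than as a full replace, which is what the per-member semantics asked for in this issue need.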
@hAh0L13 see #94 - that's the issue you're describing.
This would be helpful for me as well. I use this provider to manage AD users and groups for use with AWS SSO. I have a module against our payer account and against AWS Orgs member accounts to add all groups to a parent group for SCIM provisioning filtering. I need to manage group membership in a common AD group from multiple workspaces/accounts without each account stepping on other accounts.
I tested this provider and the new resource type ad_group_member works as expected. I was able to easily convert my existing resources of type ad_group_membership to ad_group_member with the desired end result of the various workspaces not conflicting with one another.
This has been working for me for the last 6 weeks. Any chance this can be merged into the provider?
@koikonom any chance we could add this resource? The replace-all behaviour is a real pain to work around, as I have to pass members around in vars so that I only have one place where I define membership.
I also have this issue when managing too many users, which results in a "The command line is too long." error. I chunked the user IDs into smaller parts. This works on the first run but breaks on the second run, because when it refreshes the state it tries to remove users from the group. Because it tries to remove all users at once, the "The command line is too long." error occurs as well.
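The chunking described in this comment only covers the add path; the removal on the second run is still issued as one command. The Go sketch below is an added example, not the provider's code. It assumes the provider renders one Add-ADGroupMember or Remove-ADGroupMember command per apply and that the error is the Windows 8191-character command-line limit (both are this example's assumptions, not facts stated in the thread), and it batches either direction so that no single command exceeds the limit. The member GUIDs are synthetic.

```go
package main

import (
	"fmt"
	"strings"
)

// Windows refuses to run a command line longer than this; 8191 characters is the
// documented cmd.exe limit. Treating it as the source of the provider's
// "The command line is too long." error is an assumption of this example.
const maxCommandLen = 8191

// quoteAll wraps each identifier in PowerShell single quotes, doubling any
// embedded single quote (the literal-string escape), so a name cannot break
// out of its own argument.
func quoteAll(ids []string) []string {
	out := make([]string, len(ids))
	for i, id := range ids {
		out[i] = "'" + strings.ReplaceAll(id, "'", "''") + "'"
	}
	return out
}

// buildCommands renders verb (Add-ADGroupMember or Remove-ADGroupMember)
// invocations for members, splitting them into as many commands as needed so
// that no single rendered command is longer than limit. The cmdlet names and
// parameters are real; that the provider builds one such command per apply is
// this example's assumption.
func buildCommands(verb, groupGUID string, members []string, limit int) ([]string, error) {
	prefix := fmt.Sprintf("%s -Identity '%s' -Members ", verb, groupGUID)
	render := func(b []string) string { return prefix + strings.Join(quoteAll(b), ",") }

	var cmds []string
	var batch []string
	for _, m := range members {
		if len(render([]string{m})) > limit {
			return nil, fmt.Errorf("member %q alone exceeds the %d-character limit", m, limit)
		}
		// batch[:len:len] forces append to copy, so the probe does not alias batch.
		if len(batch) > 0 && len(render(append(batch[:len(batch):len(batch)], m))) > limit {
			cmds = append(cmds, render(batch))
			batch = nil
		}
		batch = append(batch, m)
	}
	if len(batch) > 0 {
		cmds = append(cmds, render(batch))
	}
	return cmds, nil
}

// syntheticMembers returns n GUID-shaped identifiers. Constructed test data,
// not real directory objects.
func syntheticMembers(n int) []string {
	out := make([]string, n)
	for i := range out {
		out[i] = fmt.Sprintf("%08x-0000-4000-8000-%012x", i, i)
	}
	return out
}

func main() {
	group := "20ee4193-8a12-4aa1-959d-c0bd0440bbd2" // group GUID from the plan above
	members := syntheticMembers(500)

	// Second-run scenario from the comment: every member removed in one command.
	single, _ := buildCommands("Remove-ADGroupMember", group, members, 1<<20)
	fmt.Printf("unchunked removal: 1 command, %d chars (limit %d)\n", len(single[0]), maxCommandLen)

	// Same removal batched under the limit.
	cmds, err := buildCommands("Remove-ADGroupMember", group, members, maxCommandLen)
	if err != nil {
		panic(err)
	}
	fmt.Printf("chunked removal:   %d commands\n", len(cmds))
	for i, c := range cmds {
		fmt.Printf("  [%d] %d chars\n", i, len(c))
	}
}
```

Batching on the provider side, rather than in the configuration, is what makes the refresh-and-remove path safe: the caller never sees one oversized command regardless of how many members the state holds.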
How long is too long? I'm just about to start using TF to manage some AD groups; is it 100+ members, or much smaller numbers, before it hits the length limits?