terraform-provider-ad
refreshing state is failing on ad_group_membership (groups named with '_')
Terraform Version and Provider Version
1.2.5
Affected Resource(s)
ad_group_membership
Terraform Configuration Files
provider "ad" {
  winrm_hostname         = var.winrm_hostname
  winrm_username         = var.winrm_username
  winrm_password         = var.winrm_password
  winrm_use_ntlm         = true
  winrm_port             = 5986
  winrm_proto            = "https"
  domain_controller      = "servrDC"
  winrm_pass_credentials = true
}

resource "ad_ou" "ou" {
  name      = "OneOU"
  path      = "DC=mydc"
  protected = false
}

# Two groups whose names contain an underscore.
resource "ad_group" "g" {
  for_each         = toset(["foo_bar", "foo_baz"])
  name             = each.value
  sam_account_name = each.value
  container        = ad_ou.ou.dn
  scope            = "global"
  category         = "security"
  depends_on = [
    ad_ou.ou
  ]
}

# Membership is keyed by the group name, which is what ends up in the resource ID.
resource "ad_group_membership" "gm" {
  for_each = {
    "foo" = {
      name  = "foo_bar"
      users = ["userA"]
    },
    "bar" = {
      name  = "foo_baz"
      users = ["userA"]
    }
  }
  group_id      = each.value.name
  group_members = each.value.users
  depends_on = [
    ad_group.g
  ]
}
Debug Output
https://gist.github.com/insoIite/40f63a2f3b30b0035b2af52ba4e1a1b9
Panic Output
Expected Behavior
Terraform plan should be working
Actual Behavior
ad_ou.ou: Refreshing state... [id=66d4498f-fcb0-4858-b277-3ad41a3d1349]
ad_group.g["foo_bar"]: Refreshing state... [id=7886cad7-18ac-4805-a1ea-87db890610fd]
ad_group.g["foo_baz"]: Refreshing state... [id=0c99b6b6-f2e9-4b43-91fb-c7673d037219]
ad_group_membership.gm["bar"]: Refreshing state... [id=foo_baz_59f3d36a-9b1d-73b1-1cc9-586d680a946b]
ad_group_membership.gm["foo"]: Refreshing state... [id=foo_bar_447ec7bb-f1d4-898b-b529-e91260814de5]
╷
│ Error: command Get-ADGroupMember exited with a non-zero exit code(1), stderr: Get-ADGroupMember : Cannot find an object with identity: 'foo' under: 'DC=MYDC'.At line:4 char:2
│ Get-ADGroupMember -Identity "foo" -Credential $Credential -Server s6 ...
│ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
│ CategoryInfo : ObjectNotFound: (foo:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
│ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember, stdout:
│
│ with ad_group_membership.gm["foo"],
│ on main.tf line 31, in resource "ad_group_membership" "gm":
│ 31: resource "ad_group_membership" "gm" {
│
╵
╷
│ Error: command Get-ADGroupMember exited with a non-zero exit code(1), stderr: Get-ADGroupMember : Cannot find an object with identity: 'foo' under: 'DC=DC'.At line:4 char:2
│ Get-ADGroupMember -Identity "foo" -Credential $Credential -Server s6 ...
│ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
│ CategoryInfo : ObjectNotFound: (foo:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
│ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember, stdout:
│
│ with ad_group_membership.gm["bar"],
│ on main.tf line 31, in resource "ad_group_membership" "gm":
│ 31: resource "ad_group_membership" "gm" {
The PowerShell command is trying to find the AD group foo instead of foo_bar and foo_baz.
Therefore it fails because the foo AD group does not exist...
The bug seems to be related to groups named with '_' in them. In the case of '-', no error whatsoever!
What's very weird is that terraform destroy works correctly (with cached states).
Steps to Reproduce
- terraform plan
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
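The refresh output above shows the membership IDs are stored as "<group>_<guid>" (for example foo_baz_59f3d36a-9b1d-73b1-1cc9-586d680a946b), and the cmdlet is then run against "foo". That is exactly what a split on the first underscore produces when the group name itself contains "_", and why a "-" in the name does not trigger it. The Go program below is an added illustration, not code from terraform-provider-ad: naiveGroupFromID models that suspected parsing (an assumption about the root cause), and parseMembershipID shows the robust alternative of anchoring on the GUID suffix from the right. The sample IDs are constructed from the issue's output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// naiveGroupFromID models the suspected bug: everything before the first
// "_" is taken as the group name. This is an assumption about the root
// cause, not the provider's actual code.
func naiveGroupFromID(id string) string {
	return strings.Split(id, "_")[0]
}

// guidSuffix anchors on the trailing GUID (8-4-4-4-12 hex groups), so any
// number of "_" or "-" characters in the group name is tolerated.
var guidSuffix = regexp.MustCompile(
	`^(.+)_([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$`)

// parseMembershipID splits "<group>_<guid>" from the right and returns an
// error for IDs that do not end in a GUID rather than guessing a name.
func parseMembershipID(id string) (group, guid string, err error) {
	m := guidSuffix.FindStringSubmatch(id)
	if m == nil {
		return "", "", fmt.Errorf("membership id %q does not match <group>_<guid>", id)
	}
	return m[1], m[2], nil
}

func main() {
	// Constructed sample IDs modelled on the issue's refresh output.
	ids := []string{
		"foo_bar_447ec7bb-f1d4-898b-b529-e91260814de5", // "_" in name: naive parse yields "foo"
		"foo_baz_59f3d36a-9b1d-73b1-1cc9-586d680a946b",
		"foo-baz_59f3d36a-9b1d-73b1-1cc9-586d680a946b", // "-" in name: naive parse happens to work
		"not-a-membership-id",                          // no GUID suffix: rejected
	}
	for _, id := range ids {
		group, guid, err := parseMembershipID(id)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-46s naive=%-8s parsed=%-8s guid=%s\n",
			id, naiveGroupFromID(id), group, guid)
	}
}
```

Whichever delimiter a provider chooses for composite IDs, the part that can contain user-controlled characters (here the group name) should never be the part that is split on; parsing from the fixed-format end, or using a delimiter that cannot appear in an AD group name, avoids this class of refresh failure.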
I'm running into this as well, without realising it was because of the _. Any help on this would be great.