terraform-provider-azuread
`azuread_group_member` - group as a member in a group
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_group_member
Terraform Configuration Files
```hcl
terraform {
  required_version = ">= 1.8.0"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 3.0.1"
    }
  }
}

provider "azuread" {
  tenant_id = "xxxxxx"
}

data "azuread_group" "this" {
  display_name     = "asd"
  security_enabled = true
}

resource "azuread_group_member" "this" {
  group_object_id  = "UUID" # existing group object id
  member_object_id = data.azuread_group.this.id
}
```
Debug Output
Panic Output
```
data.azuread_group.this: Reading...
data.azuread_group.this: Read complete after 1s [id=/groups/UUID]
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: expected "member_object_id" to be a valid UUID, got /groups/UUID
│
│ with azuread_group_member.this,
│ on main.tf line 16, in resource "azuread_group_member" "this":
│ 16: member_object_id = data.azuread_group.this.id
│
╵
```
Expected Behavior
worked before version 3
Actual Behavior
Steps to Reproduce
terraform apply
Important Factoids
References
- #0000
We are also experiencing this issue!
data.azuread_group.this.object_id can be a quick workaround, a number of resources return id in resource_type/UUID now, can either be a bug or expected behavior in 3.*.
@juicybaba yes, thanks, that works but as there is nothing in the migration guide related to this change, I went with reporting it as a bug.
Hi @kaplik, @juicybaba is correct, object_id is the correct attribute to use here. You are correct, this is missing from the upgrade guide - sorry for that omission, I’ll look to add this.
As a guide, where a property ends with *_object_id, you should use the object_id attribute of the corresponding resource. This was a bit inconsistent in 2.x versions but we’ve tried to tidy this up in 3.0
@manicminer
> As a guide, where a property ends with *_object_id, you should use the object_id attribute of the corresponding resource. This was a bit inconsistent in 2.x versions but we’ve tried to tidy this up in 3.0

How about the principal_id issue as in below?
```
-/+ resource "azurerm_role_assignment" "avd_customer_as_application_group_user" {
~ principal_id = "0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" -> "/groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" # forces replacement
...
│ Error: expected "group_object_id" to be a valid UUID, got /groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f
│
│ with module.stack_platform.azuread_group_member.avd_customer["90239023-9023-9023-9023-902390239023"],
│ on ../../../../modules/mloskot/azure/stack-platform/r-avd-users.tf line 78, in resource "azuread_group_member" "avd_customer":
│ 78: group_object_id = azuread_group.avd_customer[each.value.ucid].id
```
which I posted also to
- https://github.com/hashicorp/terraform-provider-azurerm/issues/27536#issuecomment-2382700891
> group_object_id = azuread_group.avd_customer[each.value.ucid].id

Doesn't that still have the azuread_group_example.id in the error you have? Switch that to azuread_group.avd_customer[each.value.ucid].object_id

> Doesn't that still have the azuread_group_example.id in the error you have? Switch that to azuread_group.avd_customer[each.value.ucid].object_id

That is clear to me, as @manicminer already explained that in https://github.com/hashicorp/terraform-provider-azuread/issues/1500#issuecomment-2380014170, but my question in https://github.com/hashicorp/terraform-provider-azuread/issues/1500#issuecomment-2382719333 was about principal_id
```
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request:
StatusCode=400 -- Original Error: autorest/azure: Service returned an error.
Status=400 Code="InvalidPrincipalId"
Message="The Principal ID '/groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f' is not valid. Principal ID must be a GUID."
│
│ with module.stack_platform.azurerm_role_assignment.avd_customer_as_application_group_user["90239023-9023-9023-9023-902390239023"],
│ on ../../../../modules/mloskot/azure/stack-platform/r-avd-applications.tf line 57, in resource "azurerm_role_assignment" "avd_customer_as_application_group_user":
│ 57: resource "azurerm_role_assignment" "avd_customer_as_application_group_user" {
```
Well, I should have referred the source indeed
> How about the principal_id issue as in below?
>
> -/+ resource "azurerm_role_assignment" "avd_customer_as_application_group_user" {
> ~ principal_id = "0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" -> "/groups/0b8f0b8f-0b8f-0b8f-0b8f-0b8f0b8f0b8f" # forces replacement

@mloskot Admittedly that one is less clear, as that resource is in the AzureRM provider, it unfortunately hasn't yet been updated. But you should use the object_id attribute there:
```hcl
resource "azurerm_role_assignment" "example" {
  principal_id = azuread_service_principal.example.object_id
}
```
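
A migration check for the rule discussed in this thread, as an added example that is not part of the issue or of either provider's code: it scans Terraform source for `*_object_id` and `principal_id` arguments fed from an `azuread_*` reference ending in `.id` and suggests the `.object_id` form. The sample configuration is constructed from the snippets in this issue; `each.value.user_object_id` and the resource name `bad` are hypothetical.

```python
import re

# Arguments that must receive a bare object UUID: any *_object_id argument,
# plus principal_id as used by azurerm_role_assignment in this thread.
TARGET_ARG = re.compile(r"^\s*(\w*_object_id|principal_id)\s*=\s*(.+?)\s*(#.*)?$")
# A reference to an azuread resource or data source whose last attribute is ".id"
# (optionally indexed, e.g. azuread_group.x[each.key].id).
AZUREAD_ID_REF = re.compile(r"^((?:data\.)?azuread_\w+\.\w+(?:\[[^\]]*\])?)\.id$")


def find_id_misuse(hcl_text):
    """Return (line_no, argument, suggested_expression) for every assignment
    that passes an azuread '.id' where an object UUID is expected."""
    findings = []
    for line_no, line in enumerate(hcl_text.splitlines(), start=1):
        m = TARGET_ARG.match(line)
        if not m:
            continue
        arg, expr = m.group(1), m.group(2)
        ref = AZUREAD_ID_REF.match(expr)
        if ref:  # in 3.x this value has the form /groups/UUID, not a UUID
            findings.append((line_no, arg, ref.group(1) + ".object_id"))
    return findings


# Constructed sample, modelled on the configurations quoted in this issue.
SAMPLE = '''\
resource "azuread_group_member" "this" {
  group_object_id  = "UUID" # existing group object id
  member_object_id = data.azuread_group.this.id
}
resource "azuread_group_member" "avd_customer" {
  group_object_id  = azuread_group.avd_customer[each.value.ucid].id
  member_object_id = each.value.user_object_id
}
resource "azurerm_role_assignment" "bad" {
  principal_id = azuread_group.avd_customer[each.value.ucid].id
}
resource "azurerm_role_assignment" "example" {
  principal_id = azuread_service_principal.example.object_id
}
'''

if __name__ == "__main__":
    for line_no, arg, fix in find_id_misuse(SAMPLE):
        print(f"line {line_no}: {arg} should be set to {fix}")
```

The check is line-based, so it only sees single-line assignments and direct references; values routed through locals or module outputs need to be traced by hand.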
About time to mention this in the upgrade guide @manicminer?