azuread_group resource fails with "unexpected status 404 with OData error" after it is created

Open nziegler opened this issue 3 years ago • 11 comments

Community Note

  • Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.1.9
Azuread Plugin Version v2.22.0

Affected Resource(s)

  • azuread_2.22.0
  • azuread_group
  • azuread_group_member

Debug Output

```text
Terraform will perform the following actions:

  # azuread_directory_role.this will be created
  + resource "azuread_directory_role" "this" {
      + description  = (known after apply)
      + display_name = "Security administrator"
      + id           = (known after apply)
      + object_id    = (known after apply)
      + template_id  = (known after apply)
    }

  # azuread_group.test_group_for_group_membership will be created
  + resource "azuread_group" "test_group_for_group_membership" {
      + auto_subscribe_new_members     = (known after apply)
      + display_name                   = "Test_group_for_group_membership"
      + external_senders_allowed       = (known after apply)
      + hide_from_address_lists        = (known after apply)
      + hide_from_outlook_clients      = (known after apply)
      + id                             = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = (known after apply)
      + members                        = (known after apply)
      + object_id                      = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_netbios_name        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + owners                         = (known after apply)
      + preferred_language             = (known after apply)
      + prevent_duplicate_names        = false
      + proxy_addresses                = (known after apply)
      + security_enabled               = true
      + visibility                     = (known after apply)
    }

  # azuread_user.group_owner will be created
  + resource "azuread_user" "group_owner" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + business_phones                = (known after apply)
      + creation_type                  = (known after apply)
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "GroupOwner"
      + external_user_state            = (known after apply)
      + force_password_change          = false
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = "example-group-owner"
      + object_id                      = (known after apply)
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + password                       = (sensitive value)
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + user_principal_name            = "[email protected]"
      + user_type                      = (known after apply)
    }

  # azuread_user.test_group_user_1 will be created
  + resource "azuread_user" "test_group_user_1" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + business_phones                = (known after apply)
      + creation_type                  = (known after apply)
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "T. GroupUserOne"
      + external_user_state            = (known after apply)
      + force_password_change          = false
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = "tgroupuserone"
      + object_id                      = (known after apply)
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + password                       = (sensitive value)
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + user_principal_name            = "[email protected]"
      + user_type                      = (known after apply)
    }

  # azuread_user.test_group_user_2 will be created
  + resource "azuread_user" "test_group_user_2" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + business_phones                = (known after apply)
      + creation_type                  = (known after apply)
      + department                     = "Sales"
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "T. GroupUserTwo"
      + external_user_state            = (known after apply)
      + force_password_change          = false
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = "tgroupusertwo"
      + object_id                      = (known after apply)
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + password                       = (sensitive value)
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + user_principal_name            = "[email protected]"
      + user_type                      = (known after apply)
    }

  # random_string.this will be created
  + resource "random_string" "this" {
      + id          = (known after apply)
      + length      = 3
      + lower       = true
      + min_lower   = 3
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + result      = (known after apply)
      + special     = false
      + upper       = true
    }

  # module.azuread_directory_role.azuread_directory_role.this["role1"] will be created
  + resource "azuread_directory_role" "this" {
      + description  = (known after apply)
      + display_name = (known after apply)
      + id           = (known after apply)
      + object_id    = (known after apply)
      + template_id  = "194ae4cb-b126-40b2-bd5b-6091b380977d"
    }

  # module.azuread_directory_role.azuread_directory_role.this["role2"] will be created
  + resource "azuread_directory_role" "this" {
      + description  = (known after apply)
      + display_name = "Printer administrator"
      + id           = (known after apply)
      + object_id    = (known after apply)
      + template_id  = (known after apply)
    }

  # module.azuread_directory_role_members.azuread_directory_role_member.this["directory_role_member1"] will be created
  + resource "azuread_directory_role_member" "this" {
      + id               = (known after apply)
      + member_object_id = (known after apply)
      + role_object_id   = (known after apply)
    }

  # module.azuread_group.azuread_group.this["group1"] will be created
  + resource "azuread_group" "this" {
      + assignable_to_role             = true
      + auto_subscribe_new_members     = (known after apply)
      + behaviors                      = [
          + "AllowOnlyMembersToPost",
        ]
      + description                    = "Microsoft 365 group"
      + display_name                   = "TestGroup1Microsoft365"
      + external_senders_allowed       = (known after apply)
      + hide_from_address_lists        = (known after apply)
      + hide_from_outlook_clients      = (known after apply)
      + id                             = (known after apply)
      + mail                           = (known after apply)
      + mail_enabled                   = true
      + mail_nickname                  = "NicknameTestGroup1Microsoft365"
      + members                        = (known after apply)
      + object_id                      = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_netbios_name        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + owners                         = (known after apply)
      + preferred_language             = (known after apply)
      + prevent_duplicate_names        = true
      + provisioning_options           = [
          + "Team",
        ]
      + proxy_addresses                = (known after apply)
      + security_enabled               = true
      + theme                          = "Blue"
      + types                          = [
          + "Unified",
        ]
      + visibility                     = "Private"
    }

  # module.azuread_group_member.azuread_group_member.this["group_member1"] will be created
  + resource "azuread_group_member" "this" {
      + group_object_id  = (known after apply)
      + id               = (known after apply)
      + member_object_id = (known after apply)
    }

  # module.azuread_users.azuread_user.this["user1"] will be created
  + resource "azuread_user" "this" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + age_group                      = "Adult"
      + business_phones                = [
          + "123123123",
        ]
      + city                           = "TestCity"
      + company_name                   = "TestCompany"
      + consent_provided_for_minor     = "NotRequired"
      + cost_center                    = "123456"
      + country                        = "TestCountry"
      + creation_type                  = (known after apply)
      + department                     = "TestDepartment"
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "TestUser1"
      + division                       = "TestDivision"
      + employee_id                    = "1234567890"
      + employee_type                  = "Employee"
      + external_user_state            = (known after apply)
      + fax_number                     = "8889999000"
      + force_password_change          = false
      + given_name                     = "TestGivenName"
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + job_title                      = "TestJobTitle"
      + mail                           = "[email protected]"
      + mail_nickname                  = "testuser1"
      + mobile_phone                   = "999888777"
      + object_id                      = (known after apply)
      + office_location                = "TestLocation"
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + other_mails                    = [
          + "[email protected]",
        ]
      + password                       = (sensitive value)
      + postal_code                    = "12345"
      + preferred_language             = "en"
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + state                          = "TestState"
      + street_address                 = "TestAddress"
      + surname                        = "TestSurname"
      + usage_location                 = "DE"
      + user_principal_name            = "[email protected]"
      + user_type                      = (known after apply)
    }

Plan: 12 to add, 0 to change, 0 to destroy.
```

Panic Output

Expected Behavior

Actual Behavior

```text
╷
│ Error: Could not retrieve group with object UID "6ecd7032-d911-4727-8ba0-db26d1299329"
│
│   with module.azuread_group.azuread_group.this["group1"],
│   on ....\main.tf line 60, in resource "azuread_group" "this":
│   60: resource "azuread_group" "this" {
│
│ retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group
│ '6ecd7032-d911-4727-8ba0-db26d1299329@9ab78acf-ebb8-4aa4-ac94-f43b0118b3ae' is invalid.
```

Steps to Reproduce

terraform apply

Important Factoids

The groups and the users are successfully created, but every refresh after the initial create fails. So it fails during the first apply, then a repeated apply. Terraform refresh or destroy will fail with the same error.

The same error is shown on AzureAD provider version 2.19 (this was an attempt to update a module to 2.22).

References

nziegler avatar May 05 '22 08:05 nziegler

Debug.log

nziegler avatar May 05 '22 08:05 nziegler

Hi @nziegler, thanks for reporting this and for attaching a log. This is an API inconsistency error which we might be able to work around, but I will have to experiment a little. If you can provide any additional context, the following would be really useful:

  • On which OS/platform are you running Terraform? If virtualized, what is the host OS?
  • How many groups are you creating in a single apply operation that fails with this error (to the nearest order of magnitude)?
  • Did Terraform create a lot of other resources prior to attempting to create the [failed] group?

Thanks!

manicminer avatar Jun 01 '22 16:06 manicminer
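The "API inconsistency" workaround mentioned above amounts to retrying the read that follows a create, but only for the specific transient signature seen in this thread (HTTP 404 with OData code ErrorInvalidGroup) and only for a bounded number of attempts. The following is an added example written for this page, not the provider's own code: `ODataError`, `isReplicationLag`, `getAfterCreate` and `fakeDirectory` are names chosen here, and the directory is simulated in-process using the object and tenant IDs from the report.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ODataError mirrors the failure shape in this thread: an HTTP status plus an
// OData error code. Constructed for this example; not the provider's own type.
type ODataError struct {
	Status int
	Code   string
	Msg    string
}

func (e *ODataError) Error() string {
	return fmt.Sprintf("unexpected status %d with OData error: %s: %s", e.Status, e.Code, e.Msg)
}

// isReplicationLag is true only for the transient "created but not yet readable"
// signature: 404 + ErrorInvalidGroup. Everything else is treated as permanent.
func isReplicationLag(err error) bool {
	var oe *ODataError
	return errors.As(err, &oe) && oe.Status == 404 && oe.Code == "ErrorInvalidGroup"
}

// getAfterCreate retries get until it succeeds, hits a permanent error, or the
// attempt budget is spent. The budget is deliberate: an object that really was
// removed between create and read must surface as an error, not stall the apply.
func getAfterCreate(get func() (map[string]string, error), attempts int, wait time.Duration) (map[string]string, error) {
	var last error
	for i := 0; i < attempts; i++ {
		g, err := get()
		if err == nil {
			return g, nil
		}
		if !isReplicationLag(err) {
			return nil, err
		}
		last = err
		time.Sleep(wait)
	}
	return nil, fmt.Errorf("giving up after %d attempts: %w", attempts, last)
}

// fakeDirectory answers the first n reads after a create with 404
// ErrorInvalidGroup and then serves the group (constructed stand-in for Graph).
func fakeDirectory(objectID, tenantID string, n int) func() (map[string]string, error) {
	calls := 0
	return func() (map[string]string, error) {
		calls++
		if calls <= n {
			msg := fmt.Sprintf("The requested group '%s@%s' is invalid.", objectID, tenantID)
			return nil, &ODataError{Status: 404, Code: "ErrorInvalidGroup", Msg: msg}
		}
		return map[string]string{"id": objectID, "displayName": "TestGroup1Microsoft365"}, nil
	}
}

func main() {
	get := fakeDirectory("6ecd7032-d911-4727-8ba0-db26d1299329", "9ab78acf-ebb8-4aa4-ac94-f43b0118b3ae", 2)
	fmt.Println(getAfterCreate(get, 5, 10*time.Millisecond))
}
```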

I am running the commands on a Windows 10 virtual machine and sometimes plain Windows 10. My colleague runs it on a Mac with the same error.

We are using a test scenario to try out our identity objects module where we create 4 different groups (Security group, O365 unified group, with or without dynamic membership). But for testing purposes, I reduced it to 1 group and it still fails.

Prior to the groups I create three users (two members and one owner) used for testing group membership. As mentioned, all the resources get created successfully and the GUID that the error shows as supposedly invalid matches the group GUID in Azure AD.

nziegler avatar Jun 02 '22 07:06 nziegler

I can duplicate this same issue, creating one group on Ubuntu.

Terraform v1.2.2 on linux_amd64

  • provider registry.terraform.io/hashicorp/azuread v2.23.0

trinka-battelle avatar Jun 14 '22 19:06 trinka-battelle

@trinka-battelle Please provide a debug log whilst reproducing as this is necessary to see the complete sequence of events/errors, thanks!

@nziegler I noticed in your debug.log that the tenant ID seems to be omitted. At first I thought this was redacted but we recently fixed a bug that could cause a missing tenant ID in API requests - could you please try to reproduce this with v2.24.0 and advise if you're still getting the ErrorInvalidGroup error? Thanks!

manicminer avatar Jun 20 '22 22:06 manicminer

> @nziegler I noticed in your debug.log that the tenant ID seems to be omitted. At first I thought this was redacted but we recently fixed a bug that could cause a missing tenant ID in API requests - could you please try to reproduce this with v2.24.0 and advise if you're still getting the ErrorInvalidGroup error? Thanks!

I will try to reproduce.

wernerfred avatar Jul 13 '22 12:07 wernerfred

Applying the example from above with provider version 2.25 passes without errors (apart from deprecation warnings). Seems like the fix @manicminer mentioned did the trick!

wernerfred avatar Jul 13 '22 13:07 wernerfred

Seems it's not been fixed yet; I'm still getting the same error while creating a group of type Unified. The behavior is also the same as you mentioned earlier: the group gets created in the portal, but Terraform throws this error message:

```text
Error: Could not retrieve group with object UID "4531a726-efe9-45dd-adac-de4a82a23650" retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group '4531a726-efe9-45dd-adac-de4a82a23650@4a1faaae-19b8-4549-af5d-c9852b29f166' is invalid.
```

Code that I am running:

```hcl
azuread_group = {
  group-test01 = {
    DataSource = {
      members = {
        group_display_names  = []
        sp_display_names     = []
        user_principal_names = []
      }
      owners = {
        sp_display_names     = ["app-test01"]
        user_principal_names = []
      }
    }
    assignable_to_role         = false
    auto_subscribe_new_members = false
    behaviors                  = ["WelcomeEmailDisabled", "HideGroupInOutlook"]
    description                = "This is a group of type Unified type"
    display_name               = "group-test01"
    external_senders_allowed   = false
    hide_from_address_lists    = false
    hide_from_outlook_clients  = false
    mail_enabled               = true
    mail_nickname              = "grouptest01_mail1"
    prevent_duplicate_names    = true
    provisioning_options       = ["Team"]
    security_enabled           = true
    theme                      = "Orange"
    types                      = ["Unified"]
    visibility                 = "Private"
  }
}
```

I have checked it with Terraform provider versions 2.20.0 to 2.26.1 (current latest) and Terraform version 1.0.0.

Please let me know what I am doing wrong here.

MayuriD89 avatar Jul 25 '22 13:07 MayuriD89

May I know which authentication method you are using to execute this resource?

MayuriD89 avatar Aug 01 '22 04:08 MayuriD89

az login with user credentials. No SP.

Sorry I haven't had time to test again but it is on the list ;)

wernerfred avatar Aug 01 '22 09:08 wernerfred

It's okay @wernerfred. And the user you are authenticating with must be a 'Member' type user, right? Not a guest. Actually I was authenticating with an SP, but then I tried with a 'Member' user and the group gets created successfully; if I use an SP in owners, it again gives me the same kind of error. In the Terraform documentation too it is not clearly mentioned for 'Unified' groups.

NOTE: The error comes only for the 'Unified' type of group; a 'Dynamic' membership group gets created successfully.

```hcl
group-test01 = {
  DataSource = {
    members = {
      user_principal_names = ["xyz.com#EXT#@pcz1215pcsacore.onmicrosoft.com"]
    }
    owners = {
      // sp_display_names     = ["app-test01","sp-test01"]
      user_principal_names = ["[email protected]"]
    }
  }
  auto_subscribe_new_members = false
  description                = "365 group"
  behaviors                  = ["WelcomeEmailDisabled", "HideGroupInOutlook"]
  display_name               = "group-test01"
  hide_from_address_lists    = false
  hide_from_outlook_clients  = false
  mail_enabled               = true
  mail_nickname              = "grouptest01_mail"
  theme                      = "Orange"
  types                      = ["Unified"]
}
```

Also, whenever you test, please try to create it without a description and with an SP specified in the owners block.

MayuriD89 avatar Aug 01 '22 09:08 MayuriD89

Hi, same issue. Group is created, consecutive plan/apply/destroy execution fails with:

```text
│ retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group
│ '5b2dd0c8-7798-47b8-924e-b93ed1ced3a3@b092c121-4bf9-4608-830c-cdca1cedfa36' is invalid.
```

terraform version = 1.3.3
azuread version = 2.29.0
authentication = service principal client/secret, full access (admin)
subscription = Free Tier

dummy example:

```hcl
resource "azuread_group" "group002" {
  display_name  = "TestGroup002"
  description   = "TestGroup002 description"

  mail_enabled  = true
  mail_nickname = "TestGroup002"
  types         = ["Unified"]
}
```

tkostyrka avatar Oct 25 '22 21:10 tkostyrka