terraform-provider-azuread

azuread_group_member Provider produced inconsistent result after apply

Open daniel-anova opened this issue 2 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.1.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.22.0

Affected Resource(s)

  • azuread_group_member

Terraform Configuration Files


data "azuread_client_config" "current" {}

variable "groups" {
  type = list(string)
  default = [ "1", "2" ]
}

resource "azuread_group" "groups" {
  for_each = toset(var.groups)

  display_name            = "azuread-bug-example-group-${each.value}"
  description             = "group to demo a bug"
  security_enabled        = true
  prevent_duplicate_names = true
  owners = [
    data.azuread_client_config.current.object_id,
  ]
}

variable "members" {
  type = list(string)
  default = [
    # at least 10 user UUIDs
  ]
}

locals {
  group_members = merge([
    for g in var.groups : {
      for id in distinct(var.members) : lower("${g}_${id}") => {
        group_id = azuread_group.groups[g].id
        object_id = id
      }
    }
  ]...)
}

output "members" {
  value = local.group_members
}

resource "azuread_group_member" "members" {
  for_each         = local.group_members
  group_object_id  = each.value.group_id
  member_object_id = each.value.object_id
}

Debug Output

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to azuread_group_member.members["2_<redacted>"], provider
│ "provider[\"registry.terraform.io/hashicorp/azuread\"]" produced an unexpected new value: Root resource was
│ present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Panic Output

N/A

Expected Behavior

azuread should be able to apply with no errors.

Actual Behavior

When adding users to multiple groups, the azuread provider will fail with an inconsistent state error when trying to create a large number of azuread_group_member resources.

Steps to Reproduce

  1. terraform apply

References

  • #763

daniel-anova, May 10 '22 08:05

Hi @daniel-anova, thanks for reporting this error. How many group members are you adding and to how many groups? Were the groups created as part of the same apply operation, or did they exist beforehand? Thanks!

manicminer, Jun 01 '22 16:06

> Hi @daniel-anova, thanks for reporting this error. How many group members are you adding and to how many groups? Were the groups created as part of the same apply operation, or did they exist beforehand? Thanks!

My actual case is fairly close to the example shown above; I'm creating all our groups and assignments in terraform.

Currently, that's around 14 groups and 256 assignments, but as commented in the example, 2 groups with 10 assignments each will be enough to trigger the issue.

So to clarify, I'm creating the groups and users in the same module, with updates adding groups and/or users.

daniel-anova, Jun 02 '22 08:06

This occurs for us in: terraform 1.2.4, azuread 2.26.1

Creating 20 groups with 78 memberships.

calebak404, Jul 12 '22 16:07

I can also add that if there's a large number of resources already in state, even small additions seem to trigger the issue.

Such as adding a dozen memberships on a new set of groups.

daniel-anova, Jul 18 '22 16:07

Hi,

Same issue for me when adding members to an existing group. Members are groups created by Terraform:

data "azuread_group" "existing_group" {
  object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

resource "azuread_group" "new_groups" {
  for_each                = local.json_aad_groups
  display_name            = upper("AZ_${var.trigramme_app}_${each.value.display_name_suffix}")
  owners                  = [data.azuread_user.requestor.object_id]
  prevent_duplicate_names = true
  security_enabled        = true
}

resource "azuread_group_member" "member" {
  for_each         = local.json_aad_groups
  group_object_id  = data.azuread_group.existing_group.object_id
  member_object_id = azuread_group.new_groups[each.key].object_id
}

I randomly encounter the following issue:

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to azuread_group_member.member["group_dev"],
│ provider "provider[\"registry.terraform.io/hashicorp/azuread\"]" produced
│ an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

I use Terraform v1.2.5 and provider azuread v2.26.1

Like @daniel-anova, I use the for_each loop operator. Maybe this use case could be the root cause?

jhauray, Jul 19 '22 11:07

Any progress on mitigating this issue?

Using azuread v2.29.0 and with 226 azuread_group_member resources spread across several AD groups, I no longer seem to be able to add users without having to manually import state at this point.

daniel-anova, Jan 24 '23 14:01
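The manual state import mentioned in the last comment can be scripted; this is an added example, not code from the thread or from the provider project. It assumes the root-module layout of `terraform show -json`, the `members` output from the original configuration, and the `<group_object_id>/member/<member_object_id>` import ID documented for azuread v2; all sample data is constructed.

```python
import json
import shlex

# Constructed sample: trimmed `terraform show -json` output after a failed apply.
STATE_JSON = json.dumps({"values": {"root_module": {"resources": [
    {"address": 'azuread_group_member.members["1_aaaa"]',
     "type": "azuread_group_member", "name": "members", "index": "1_aaaa",
     "values": {"group_object_id": "g-1", "member_object_id": "aaaa"}},
    {"address": 'azuread_group.groups["1"]', "type": "azuread_group",
     "name": "groups", "index": "1", "values": {"object_id": "g-1"}},
]}}})

# Constructed sample: `terraform output -json members` (local.group_members).
EXPECTED_JSON = json.dumps({
    "1_aaaa": {"group_id": "g-1", "object_id": "aaaa"},
    "2_aaaa": {"group_id": "g-2", "object_id": "aaaa"},
    "2_bbbb": {"group_id": "g-2", "object_id": "bbbb"},
})


def tracked_members(state, name="members"):
    """Return the for_each keys of azuread_group_member.<name> present in state."""
    root = state.get("values", {}).get("root_module", {})
    return {r["index"] for r in root.get("resources", [])
            if r["type"] == "azuread_group_member" and r["name"] == name}


def import_commands(state_json, expected_json, name="members"):
    """Build one `terraform import` command per expected membership missing from state."""
    have = tracked_members(json.loads(state_json), name)
    cmds = []
    for key, m in sorted(json.loads(expected_json).items()):
        if key in have:
            continue  # already tracked, nothing to reconcile
        address = f'azuread_group_member.{name}["{key}"]'
        # Assumed import ID format (azuread v2 docs): <group>/member/<member>
        import_id = f'{m["group_id"]}/member/{m["object_id"]}'
        cmds.append(f"terraform import {shlex.quote(address)} {shlex.quote(import_id)}")
    return cmds


if __name__ == "__main__":
    print("\n".join(import_commands(STATE_JSON, EXPECTED_JSON)))
```

The script only compares configuration against state. It does not query the directory, so an import for a membership that was never created will fail, and one that succeeds marks an access grant that existed outside Terraform's tracking.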