
cannot add ad group to azure devops group via azuredevops_group_membership Resources

Open Ysabo27 opened this issue 4 years ago • 2 comments

The azuredevops_group_membership resource can only add users to an Azure DevOps group, because an AD group doesn't have a principal name.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform 1.0.2, Azure DevOps Provider 0.1.5

Affected Resource(s)

  • azuredevops_XXXXX

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000

Ysabo27 avatar Jul 11 '21 15:07 Ysabo27

Hi @huxh27, can you share your TF script? The current provider does not support importing the AAD group directly.
Workaround:

  1. Create the group (AAD) in the organization and use this group as the AAD group
  2. Import users in separate emails.

xuzhang3 avatar Jul 13 '21 05:07 xuzhang3

Hi @xuzhang3 - @josh-barker-coles has an example of how to do that in issue #51

This successfully links an AAD group to an Azure DevOps team.

We found in testing that subsequent removal of the resource removes ALL references to the group in the Org. This seems to be because you can't set both a scope and an origin_id (based on this comment):

https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/group

scope - (Optional) The scope of the group. A descriptor referencing the scope (collection, project) in which the group should be created. If omitted, will be created in the scope of the enclosing account or organization.

origin_id - (Optional) The OriginID as a reference to a group from an external AD or AAD backed provider. The scope, mail and display_name arguments cannot be used simultaneously with origin_id.

This seems to be an API limitation. For now we are using a lifecycle block to stop this from causing damage!

a30000931 avatar Sep 08 '21 08:09 a30000931
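The two approaches discussed in this thread, pulled together as an added example (this is not code from the provider, from issue #51, or from any commenter): an AAD group linked by `origin_id` at organization scope and made a member of a project group, plus the first reply's workaround of adding individual users by principal name. Assumptions are mine: the project name `example-project`, the placeholder AAD object id, the constructed sample e-mail addresses, provider credentials taken from the `AZDO_ORG_SERVICE_URL` / `AZDO_PERSONAL_ACCESS_TOKEN` environment variables, and `prevent_destroy` as the lifecycle argument, which is my reading of the "lifecycle block" the last comment mentions without naming.

```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "~> 0.1.5" # version reported in this issue
    }
  }
}

provider "azuredevops" {
  # Assumed: org_service_url and personal_access_token come from the
  # AZDO_ORG_SERVICE_URL / AZDO_PERSONAL_ACCESS_TOKEN environment variables.
}

data "azuredevops_project" "example" {
  name = "example-project" # assumed project name
}

# Link an existing AAD group into the organization by its AAD object id.
# origin_id cannot be combined with scope, mail or display_name (see the
# resource docs quoted above), so the linked group lands at organization scope.
resource "azuredevops_group" "aad_linked" {
  origin_id = "00000000-0000-0000-0000-000000000000" # placeholder AAD group object id

  lifecycle {
    # Assumed guardrail: destroying this resource drops every reference to the
    # AAD group in the organization (see the last comment), so refuse to let
    # Terraform destroy it. Any plan that would destroy it now fails instead.
    prevent_destroy = true
  }
}

# Built-in project-scoped group the AAD group and the users should join.
data "azuredevops_group" "contributors" {
  project_id = data.azuredevops_project.example.id
  name       = "Contributors"
}

# Workaround from the first reply: bring users in individually by e-mail.
variable "member_emails" {
  type    = list(string)
  default = ["alice@example.com", "bob@example.com"] # constructed sample values
}

resource "azuredevops_user_entitlement" "users" {
  for_each       = toset(var.member_emails)
  principal_name = each.value
}

# One membership resource for the group: the AAD-backed group's descriptor
# plus each user's descriptor. mode = "add" only adds these members and
# leaves members managed elsewhere untouched.
resource "azuredevops_group_membership" "contributors" {
  group = data.azuredevops_group.contributors.descriptor
  members = concat(
    [azuredevops_group.aad_linked.descriptor],
    [for u in azuredevops_user_entitlement.users : u.descriptor],
  )
  mode = "add"
}
```

With `prevent_destroy` in place, `terraform plan` refuses any change that would delete `azuredevops_group.aad_linked` (including a `terraform destroy`), which turns the org-wide removal described above into a visible planning error rather than a silent side effect; removing the lifecycle block is then a deliberate, reviewable change. Keeping `mode = "add"` rather than `overwrite` is the other blast-radius control: it cannot evict members of Contributors that this configuration does not manage.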