terraform-provider-azuredevops
Approvers attribute of azuredevops_check_approval not accepting AAD Group
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and Azure DevOps Provider) Version
Terraform v1.5.4 on darwin_arm64
- provider registry.terraform.io/hashicorp/azuread v2.41.0
- provider registry.terraform.io/microsoft/azuredevops v0.8.0
Affected Resource(s)
- azuredevops_check_approval
Terraform Configuration Files
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "0.8.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.41.0"
    }
  }
}

resource "azuredevops_project" "this" {
  name               = "testforbug"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "" # Left as blank string to accept org default.
  description        = "Some description"
  features = {
    boards       = "enabled"
    repositories = "enabled"
    pipelines    = "enabled"
    testplans    = "enabled"
    artifacts    = "enabled"
  }
  lifecycle {
    ignore_changes = [work_item_template]
  }
}

data "azuredevops_group" "this" {
  name = "PlatformTeam"
}

resource "azuredevops_environment" "this" {
  project_id = azuredevops_project.this.id
  name       = "test"
}

resource "azuredevops_check_approval" "this" {
  project_id            = azuredevops_project.this.id
  target_resource_id    = azuredevops_environment.this.id
  target_resource_type  = "environment"
  requester_can_approve = true
  approvers             = [data.azuredevops_group.this.origin_id]
}
Partial Debug Output
2023-08-23T15:54:53.381+0100 [TRACE] vertex "module.ado.azuredevops_environment.this": visit complete
2023-08-23T15:54:53.381+0100 [TRACE] vertex "module.ado.azuredevops_check_approval.this": starting visit (*terraform.NodeApplyableResourceInstance)
2023-08-23T15:54:53.381+0100 [TRACE] readDiff: Read Create change from plan for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.381+0100 [TRACE] readResourceInstanceState: reading state for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.381+0100 [TRACE] readResourceInstanceState: no state present for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.381+0100 [TRACE] readDiff: Read Create change from plan for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.382+0100 [TRACE] Re-validating config for "module.ado.azuredevops_check_approval.this"
2023-08-23T15:54:53.382+0100 [TRACE] GRPCProvider: ValidateResourceConfig
2023-08-23T15:54:53.382+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Received request: @module=sdk.proto tf_proto_version=5.3 tf_resource_type=azuredevops_check_approval tf_rpc=ValidateResourceTypeConfig @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:679 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=5123c1c5-c016-90b2-99cf-a9cafb30090b timestamp=2023-08-23T15:54:53.382+0100
2023-08-23T15:54:53.382+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Sending request downstream: tf_req_id=5123c1c5-c016-90b2-99cf-a9cafb30090b tf_resource_type=azuredevops_check_approval @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:17 @module=sdk.proto tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_rpc=ValidateResourceTypeConfig timestamp=2023-08-23T15:54:53.382+0100
2023-08-23T15:54:53.382+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Calling downstream: tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=5123c1c5-c016-90b2-99cf-a9cafb30090b tf_rpc=ValidateResourceTypeConfig @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:245 @module=sdk.helper_schema tf_resource_type=azuredevops_check_approval timestamp=2023-08-23T15:54:53.382+0100
2023-08-23T15:54:53.382+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Called downstream: tf_resource_type=azuredevops_check_approval tf_rpc=ValidateResourceTypeConfig @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:247 @module=sdk.helper_schema tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=5123c1c5-c016-90b2-99cf-a9cafb30090b timestamp=2023-08-23T15:54:53.382+0100
2023-08-23T15:54:53.382+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Received downstream response: @module=sdk.proto diagnostic_error_count=0 tf_req_duration_ms=0 tf_resource_type=azuredevops_check_approval @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 tf_rpc=ValidateResourceTypeConfig tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=5123c1c5-c016-90b2-99cf-a9cafb30090b diagnostic_warning_count=0 timestamp=2023-08-23T15:54:53.382+0100
2023-08-23T15:54:53.382+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Served request: tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_rpc=ValidateResourceTypeConfig @module=sdk.proto tf_resource_type=azuredevops_check_approval @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:699 tf_proto_version=5.3 tf_req_id=5123c1c5-c016-90b2-99cf-a9cafb30090b timestamp=2023-08-23T15:54:53.382+0100
2023-08-23T15:54:53.382+0100 [TRACE] GRPCProvider: PlanResourceChange
2023-08-23T15:54:53.383+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Received request: @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:770 @module=sdk.proto tf_proto_version=5.3 tf_req_id=2e18417b-c493-15ef-11ff-7b0b8c38c600 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_resource_type=azuredevops_check_approval tf_rpc=PlanResourceChange timestamp=2023-08-23T15:54:53.383+0100
2023-08-23T15:54:53.383+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Sending request downstream: tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=2e18417b-c493-15ef-11ff-7b0b8c38c600 @module=sdk.proto tf_resource_type=azuredevops_check_approval tf_rpc=PlanResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:17 timestamp=2023-08-23T15:54:53.383+0100
2023-08-23T15:54:53.383+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Received downstream response: @module=sdk.proto diagnostic_error_count=0 diagnostic_warning_count=0 tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 tf_req_duration_ms=0 tf_req_id=2e18417b-c493-15ef-11ff-7b0b8c38c600 tf_resource_type=azuredevops_check_approval tf_rpc=PlanResourceChange timestamp=2023-08-23T15:54:53.383+0100
2023-08-23T15:54:53.383+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Served request: @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:796 @module=sdk.proto tf_req_id=2e18417b-c493-15ef-11ff-7b0b8c38c600 tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_resource_type=azuredevops_check_approval tf_rpc=PlanResourceChange timestamp=2023-08-23T15:54:53.383+0100
2023-08-23T15:54:53.383+0100 [WARN] Provider "registry.terraform.io/microsoft/azuredevops" produced an invalid plan for module.ado.azuredevops_check_approval.this, but we are tolerating it because it is using the legacy plugin SDK.
The following problems may be the cause of any confusing errors from downstream operations:
- .timeout: planned value cty.NumberIntVal(43200) for a non-computed attribute
2023-08-23T15:54:53.383+0100 [TRACE] checkPlannedChange: Verifying that actual change (action Create) matches planned change (action Create)
2023-08-23T15:54:53.383+0100 [INFO] Starting apply for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.383+0100 [DEBUG] module.ado.azuredevops_check_approval.this: applying the planned Create change
2023-08-23T15:54:53.384+0100 [TRACE] GRPCProvider: ApplyResourceChange
2023-08-23T15:54:53.384+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Received request: @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:805 tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_resource_type=azuredevops_check_approval @module=sdk.proto tf_req_id=53219532-0b93-ead3-cb1c-2800992c33f4 tf_rpc=ApplyResourceChange timestamp=2023-08-23T15:54:53.384+0100
2023-08-23T15:54:53.384+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Sending request downstream: @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:17 tf_proto_version=5.3 tf_req_id=53219532-0b93-ead3-cb1c-2800992c33f4 tf_resource_type=azuredevops_check_approval tf_rpc=ApplyResourceChange @module=sdk.proto tf_provider_addr=registry.terraform.io/microsoft/azuredevops timestamp=2023-08-23T15:54:53.384+0100
2023-08-23T15:54:53.384+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Calling downstream: @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:836 tf_rpc=ApplyResourceChange @module=sdk.helper_schema tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=53219532-0b93-ead3-cb1c-2800992c33f4 tf_resource_type=azuredevops_check_approval timestamp=2023-08-23T15:54:53.384+0100
2023-08-23T15:54:53.469+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Called downstream: tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=53219532-0b93-ead3-cb1c-2800992c33f4 @module=sdk.helper_schema tf_resource_type=azuredevops_check_approval tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:838 timestamp=2023-08-23T15:54:53.468+0100
2023-08-23T15:54:53.469+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Received downstream response: @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 diagnostic_error_count=1 tf_req_duration_ms=84 tf_req_id=53219532-0b93-ead3-cb1c-2800992c33f4 tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_warning_count=0 tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_resource_type=azuredevops_check_approval timestamp=2023-08-23T15:54:53.468+0100
2023-08-23T15:54:53.469+0100 [ERROR] provider.terraform-provider-azuredevops_v0.8.0: Response contains error diagnostic: @module=sdk.proto diagnostic_detail= diagnostic_severity=ERROR tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_req_id=53219532-0b93-ead3-cb1c-2800992c33f4 tf_resource_type=azuredevops_check_approval diagnostic_summary=" failed creating check, project ID: 3f3973fb-b9d3-44ee-9e7d-a37e5ed32dab. Error: The following identities are invalid: a41e320a-7cc7-4e63-af59-15a5dff93f67.
Parameter name: identities" timestamp=2023-08-23T15:54:53.469+0100
2023-08-23T15:54:53.469+0100 [TRACE] provider.terraform-provider-azuredevops_v0.8.0: Served request: tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_resource_type=azuredevops_check_approval tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:831 @module=sdk.proto tf_proto_version=5.3 tf_req_id=53219532-0b93-ead3-cb1c-2800992c33f4 timestamp=2023-08-23T15:54:53.469+0100
2023-08-23T15:54:53.469+0100 [TRACE] maybeTainted: module.ado.azuredevops_check_approval.this encountered an error during creation, so it is now marked as tainted
2023-08-23T15:54:53.469+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.469+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.469+0100 [TRACE] evalApplyProvisioners: module.ado.azuredevops_check_approval.this is tainted, so skipping provisioning
2023-08-23T15:54:53.469+0100 [TRACE] maybeTainted: module.ado.azuredevops_check_approval.this was already tainted, so nothing to do
2023-08-23T15:54:53.469+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.469+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.ado.azuredevops_check_approval.this
2023-08-23T15:54:53.469+0100 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2023-08-23T15:54:53.469+0100 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 88
2023-08-23T15:54:53.469+0100 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2023-08-23T15:54:53.474+0100 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2023-08-23T15:54:53.474+0100 [ERROR] vertex "module.ado.azuredevops_check_approval.this" error: failed creating check, project ID: 3f3973fb-b9d3-44ee-9e7d-a37e5ed32dab. Error: The following identities are invalid: a41e320a-7cc7-4e63-af59-15a5dff93f67.
Parameter name: identities
2023-08-23T15:54:53.474+0100 [TRACE] vertex "module.ado.azuredevops_check_approval.this": visit complete, with errors
2023-08-23T15:54:53.474+0100 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/microsoft/azuredevops\"] (close)" errored, so skipping
2023-08-23T15:54:53.474+0100 [TRACE] dag/walk: upstream of "module.ado (close)" errored, so skipping
2023-08-23T15:54:53.474+0100 [TRACE] dag/walk: upstream of "root" errored, so skipping
2023-08-23T15:54:53.474+0100 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2023-08-23T15:54:53.474+0100 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 89
2023-08-23T15:54:53.474+0100 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2023-08-23T15:54:53.480+0100 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2023-08-23T15:54:53.480+0100 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2023-08-23T15:54:53.480+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-23T15:54:53.482+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/microsoft/azuredevops/0.8.0/darwin_arm64/terraform-provider-azuredevops_v0.8.0 pid=75242
2023-08-23T15:54:53.482+0100 [DEBUG] provider: plugin exited
Expected Behavior
AAD backed groups should be usable for approval checks as they are in the web GUI, but it seems to just generate an error.
Actual Behavior
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # module.ado.azuredevops_check_approval.this will be created
  + resource "azuredevops_check_approval" "this" {
      + approvers = [
          + "a41e320a-7cc7-4e63-af59-15a5dff93f67",
        ]
      + id = (known after apply)
      + project_id = (known after apply)
      + requester_can_approve = true
      + target_resource_id = (known after apply)
      + target_resource_type = "environment"
      + timeout = 43200
    }

  # module.ado.azuredevops_environment.this will be created
  + resource "azuredevops_environment" "this" {
      + id = (known after apply)
      + name = "test"
      + project_id = (known after apply)
    }

  # module.ado.azuredevops_project.this will be created
  + resource "azuredevops_project" "this" {
      + description = "Project for Example Project. Initially holds repositories, variable groups and environments for Terraform configuration."
      + features = {
          + "artifacts" = "enabled"
          + "boards" = "enabled"
          + "pipelines" = "enabled"
          + "repositories" = "enabled"
          + "testplans" = "enabled"
        }
      + id = (known after apply)
      + name = "testforbug"
      + process_template_id = (known after apply)
      + version_control = "Git"
      + visibility = "private"
    }

Plan: 3 to add, 0 to change, 0 to destroy.
module.ado.azuredevops_project.this: Creating...
module.ado.azuredevops_project.this: Still creating... [10s elapsed]
module.ado.azuredevops_project.this: Creation complete after 16s [id=3f3973fb-b9d3-44ee-9e7d-a37e5ed32dab]
module.ado.azuredevops_environment.this: Creating...
module.ado.azuredevops_environment.this: Creation complete after 0s [id=35]
module.ado.azuredevops_check_approval.this: Creating...
╷
│ Error: failed creating check, project ID: 3f3973fb-b9d3-44ee-9e7d-a37e5ed32dab. Error: The following identities are invalid: a41e320a-7cc7-4e63-af59-15a5dff93f67.
│ Parameter name: identities
│
│ with module.ado.azuredevops_check_approval.this,
│ on module/main.tf line 154, in resource "azuredevops_check_approval" "this":
│ 154: resource "azuredevops_check_approval" "this" {
│
Steps to Reproduce
- Create an Azure AD backed group in ADO manually.
- Use the provided code to look up with a data call, and try and use the group as an approver.