
Unsafe Behaviour with Group Memberships

Open natilik-mikeguy opened this issue 1 year ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform v1.5.4 on darwin_arm64

  • provider registry.terraform.io/hashicorp/azuread v2.45.0
  • provider registry.terraform.io/microsoft/azuredevops v0.10.0

Affected Resource(s)

  • azuredevops_group_membership

Terraform Configuration Files

Relevant snippet below:

data "azuredevops_group" "project_admins" {
  project_id = local.ado_project_id
  name       = "Project Administrators"
}

data "azuredevops_group" "project_contributors" {
  project_id = local.ado_project_id
  name       = "Contributors"
}

resource "azuredevops_group_membership" "platform_team_admins" {
  group = data.azuredevops_group.project_admins.id
  mode  = "add"
  members = [
    data.azuredevops_group.platform_team_admins.descriptor
  ]
}

resource "azuredevops_group_membership" "platform_team_contributors" {
  group = data.azuredevops_group.project_contributors.id
  mode  = "add"
  members = [
    data.azuredevops_group.platform_team_contributors.descriptor
  ]
}

Expected Behavior

When trying to add a group membership that already exists, I'd expect Terraform to error to ensure safe behaviour on future operations.

Actual Behavior

Terraform did not error when trying to add a membership that already existed, and as such I have ended up accidentally deleting group memberships that existed before Terraform created any resources.

I have a module, and as part of that module it takes care of a number of things, one of which is setting up group memberships. I had written the code with the intention of being able to deploy multiple repositories/environments/variable groups to a pre-existing Azure DevOps project; however, I overlooked group memberships in my logic. If the provider had worked in a safe manner, I should have received an error, but I didn't. The issues happened in the following order:

  • "Group X" existed as a member of "Project Administrators" in "Project X" (this was pre-existing and outside of Terraform).
  • My Terraform code then ran, and generated no errors - it looked successful. At this point it should have errored (in my opinion) stating that "Group X already exists in Project Administrators". This is the general behaviour I've seen across numerous other providers.
  • I then ran Terraform destroy as part of my testing - again it all looked fine and everything deleted cleanly. However, I had now unknowingly deleted the pre-existing group membership (that existed before Terraform).

Steps to Reproduce

Add a group membership using Terraform that already exists (no error) and then run a destroy operation.

Important Factoids

This is not possible to work around at the moment either, as there is no data source available to look up group memberships and do an if expression as part of a conditional resource.

natilik-mikeguy, Nov 21 '23 18:11
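Until the provider rejects a membership that already exists, the check can be done before apply instead. The following is an added example, not code from the issue or from the provider: it reads the JSON form of a Terraform plan, picks out every azuredevops_group_membership that would be created, and fails when one of its members is already in the target group according to a snapshot of existing memberships. The snapshot format (group descriptor to member descriptors) and the descriptor values are constructed assumptions; how the snapshot is collected (Graph REST API or CLI) is left to the caller.

```python
import json

# Constructed snapshot of memberships that already exist in the project,
# gathered out of band before apply: group descriptor -> member descriptors.
# "vssgp.GroupX" in "Project Administrators" is the pre-existing membership from the issue.
EXISTING_MEMBERSHIPS = {
    "vssgp.ProjectAdmins": {"vssgp.GroupX"},
    "vssgp.Contributors": set(),
}

# Constructed excerpt of `terraform show -json tfplan` output for the two
# azuredevops_group_membership resources from the issue's configuration.
PLAN_JSON = json.dumps({
    "resource_changes": [
        {"type": "azuredevops_group_membership",
         "address": "azuredevops_group_membership.platform_team_admins",
         "change": {"actions": ["create"],
                    "after": {"group": "vssgp.ProjectAdmins", "mode": "add",
                              "members": ["vssgp.GroupX"]}}},
        {"type": "azuredevops_group_membership",
         "address": "azuredevops_group_membership.platform_team_contributors",
         "change": {"actions": ["create"],
                    "after": {"group": "vssgp.Contributors", "mode": "add",
                              "members": ["vssgp.GroupY"]}}},
    ]
})

def planned_memberships(plan_json):
    """Yield (address, group, member) for every membership the plan would create.
    Resources whose group/members are still unknown at plan time are skipped."""
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azuredevops_group_membership":
            continue
        if "create" not in rc["change"]["actions"]:
            continue
        after = rc["change"].get("after") or {}
        if not after.get("group"):
            continue
        for member in after.get("members") or []:
            yield rc["address"], after["group"], member

def find_collisions(plan_json, existing):
    """Return planned memberships that already exist outside Terraform.
    Each hit is one the provider would silently adopt on apply and remove on destroy."""
    return [(addr, group, member)
            for addr, group, member in planned_memberships(plan_json)
            if member in existing.get(group, set())]

if __name__ == "__main__":
    hits = find_collisions(PLAN_JSON, EXISTING_MEMBERSHIPS)
    for addr, group, member in hits:
        print(f"REFUSING: {addr} would re-add {member} to {group}, which already exists")
    raise SystemExit(1 if hits else 0)
```

Run it as a gate between `terraform plan -out tfplan` and `terraform apply tfplan`; a non-zero exit stops the pipeline before the pre-existing membership is adopted into state.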