terraform-provider-azuread: azuread_group is broken in v1.6.0 with use_microsoft_graph = true

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritise the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

➜ terraform -v                 
Terraform v1.0.1
on darwin_amd64

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "1.6.0"
    }
  }
  required_version = ">= 0.15"
}

Affected Resource(s)

azuread_group

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
provider "azuread" {
  use_microsoft_graph = true
}
resource "azuread_group" "this" {
  description             = local.description
  display_name            = local.display_name
  members                 = local.members
  owners                  = local.owners
  prevent_duplicate_names = local.prevent_duplicate_names

  depends_on = [
    var.module_depends_on
  ]
}

Debug Output

│ Error: Creating group "azuread_group-test"
│ 
│   with azuread_group.this,
│   on main.tf line 11, in resource "azuread_group" "this":
│   11: resource "azuread_group" "this" {
│ 
│ GroupsClient.BaseClient.Post(): unexpected status 400 with OData error:
│ Request_BadRequest: Request contains a property with duplicate values.

Panic Output

Expected Behavior

New group created in AzureAD

Actual Behavior

Nothing gets created and error is thrown. Azure Log:

Status: failure
Status reason: Microsoft.Online.DirectoryServices.DirectoryValueExistsException

Steps to Reproduce

terraform apply

Important Factoids

Setting use_microsoft_graph = false creates the group without any issues.

References

#0000

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 7
Comments: 43 (22 by maintainers)

Most upvoted comments

Thanks @nfeltrin-dkb, there are ongoing known service issues with group ownership and I agree what you’ve documented looks like an API bug.

At this time, we’re fairly confident that the provider is doing the right thing with regards to group ownership and the following (misleading) errors, are very likely to be caused by known API bugs:

Request contains a property with duplicate values
The group must have at least one owner, hence this owner cannot be removed

manicminer on Sep 15, 2021

@ibacalu, @ju-la-berger, @patrickmarabeas, @huwjeffries - thanks all for reporting these groups bugs and helping to narrow down the root causes. We’ve worked with the service team to try and get some more insight, and have implemented better logic around group ownership on which I’m hoping to get your feedback whether this helps in your respective cases. I’ve published a test build to the TF Registry which you can consume with the following provider config:

terraform {
  required_providers {
    azuread = {
      source = "manicminer/azuread"
      version = "11.0.6"
    }
  }
}

This is effectively a 2.0 RC build despite the nonsense version number I used. For a brief breakdown of most of the behavioral changes see https://github.com/hashicorp/terraform-provider-azuread/pull/519. Any feedback will be gratefully received and will help us move closer to the next release. Thanks!

Ed: build number bumped to 11.0.6

manicminer on Aug 17, 2021