terraform-provider-azuredevops: Creating azuredevops_group.ad_group results in HTTP 503

Terraform (and Azure DevOps Provider) Version

Terraform 0.13.5, Azure DevOps Provider Version 0.1.2

Affected Resource(s)

azuredevops_group

Terraform Configuration Files

terraform {
  required_providers {
    azuredevops = {
      source = "microsoft/azuredevops"
      version = "0.1.2"
    }
  }
}


###########################################################
# Azure DevOps Permissions
###########################################################
data "azuredevops_group" "admin_group" {
  project_id = azuredevops_project.project.id
  name       = "Project Administrators"
}

resource "azuredevops_group" "ad_group" {
  origin_id  = var.analytics_ad_group_id
}

resource "azuredevops_group_membership" "admin_group" {
  group = data.azuredevops_group.admin_group.descriptor
  members = [
    azuredevops_group.ad_group.descriptor
  ]
}

Expected Behavior

Resource is created

Actual Behavior

Running terraform apply tfplan
2021-02-09 16:43:47,034 - [INFO] - module.devops.azuredevops_group.ad_group: Creating…
2021-02-09 16:43:51,967 - [INFO] -
2021-02-09 16:43:51,967 - [INFO] - Error: REST call returned status code 503

Note that creating the same group works through the Azure DevOps UI.

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 14
  • Comments: 22

Most upvoted comments

Still having the same issue described above with the Azure DevOps 0.2.0 provider. We do create new AAD groups just before trying to create the Azure DevOps group resource representation. A simplified version of our code without the loops:

resource "azuredevops_project" "teams" {
  name               = "something"
  visibility         = "private"
  work_item_template = "Agile"
  version_control    = "Git"

  features = {
    "repositories" = "enabled"
    "pipelines"    = "enabled"
    "artifacts"    = "enabled"
    "boards"       = "enabled"
    "testplans"    = "disabled"
  }
}

resource "azuread_group" "teams" {
  display_name     = "display_name"
  security_enabled = true

  members = [var.members]
}

data "azuredevops_group" "project-default" {
  project_id = azuredevops_project.teams.id
  name       = "${azuredevops_project.teams.name} Team"
}

resource "azuredevops_group" "aad-group" {
  origin_id = azuread_group.teams.object_id
}

resource "azuredevops_group_membership" "project-default" {
  group = data.azuredevops_group.project-default.descriptor
  mode  = "add"
  members = [
    azuredevops_group.aad-group.descriptor
  ]
}

When creating a new project and new group this only sometimes results in the 503 error, and sometimes in a 400 error code on creating the azuredevops_group.aad-group. There are also times where there are no reported errors and everything is created according to the plan. For the 400 error we can just rerun the code and it will solve itself, as the provider at a later point is able to create the Azure DevOps group from the AAD object. Perhaps a timing issue with the AAD graph object availability? (Although ugly, adding a sleep of 30 seconds seems to solve the 400 error issue.) For the times we get the 503, we usually have to import the azuredevops_group resource using its descriptor manually, as it usually IS already available in the Azure DevOps organization, but somehow this was not registered in Terraform.

Edit: Perhaps there is one other process which also “processes” the new Azure AD Groups on a periodic basis, which could explain the mixed results that we are having. We do also use “Group Rules” to give all users of our organization licenses. We do this by combining all teams’ AAD groups into a single AAD group used to couple the group rules to. Does the group rules syncing also manage azuredevops_group objects for all AAD objects within the group rules AAD group?
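One way to express the 30-second wait mentioned in the comment above declaratively, as an added example that is not code from the issue or from the provider: a `time_sleep` resource from the hashicorp/time provider sits between the AAD group and the Azure DevOps group, so the azuredevops_group is only created after the new AAD object has had time to propagate. The `triggers` map and the minimal project block are assumptions added here so the snippet is self-contained and the wait re-runs whenever the AAD group is re-created.

```hcl
terraform {
  required_providers {
    azuread     = { source = "hashicorp/azuread" }
    azuredevops = { source = "microsoft/azuredevops" }
    time        = { source = "hashicorp/time" }
  }
}

# Minimal project (assumed here; the comment above shows the full resource).
resource "azuredevops_project" "teams" {
  name = "something"
}

# AAD group created in the same run, as in the comment above.
resource "azuread_group" "teams" {
  display_name     = "display_name"
  security_enabled = true
}

# Wait before the provider looks the new AAD object up via origin_id.
# 30s is the value reported in the comment; tune it for your tenant.
# triggers (assumption) ties the wait to the object_id, so a re-created
# AAD group gets a fresh wait instead of reusing the old one.
resource "time_sleep" "aad_propagation" {
  create_duration = "30s"

  triggers = {
    aad_group_object_id = azuread_group.teams.object_id
  }
}

resource "azuredevops_group" "aad-group" {
  origin_id = azuread_group.teams.object_id

  depends_on = [time_sleep.aad_propagation]
}

data "azuredevops_group" "project-default" {
  project_id = azuredevops_project.teams.id
  name       = "${azuredevops_project.teams.name} Team"
}

resource "azuredevops_group_membership" "project-default" {
  group   = data.azuredevops_group.project-default.descriptor
  mode    = "add"
  members = [azuredevops_group.aad-group.descriptor]
}
```

This only covers the timing-related 400 case from the comment; a 503 that is really a permissions problem on the deploying identity, as reported later in the thread, is not solved by waiting.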

@xuzhang3 No, I just checked the PAT, it is still valid, and we didn’t touch it. And the interesting thing is that it starts working again… although we didn’t change anything.

The issue in our case was because the service principal running the deployment didn’t have sufficient permissions on Active Directory, so this is a case of improving logging, since a 503 indicates a server-side error.