refreshing state is failing on ad_group_membership (groups named with '_') #153

Open
insoIite opened this issue Jul 23, 2022 · 1 comment
Labels
bug Something isn't working

insoIite commented Jul 23, 2022

Terraform Version and Provider Version

1.2.5

Affected Resource(s)

ad_group_membership

Terraform Configuration Files

provider "ad" {
    winrm_hostname = var.winrm_hostname
    winrm_username = var.winrm_username
    winrm_password = var.winrm_password
    winrm_use_ntlm = true
    winrm_port     = 5986
    winrm_proto    = "https"
    domain_controller = "servrDC"
    winrm_pass_credentials = true
}

resource "ad_ou" "ou" {
    name = "OneOU"
    path = "DC=mydc"
    protected = false
}

resource "ad_group" "g" {
    for_each = toset(["foo_bar", "foo_baz"])

    name             = each.value
    sam_account_name = each.value
    container        = ad_ou.ou.dn
    scope            = "global"
    category         = "security"
    depends_on = [
        ad_ou.ou
    ]
}

resource "ad_group_membership" "gm" {
    for_each = {
        "foo" = {
            name = "foo_bar"
            users = ["userA"]
        },
        "bar" = {
            name = "foo_baz"
            users = ["userA"]
        }
    }

    group_id      = each.value.name
    group_members = each.value.users

    depends_on = [
        ad_group.g
    ]
}

Debug Output

https://gist.github.com/insoIite/40f63a2f3b30b0035b2af52ba4e1a1b9

Panic Output

Expected Behavior

Terraform plan should be working

Actual Behavior

ad_ou.ou: Refreshing state... [id=66d4498f-fcb0-4858-b277-3ad41a3d1349]
ad_group.g["foo_bar"]: Refreshing state... [id=7886cad7-18ac-4805-a1ea-87db890610fd]
ad_group.g["foo_baz"]: Refreshing state... [id=0c99b6b6-f2e9-4b43-91fb-c7673d037219]
ad_group_membership.gm["bar"]: Refreshing state... [id=foo_baz_59f3d36a-9b1d-73b1-1cc9-586d680a946b]
ad_group_membership.gm["foo"]: Refreshing state... [id=foo_bar_447ec7bb-f1d4-898b-b529-e91260814de5]
╷
│ Error: command Get-ADGroupMember exited with a non-zero exit code(1), stderr: Get-ADGroupMember : Cannot find an object with identity: 'foo' under: 'DC=MYDC'.At line:4 char:2
│  Get-ADGroupMember -Identity "foo" -Credential $Credential -Server s6 ...
│  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
│ CategoryInfo          : ObjectNotFound: (foo:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
│ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M icrosoft.ActiveDirectory.Management.Commands.GetADGroupMember, stdout: 
│ 
│   with ad_group_membership.gm["foo"],
│   on main.tf line 31, in resource "ad_group_membership" "gm":
│   31: resource "ad_group_membership" "gm" {
│ 
╵
╷
│ Error: command Get-ADGroupMember exited with a non-zero exit code(1), stderr: Get-ADGroupMember : Cannot find an object with identity: 'foo' under: 'DC=DC'.At line:4 char:2
│  Get-ADGroupMember -Identity "foo" -Credential $Credential -Server s6 ...
│  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
│ CategoryInfo          : ObjectNotFound: (foo:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
│ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M icrosoft.ActiveDirectory.Management.Commands.GetADGroupMember, stdout: 
│ 
│   with ad_group_membership.gm["bar"],
│   on main.tf line 31, in resource "ad_group_membership" "gm":
│   31: resource "ad_group_membership" "gm" {

The PowerShell command is trying to find the AD group foo instead of foo_bar and foo_baz.
Therefore it fails because the foo AD group does not exist...

The bug seems to be related to groups named with '_' in them. In case of '-', no error whatsoever!

What's very weird is that terraform destroy works correctly (with cached states).

Steps to Reproduce

  1. terraform plan

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
insoIite added the bug label Jul 23, 2022
insoIite changed the title from "refreshing state is failing on ad_group_membership (search for truncated group name)" to "refreshing state is failing on ad_group_membership (groups named with '_')" Jul 25, 2022
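
An added illustration, not code from the provider or from this thread: the refresh lines above show membership IDs of the form `<group>_<uuid>`, and a parser that cuts at the first `_` yields exactly the `foo` seen in the error. The function names and the assumption that the ID is split on `_` are hypothetical; the provider's parsing code is not shown on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// groupFromFirstUnderscore reproduces the symptom in the issue: everything
// before the first "_" is treated as the group identity.
// Hypothetical reconstruction, not the provider's code.
func groupFromFirstUnderscore(id string) string {
	return strings.SplitN(id, "_", 2)[0]
}

// groupFromLastUnderscore treats only the final "_" as the separator between
// group identity and the generated suffix, and rejects IDs with an empty part.
func groupFromLastUnderscore(id string) (group, suffix string, err error) {
	i := strings.LastIndex(id, "_")
	if i <= 0 || i == len(id)-1 {
		return "", "", fmt.Errorf("malformed membership id %q", id)
	}
	return id[:i], id[i+1:], nil
}

func main() {
	ids := []string{
		"foo_bar_447ec7bb-f1d4-898b-b529-e91260814de5", // from the refresh output
		"foo_baz_59f3d36a-9b1d-73b1-1cc9-586d680a946b", // from the refresh output
		"foo-bar_00000000-0000-0000-0000-000000000000", // constructed: '-' in name
		"nounderscore", // constructed: malformed ID
	}
	for _, id := range ids {
		naive := groupFromFirstUnderscore(id)
		group, _, err := groupFromLastUnderscore(id)
		if err != nil {
			fmt.Printf("%-50s naive=%-10q error: %v\n", id, naive, err)
			continue
		}
		fmt.Printf("%-50s naive=%-10q fixed=%q differs=%v\n", id, naive, group, naive != group)
	}
}
```

Cutting at the last `_` works here because the suffix in the IDs above contains only hex digits and hyphens. If a group actually named `foo` existed, the first-underscore lookup would succeed against that group instead of failing.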
@dylanl321

I'm running into this as well, without realising it was because of the _. Any help on this would be great.

jaroslav-svoboda added a commit to jaroslav-svoboda/terraform-provider-ad that referenced this issue Aug 8, 2022