
Removing group members using azuread_group_member throws an error although members are being removed #1349

Open
J3d3r opened this issue Apr 5, 2024 · 1 comment

Comments

@J3d3r

J3d3r commented Apr 5, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.3.10
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v2.47.0
  • provider registry.terraform.io/hashicorp/azurerm v3.98.0
  • provider registry.terraform.io/hashicorp/local v2.5.1

Affected Resource(s)

  • azuread_group_member

Terraform Configuration Files

resource "azurerm_resource_group" "resource_group" {
  name     = "test-managed-identity"
  location = "West Europe"
}

resource "azurerm_service_plan" "app_service_plan" {
  name                     = "test-managed-identity-asp"
  resource_group_name      = azurerm_resource_group.resource_group.name
  location                 = azurerm_resource_group.resource_group.location
  os_type                  = "Linux"
  sku_name                 = "B1"
  worker_count             = "1"
  per_site_scaling_enabled = false
}

resource "azurerm_linux_web_app" "linux_web_app" {
  name                = "test-managed-identity-webapp"
  resource_group_name = azurerm_resource_group.resource_group.name
  location            = azurerm_service_plan.app_service_plan.location
  service_plan_id     = azurerm_service_plan.app_service_plan.id
  https_only          = true

  identity { type = "SystemAssigned" }

  site_config {
    ftps_state          = "FtpsOnly"
    minimum_tls_version = "1.2"
  }
}

resource "azuread_group_member" "group_member" {
  group_object_id  = "some existing group object id where the service principal performing the operation is an owner"
  member_object_id = azurerm_linux_web_app.linux_web_app.identity.0.principal_id
}

Debug Output

Issue is easy to reproduce. Nothing interesting to see in the logs. I will only paste small output here...

azuread_group_member.group_member: Destroying... [id=/member/]

│ Error: Waiting for removal of member "" from group with object ID ""

│ retrieving resource: GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

Error occurred while executing scripts!
Press any key to continue . . .

Expected Behavior

When the "azuread_group_member" resource is being removed from the configuration the actual group member should be removed from the group without throwing any errors.

Actual Behavior

Terraform is throwing an error (see above) about "Insufficient privileges...". The group member is still being removed which indicates that the permissions are right but Terraform is somehow misbehaving.

Steps to Reproduce

  1. Create a group where the service principal used for deployments is an owner
  2. Add Application.Read.All permissions to your service principal to be able to read managed identities from Entra ID
  3. Copy the configuration above and adapt it to your setup (e.g. add group object id...)
  4. Run terraform apply

Important Factoids

Please note that according to the Terraform docs no additional API permission should be required for using "azuread_group_member" if the service principal used for deployment is an owner of the group in question (https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member#api-permissions).
This is at least not correct if the members that should be added to the group are managed identities.
In this case "Application.Read.All" API permission is required.

References

Similar issue but with adding group members. Perhaps "Application.Read.All" API permission is missing here...
#1202

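Step 2 of the reproduction grants the deploying service principal the Microsoft Graph application permission Application.Read.All. The following is an added example of doing that in Terraform (not configuration from the issue or the provider docs); it assumes a placeholder variable `deployment_sp_object_id`, uses the well-known Microsoft Graph client ID, and requires that the identity running this apply is itself allowed to manage app role assignments.

```hcl
# Added example: grant Application.Read.All (Microsoft Graph application role)
# to the service principal that runs terraform apply, so it can read the
# managed identities it adds to or removes from a group.

variable "deployment_sp_object_id" {
  description = "Object ID of the deployment service principal (placeholder, supply your own)"
  type        = string
}

# Microsoft Graph has the same application (client) ID in every tenant.
data "azuread_service_principal" "msgraph" {
  client_id = "00000003-0000-0000-c000-000000000000"
}

# Look the role ID up by name instead of hard-coding a GUID, and assign only
# this one read-only role to the deployment principal (least privilege).
resource "azuread_app_role_assignment" "application_read_all" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Application.Read.All"]
  principal_object_id = var.deployment_sp_object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

Assigning the role this way is equivalent to tenant-wide admin consent for that single permission, so review it as you would any consent grant.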
@johnsonp57

We get the same problem trying to remove a group member, even though the user performing the operation is a group owner. We are using Pulumi, but that uses the Terraform AD provider under the hood.
