Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License
2.64k stars 5.09k forks source link

[BUG] filteredSync & domainConfigurationType not applied. #28691

Open QBY-ChristianHartmann opened 6 months ago

QBY-ChristianHartmann commented 6 months ago

API Spec link

https://github.com/Azure/azure-rest-api-specs/blob/main/specification/domainservices/resource-manager/Microsoft.AAD/stable/2021-05-01/domainservices.json

API Spec version

2021-05-01

Describe the bug

Came here from an azurerm bug, since this is apparently an API bug. filteredSync & domainConfigurationType not applied.

https://github.com/hashicorp/terraform-provider-azurerm/issues/25575 X-Ms-Correlation-Request-Id: 36fbaa54-bf05-949b-a27b-b0366c48951f

Expected behavior

Microsoft Entra Domain Services is deployed with domainConfigurationType = "ResourceTrusting", filteredSync = true.

Actual behavior

Microsoft Entra Domain Services is deployed with domain_configuration_type = "FullySynced ", filtered_sync_enabled = false. Another terraform apply shows that the Domain services must be replaced since the domain_configuration_type in the terraform code is different than the actual deployed configuration. Plan after apply: resource "azurerm_active_directory_domain_service" "eds" { ~ deployment_id = "90fdfb16-de88-4e98-849a-3a03605896fe" -> (known after apply) ~ domain_configuration_type = "FullySynced" -> "ResourceTrusting" # forces replacement ~ filtered_sync_enabled = false -> true

Reproduction Steps

apply the following terraform code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "deploy" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "deploy" {
  name                = "deploy-vnet"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name
  address_space       = ["10.0.1.0/16"]
}

resource "azurerm_subnet" "deploy" {
  name                 = "deploy-subnet"
  resource_group_name  = azurerm_resource_group.deploy.name
  virtual_network_name = azurerm_virtual_network.deploy.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_network_security_group" "deploy" {
  name                = "deploy-nsg"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name

  security_rule {
    name                       = "AllowSyncWithAzureAD"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowRD"
    priority                   = 201
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "CorpNetSaw"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowPSRemoting"
    priority                   = 301
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5986"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowLDAPS"
    priority                   = 401
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "636"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "deploy" {
  subnet_id                 = azurerm_subnet.deploy.id
  network_security_group_id = azurerm_network_security_group.deploy.id
}

resource "azuread_group" "dc_admins" {
  display_name     = "AAD DC Administrators"
  security_enabled = true
}

resource "azuread_user" "admin" {
  user_principal_name = "dc-admin@hashicorp-example.com"
  display_name        = "DC Administrator"
  password            = "Pa55w0Rd!!1"
}

resource "azuread_group_member" "admin" {
  group_object_id  = azuread_group.dc_admins.object_id
  member_object_id = azuread_user.admin.object_id
}

resource "azuread_service_principal" "example" {
  application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services
}

resource "azurerm_resource_group" "aadds" {
  name     = "aadds-rg"
  location = "westeurope"
}

resource "azurerm_active_directory_domain_service" "example" {
  name                = "example-aadds"
  location            = azurerm_resource_group.aadds.location
  resource_group_name = azurerm_resource_group.aadds.name

  domain_name           = "widgetslogin.net"
  sku                   = "Enterprise"
  filtered_sync_enabled     = true
  domain_configuration_type = "ResourceTrusting"

  initial_replica_set {
    subnet_id = azurerm_subnet.deploy.id
  }

  notifications {
    additional_recipients = ["notifyA@example.net", "notifyB@example.org"]
    notify_dc_admins      = true
    notify_global_admins  = true
  }

  security {
    sync_kerberos_passwords = true
    sync_ntlm_passwords     = true
    sync_on_prem_passwords  = true
  }

  tags = {
    Environment = "prod"
  }

  depends_on = [
    azuread_service_principal.example,
    azurerm_subnet_network_security_group_association.deploy,
  ]
}

Environment

No response

zzhxiaofeng commented 6 months ago

@qianwens Please help have a look, thank you.