hashicorp / terraform-provider-ad

Active Directory provider for HashiCorp Terraform (experimental)
https://registry.terraform.io/providers/hashicorp/ad/latest
Mozilla Public License 2.0

Error when creating multiple AD users #119

Open techBeck03 opened 3 years ago

techBeck03 commented 3 years ago

Terraform Version and Provider Version

Terraform: 1.0.0 Provider: 0.4.2

Windows Version

Win 2012 R2

Affected Resource(s)

Terraform Configuration Files

resource "ad_user" "demo_user_1" {
    principal_name = "demo-user-1"
    sam_account_name = "demo-user-1"
    display_name = "Demo1"
    container = var.container
    initial_password = "Password123"
    given_name = "demo"
    surname = "user-1"
    description = "Created by Terraform"
    email_address = "demo-user-1@example.cisco.com"
    password_never_expires = true
    cannot_change_password = false
}
resource "ad_user" "demo_user_2" {
    principal_name = "demo-user-2"
    sam_account_name = "demo-user-2"
    display_name = "Demo2"
    container = var.container
    initial_password = "Password123"
    given_name = "demo"
    surname = "user-2"
    description = "Created by Terraform"
    email_address = "demo-user-2@example.cisco.com"
    password_never_expires = true
    cannot_change_password = false
}

Debug Output

New-ADUser exited with a non-zero exit code 1, stderr: New-ADUser : A local error has occurredAt line:1 char:1

Panic Output

Expected Behavior

All users should get created

Actual Behavior

Only 1 user is successfully created and the others are partially created with errors. In order to get all users created I have to manually clean up the errored users in AD, because the user accounts are partially created, and then re-run the plan per user. So if I'm trying to create 4 users I'd have to repeat this process 4 times.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

Community Note
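As an added example (not part of the issue report or of the provider's code), this PowerShell snippet finds the half-created accounts the report describes, so they can be reviewed before a re-run instead of being left in the directory in an unknown state. It assumes the RSAT ActiveDirectory module is available, and it keys off the `Created by Terraform` description used in the configuration above; the search base OU is a placeholder for whatever `var.container` holds.

```powershell
# Added example, not from the issue or the provider. After a failed apply, list
# AD accounts carrying the Terraform description that were left partially
# created: either disabled or without a password ever having been set.
Import-Module ActiveDirectory

$description = 'Created by Terraform'          # value used in the issue's ad_user blocks
$searchBase  = 'OU=Demo,DC=example,DC=com'     # placeholder: the OU passed as var.container

$candidates = Get-ADUser -Filter "Description -eq '$description'" `
    -SearchBase $searchBase `
    -Properties Description, Enabled, pwdLastSet, whenCreated

$partial = foreach ($u in $candidates) {
    # pwdLastSet of 0 means no password has ever been set on the object,
    # which is the state the thread observes for the accounts that errored out.
    $noPassword = ($u.pwdLastSet -eq 0)
    $disabled   = -not $u.Enabled
    if ($noPassword -or $disabled) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Created        = $u.whenCreated
            Enabled        = $u.Enabled
            PasswordSet    = -not $noPassword
            Problem        = @(
                if ($noPassword) { 'no password' }
                if ($disabled)   { 'disabled' }
            ) -join ', '
        }
    }
}

# Report only; removing or enabling the accounts is left to the operator.
$partial | Sort-Object Created | Format-Table -AutoSize
```

The script only reports. An account with `pwdLastSet` of 0 is one where `New-ADUser` created the object but never applied the initial password, which matches the "created as disabled, no password allocated" observation later in the thread, and is the set that needs cleanup before Terraform can recreate it.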

shubhambjadhavar commented 3 years ago

I also got the same problem. I used the depends_on parameter of the resource block and made the resource blocks execute one after the other.

shubhambjadhavar commented 3 years ago

I imported the other user, which was created as a disabled user, and tried to enable it. I came to know that the password was not allocated to it.

So, I tried another way. In the first apply I created the users disabled, with the password assigned. In the second apply I enabled the users. By this I am able to create multiple users.

shubhambjadhavar commented 3 years ago

To debug the error I downloaded the code and edited it as per my understanding.

I am able to avoid the error by making some changes in the run function. I released the WinRM client after the WinRM PowerShell execution, and everything worked fine.

I have tested this by creating 100 Users blocks.

BrandonStiffplx commented 2 years ago

That didn't work for me. For some reason, the machine I'm running WinRM against does not seem to handle all the requests gracefully. I get a similar error randomly:

Error: command New-ADUser exited with a non-zero exit code 1, stderr: New-ADUser : A connection to the directory on which to process the request was unavailable. This is likely a transient condition.At line:1 char:1
│ New-ADUser -Passthru -Name "user123" -CannotChangePassword $fa ...
│ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
│ CategoryInfo          : NotSpecified: (:) [New-ADUser], ADException
│ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.NewADUser

I get this on almost every run (but sometimes it runs clean). I verified the WinRM configuration on the remote server and it's pretty wide open:

PS WSMan:\localhost> winrm get winrm/config/winrs
Winrs
    AllowRemoteShellAccess = true
    IdleTimeout = 7200000
    MaxConcurrentUsers = 2147483647
    MaxShellRunTime = 2147483647
    MaxProcessesPerShell = 2147483647
    MaxMemoryPerShellMB = 2147483647
    MaxShellsPerUser = 2147483647

How I worked around it is I use Terragrunt, and I added this to the terragrunt.hcl file in my module folders that make the AD calls:

terraform {
  extra_arguments "reduce_parallelism" {
    commands = ["apply","destroy","plan"]

    arguments = [
      "-parallelism=1"  
    ]
  }
}

It definitely impacts the performance of the Terraform run, but it no longer fails. If anyone knows why this may be, I'd be grateful for any suggestions.