refreshing state is failing on ad_group_membership (groups named with '_')

Terraform Version and Provider Version

1.2.5

Affected Resource(s)

ad_group_membership

Terraform Configuration Files

provider "ad" {
    winrm_hostname = var.winrm_hostname
    winrm_username = var.winrm_username
    winrm_password = var.winrm_password
    winrm_use_ntlm = true
    winrm_port     = 5986
    winrm_proto    = "https"
    domain_controller = "servrDC"
    winrm_pass_credentials = true
}

resource "ad_ou" "ou" {
    name = "OneOU"
    path = "DC=mydc"
    protected = false
}

resource "ad_group" "g" {
    for_each = toset(["foo_bar", "foo_baz"])

    name             = each.value
    sam_account_name = each.value
    container        = ad_ou.ou.dn
    scope            = "global"
    category         = "security"
    depends_on = [
        ad_ou.ou
    ]
}

resource "ad_group_membership" "gm" {
    for_each = {
        "foo" = {
            name = "foo_bar"
            users = ["userA"]
        },
        "bar" = {
            name = "foo_baz"
            users = ["userA"]
        }
    }

    group_id      = each.value.name
    group_members = each.value.users

    depends_on = [
        ad_group.g
    ]
}

Debug Output

https://gist.github.com/insoIite/40f63a2f3b30b0035b2af52ba4e1a1b9

Panic Output

Expected Behavior

Terraform plan should be working

Actual Behavior

ad_ou.ou: Refreshing state... [id=66d4498f-fcb0-4858-b277-3ad41a3d1349]
ad_group.g["foo_bar"]: Refreshing state... [id=7886cad7-18ac-4805-a1ea-87db890610fd]
ad_group.g["foo_baz"]: Refreshing state... [id=0c99b6b6-f2e9-4b43-91fb-c7673d037219]
ad_group_membership.gm["bar"]: Refreshing state... [id=foo_baz_59f3d36a-9b1d-73b1-1cc9-586d680a946b]
ad_group_membership.gm["foo"]: Refreshing state... [id=foo_bar_447ec7bb-f1d4-898b-b529-e91260814de5]
╷
│ Error: command Get-ADGroupMember exited with a non-zero exit code(1), stderr: Get-ADGroupMember : Cannot find an object with identity: 'foo' under: 'DC=MYDC'.At line:4 char:2
│  Get-ADGroupMember -Identity "foo" -Credential $Credential -Server s6 ...
│  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
│ CategoryInfo          : ObjectNotFound: (foo:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
│ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M icrosoft.ActiveDirectory.Management.Commands.GetADGroupMember, stdout: 
│ 
│   with ad_group_membership.gm["foo"],
│   on main.tf line 31, in resource "ad_group_membership" "gm":
│   31: resource "ad_group_membership" "gm" {
│ 
╵
╷
│ Error: command Get-ADGroupMember exited with a non-zero exit code(1), stderr: Get-ADGroupMember : Cannot find an object with identity: 'foo' under: 'DC=DC'.At line:4 char:2
│  Get-ADGroupMember -Identity "foo" -Credential $Credential -Server s6 ...
│  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
│ CategoryInfo          : ObjectNotFound: (foo:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
│ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M icrosoft.ActiveDirectory.Management.Commands.GetADGroupMember, stdout: 
│ 
│   with ad_group_membership.gm["bar"],
│   on main.tf line 31, in resource "ad_group_membership" "gm":
│   31: resource "ad_group_membership" "gm" {

The powershell command is trying to find the AD group foo instead of foo_bar and foo_baz Therefore it fails because the foo AD group does not exists...

The bug seems to be related to groups named with '_' in them. In case of '-' no error whatsoever !

What's very weird is that terraform destroy works correctly (with cached states)

Steps to Reproduce

terraform plan

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

hashicorp / terraform-provider-ad

refreshing state is failing on ad_group_membership (groups named with '_') #153