hashicorp / terraform-provider-ad

Active Directory provider for HashiCorp Terraform (experimental)
https://registry.terraform.io/providers/hashicorp/ad/latest
Mozilla Public License 2.0

ad_ou container and deprecated attribute dn #162

Open IdahoVandal opened 1 year ago

IdahoVandal commented 1 year ago

Terraform Version and Provider Version

Terraform v1.2.8 on windows_amd64

Windows Version

Windows 10

Affected Resource(s)

Terraform Configuration Files

data "ad_ou" "Identity" {
  ou_id = "OU=Identity,${var.default_naming_context}"
}

resource "ad_group" "admin" {
  container        = data.ad_ou.Identity.id
  name             = "IAM-Admins"
  sam_account_name = "IAM-Admins"
  description      = "Identity and Access Management Administrators"
  lifecycle { prevent_destroy = true }
}

Expected Behavior

The container should not be "changed" on every apply when using the "id" attribute for the ou.

Actual Behavior

Every terraform run, the plan is to move the object to a new container because the id does not match the dn. If we use the dn, it will give warnings about a deprecated attribute.

  # ad_group.admin will be updated in-place
  ~ resource "ad_group" "admin" {
      ~ container        = "OU=Identity,DC=xxx,DC=xxx,DC=xxx" -> "cceac71f-e489-43cc-be41-7f0ed4f851bd"
        id               = "33d8ca18-b82d-41da-864e-0dad71c63e59"
        name             = "IAM-Admins"
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Deprecated attribute warning

│ Warning: Deprecated attribute
│
│   on ad-groups.tf line 3, in resource "ad_group" "admin":
│    3:     path        = data.ad_ou.Identity.dn
│
│ The attribute "dn" is deprecated. Refer to the provider documentation for details.

Steps to Reproduce

Attempt to use the "id" attribute of the ad_ou object to place an object in a container. It has to use the dn to avoid the warning but will attempt to move the object every run.


Orionde commented 5 months ago

Hello,

I'm using the AD provider version 0.5.0 and also had a problem linked to the deprecation of the attribute dn.

Like you, I was using a datasource to get the id of the container, then provide this ID to my ad_group resource.
In my case, doing this resulted in a PowerShell error saying that command New-ADGroup exited with a non-zero exit code 1, stderr: New-ADGroup : The object name has bad syntaxAt line:4 char:2. I had the exact same error while manually running the PowerShell command from a PowerShell shell directly on my AD server. There was nothing strange in my group name (only lower case letters, fewer than 10 characters).

So I tried to use the property ad_ou.dn instead of ad_ou.id, which works but triggers a deprecation warning.

Finally, I decided to directly use the name of the container instead of its ID, so I removed the datasource:

variable "name" { default = "test group" }
variable "sam_account_name" { default = "TESTGROUP" }
variable "scope" { default = "global" }
variable "category" { default = "security" }
variable "container" { default = "dc=yourdomain,dc=com" }

resource "ad_group" "g" {
  name             = var.name
  sam_account_name = var.sam_account_name
  scope            = var.scope
  category         = var.category
  container        = var.container
}

This works perfectly well and Terraform doesn't want to modify the group once it has been created.
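Building on both comments, here is an added example (not the configuration of either commenter or the provider's own docs) that composes the container DN from the `default_naming_context` variable seen in the original report and guards it with a Terraform 1.2+ `precondition`, so a GUID can never be passed as `container` and neither `ad_ou.id` nor the deprecated `ad_ou.dn` is needed:

```hcl
# Added example, not from the issue: derive the OU DN directly and fail the
# plan early if the value is not DN-shaped.
variable "default_naming_context" {
  type    = string
  default = "DC=example,DC=com" # placeholder; set to your domain's naming context
}

locals {
  # ad_group.container expects a distinguished name. ad_ou.id is an object
  # GUID (hence the perpetual "move" diff) and ad_ou.dn is deprecated, so the
  # DN is built here from the naming context instead.
  identity_ou_dn = "OU=Identity,${var.default_naming_context}"
}

resource "ad_group" "admin" {
  name             = "IAM-Admins"
  sam_account_name = "IAM-Admins"
  scope            = "global"
  category         = "security"
  description      = "Identity and Access Management Administrators"
  container        = local.identity_ou_dn

  lifecycle {
    prevent_destroy = true

    # Reject anything that is not a comma-separated chain of RDNs ending in
    # domain components, so a GUID never reaches New-ADGroup.
    precondition {
      condition     = can(regex("(?i)^((CN|OU|DC)=[^,]+,)+DC=[^,]+$", local.identity_ou_dn))
      error_message = "container must be an LDAP distinguished name such as OU=Identity,DC=example,DC=com, not an object GUID."
    }
  }
}
```

Unlike `ignore_changes = [container]`, this keeps genuine moves of the group visible in the plan while removing the spurious diff.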