hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Your own example of creating a group doesn't work #1331

Open Neutrino-Sunset opened 8 months ago

Neutrino-Sunset commented 8 months ago

Community Note

Terraform (and AzureAD Provider) Version

Terraform v1.7.4 on windows_amd64

Affected Resource(s)

Terraform Configuration Files

data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "SomeGroupNameHere"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

Service Principal has the specified permissions.


Debug Output

PS C:\Home\Workspaces\Projects\Elexon\SqlTest> terraform apply
azurerm_resource_group.rg_0: Refreshing state... [id=/subscriptions/7c34cc50-2353-4be0-bd25-d43ce1e7856e/resourceGroups/sqltest-test3]
module.database.azuread_group.example: Refreshing state... [id=17628e48-bbf1-4e70-8d1a-87829dbbb2c9]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Could not retrieve owners for group with object ID "17628e48-bbf1-4e70-8d1a-87829dbbb2c9"
│
│   with module.database.azuread_group.example,
│   on SqlDb\sqlDb.tf line 16, in resource "azuread_group" "example":
│   16: resource "azuread_group" "example" {
│
│ GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
╵

Expected Behavior

Should have created the group.

Actual Behavior

Failed to create the group and reported an error.

Steps to Reproduce

  1. terraform apply

Neutrino-Sunset commented 8 months ago

This is wrong. [screenshot]

My testing suggests that if the authenticated Service Principal is the owner of the Group being managed then the permissions required to create a new group are actually Group.Read.All and Group.Create.

Those same permissions are also sufficient to destroy the created group.

nbaju1 commented 8 months ago

If you believe this is wrong, creating a PR with the updated docs is probably more appreciated than just an issue.

manicminer commented 8 months ago

@Neutrino-Sunset Thanks for reporting. Just as a disclaimer, we provide the permissions references as a best effort convenience, but these are outside of our control and not automatically updated whenever the API behavior changes in a breaking way as it appears to have done in your case.

manicminer commented 6 months ago

After testing, I can confirm that either Directory.Read.All or Group.Read.All roles are required in addition to Group.Create.
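The thread converges on a least-privilege permission set for an identity that manages azuread_group resources: Group.Create plus a read permission (Group.Read.All, or Directory.Read.All as the maintainer confirms), rather than the broader Group.ReadWrite.All. The following configuration is an added example, not code from the issue or from the provider's documentation; it registers an application with exactly those Microsoft Graph application permissions and grants them to its service principal. It looks app role IDs up by name through the Microsoft Graph service principal so no GUIDs are hardcoded. Assumptions: a recent 2.x provider (client_id arguments and the azuread_application_published_app_ids data source), the display name "example-group-manager" is made up, and the identity running this has rights to create applications and grant admin consent. The azuread_group configuration from the issue is then applied separately while authenticated as the resulting service principal, which makes it the group's owner as the reporter describes.

```hcl
# Added example (not from the issue or the provider docs): a service principal
# with the minimal Microsoft Graph application permissions the thread settles
# on for managing azuread_group: Group.Create plus Group.Read.All.
# Directory.Read.All would satisfy the read side equally, per the maintainer.

# Well-known application IDs, including Microsoft Graph.
data "azuread_application_published_app_ids" "well_known" {}

# Microsoft Graph's service principal in this tenant; its app_role_ids map
# lets us reference permissions by name instead of hardcoding GUIDs.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

locals {
  # Application permissions (type "Role") the group-managing identity needs.
  # Deliberately not Group.ReadWrite.All: create + read is enough here.
  group_manager_roles = ["Group.Create", "Group.Read.All"]
}

resource "azuread_application" "group_manager" {
  display_name = "example-group-manager" # assumed name

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]

    dynamic "resource_access" {
      for_each = local.group_manager_roles
      content {
        id   = data.azuread_service_principal.msgraph.app_role_ids[resource_access.value]
        type = "Role"
      }
    }
  }
}

resource "azuread_service_principal" "group_manager" {
  client_id = azuread_application.group_manager.client_id
}

# Assigning the app roles to the service principal is the Terraform equivalent
# of "Grant admin consent" in the portal; without it the permissions are only
# requested, and the provider's owner lookup still fails with 403.
resource "azuread_app_role_assignment" "group_manager" {
  for_each = toset(local.group_manager_roles)

  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.value]
  principal_object_id = azuread_service_principal.group_manager.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# Exposed so the credentials for the group-managing configuration can be
# built from this identity.
output "group_manager_client_id" {
  value = azuread_service_principal.group_manager.client_id
}
```

After applying this as an administrator, create a credential for the application and run the issue's azuread_group configuration authenticated as that service principal. The "Could not retrieve owners" 403 in the debug output above comes from the read call, so if it reappears the assignment to check first is the read role (Group.Read.All or Directory.Read.All), not Group.Create.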