Status: Closed (matthorgan closed this issue 4 months ago)
Do you experience the same issue if you reference the object IDs directly? I.e.

```hcl
resource "azuread_administrative_unit_member" "example" {
  administrative_unit_object_id = azuread_administrative_unit.example.object_id
  member_object_id              = azuread_group.example.object_id
}
```
It's the same issue using `azuread_group.example.object_id`, and also when you statically reference the object instead of referencing it from the `azuread_group` resource.
Hi @matthorgan, thanks for opening this issue. This is actually expected behavior due to the `azuread_administrative_unit_member` resource and the `administrative_unit_ids` property of the `azuread_group` resource essentially managing the same thing. When using the `azuread_administrative_unit_member` resource to manage a group, you will need to use the `ignore_changes` lifecycle meta argument to suppress the resulting diff that occurs with the `azuread_group` resource. For example:

```hcl
resource "azuread_administrative_unit" "example" {
  display_name = "Example-AU"
}

resource "azuread_group" "example" {
  display_name     = "Example Users"
  security_enabled = true

  lifecycle {
    ignore_changes = [administrative_unit_ids]
  }
}

resource "azuread_administrative_unit_member" "example" {
  administrative_unit_object_id = azuread_administrative_unit.example.id
  member_object_id              = azuread_group.example.id
}
```

However, I noticed that we don't call this out specifically in the documentation for either resource, so I will open a PR to fix that.
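The reply above explains the root cause: two resources own the same AU membership, so each run undoes the other. A cheap guard for this class of problem is to take a plan immediately after a successful apply and fail if anything is not a no-op. The check below is an added example for this thread, not code from the azuread provider or from either participant. It reads the JSON that `terraform show -json tfplan` emits (only `resource_changes[].address`, `.type` and `.change.actions/before/after` are used); both plan documents embedded here are constructed, and the GUID in them is a placeholder, not a real object ID. The second function goes a step beyond the generic "anything changed?" test and flags the specific signature described in the reply: an `azuread_group` whose `administrative_unit_ids` changes in the same plan that also touches an `azuread_administrative_unit_member`.

```python
"""Detect a perpetual diff in a Terraform plan taken right after apply.
Added example for this issue; not provider code. Input format: `terraform show -json`."""
import json
import sys
from typing import Any, Dict, List, Tuple

NOOP = ["no-op"]

# Constructed sample: the run *after* a successful apply. The AU is stable, but the
# group drops its administrative_unit_ids and the membership is re-created, i.e. the
# add/remove loop reported in this issue. The GUID is a placeholder.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "azuread_administrative_unit.example",
     "type": "azuread_administrative_unit",
     "change": {"actions": ["no-op"]}},
    {"address": "azuread_group.example",
     "type": "azuread_group",
     "change": {"actions": ["update"],
                "before": {"administrative_unit_ids": ["11111111-1111-1111-1111-111111111111"]},
                "after":  {"administrative_unit_ids": []}}},
    {"address": "azuread_administrative_unit_member.example",
     "type": "azuread_administrative_unit_member",
     "change": {"actions": ["delete", "create"]}}
  ]
}
"""

# Constructed sample of the same stack once ignore_changes = [administrative_unit_ids]
# is set on the group: every resource is a no-op.
CLEAN_PLAN_JSON = """
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "azuread_administrative_unit.example",
     "type": "azuread_administrative_unit", "change": {"actions": ["no-op"]}},
    {"address": "azuread_group.example",
     "type": "azuread_group", "change": {"actions": ["no-op"]}},
    {"address": "azuread_administrative_unit_member.example",
     "type": "azuread_administrative_unit_member", "change": {"actions": ["no-op"]}}
  ]
}
"""


def _resource_changes(plan_json: str) -> List[Dict[str, Any]]:
    return json.loads(plan_json).get("resource_changes", [])


def unstable_resources(plan_json: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """(address, actions) for every resource the plan would touch.
    On a plan taken directly after apply this should be empty; any entry is a
    perpetual diff worth investigating."""
    return [
        (rc["address"], tuple(rc["change"]["actions"]))
        for rc in _resource_changes(plan_json)
        if rc["change"]["actions"] != NOOP
    ]


def overlapping_au_management(plan_json: str) -> List[str]:
    """Addresses of azuread_group resources whose administrative_unit_ids changes
    in a plan that also touches an azuread_administrative_unit_member. That pairing
    is the overlap described in the thread: both resources try to own the membership."""
    changes = _resource_changes(plan_json)
    member_touched = any(
        rc["type"] == "azuread_administrative_unit_member" and rc["change"]["actions"] != NOOP
        for rc in changes
    )
    if not member_touched:
        return []
    flagged = []
    for rc in changes:
        if rc["type"] != "azuread_group":
            continue
        # before/after are absent for create/delete-only changes, hence the "or {}".
        before = (rc["change"].get("before") or {}).get("administrative_unit_ids")
        after = (rc["change"].get("after") or {}).get("administrative_unit_ids")
        if before != after:
            flagged.append(rc["address"])
    return flagged


def report(plan_json: str) -> List[str]:
    """One finding per line; an empty list means the plan is stable."""
    lines = [f"{addr}: {'/'.join(actions)}" for addr, actions in unstable_resources(plan_json)]
    for addr in overlapping_au_management(plan_json):
        lines.append(f"{addr}: administrative_unit_ids conflicts with azuread_administrative_unit_member; "
                     "add lifecycle {{ ignore_changes = [administrative_unit_ids] }} or manage the "
                     "membership from one resource only")
    return lines


if __name__ == "__main__":
    # Pipe `terraform show -json tfplan` into this script; with no input it uses the sample.
    plan = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    findings = report(plan)
    print("\n".join(findings) if findings else "plan is stable")
    sys.exit(1 if findings else 0)
```

In a pipeline this sits after `terraform apply`: run `terraform plan -out=tfplan && terraform show -json tfplan | python check_plan.py` and let the non-zero exit fail the job. It catches the loop reported here on the first post-apply plan instead of after several alternating runs.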
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_administrative_unit_member
Terraform Configuration Files
Debug Output
https://gist.github.com/matthorgan/a09b9aed9c0b1ac145c58f362791544a
Expected Behavior
Entra ID group gets added to the Administrative Unit and on subsequent runs, no changes are expected.
Actual Behavior
The Entra ID group gets added to the Administrative Unit, but on the next run, it gets removed and this add/remove behaviour continues on each run.
Steps to Reproduce
terraform apply
Important Factoids
This issue does not happen if you add a User to the Administrative Unit using `azuread_administrative_unit_member`. It seems specific to the `azuread_group` resource.
In the debug logs it looks like it's using the beta API. Could this be an issue? It looks like AUs have functionality in the v1 of the API.
I've noticed that the state refresh for the `azuread_administrative_unit_member.example` resource can take upwards of a minute.
References
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit_member