Terraform Refresh State of Groups returns could not check for existing group(s)

[DevopsMercenary]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.8

AzureAD Provider Version

3.0.2

I manually deleted the groups and downgraded the provider to 2.53.1 and did not experience this issue

Affected Resource(s)/Data Source(s)

azuread_group

Terraform Configuration Files

resource "azuread_group" "aad-role" {

  for_each = toset( ["admin", "analyst", "delivery", "developer", "etl", "read-only", "solutions", "security-reader"] )

  display_name = format("%s-%s-%s", var.cm-region, "databricks", each.value)

  security_enabled        = "true"
  prevent_duplicate_names = true

}

### Debug Output/Panic Output

```shell
https://gist.github.com/DevopsMercenary/b93ff28402ea15ad1030ec59e0721e66

Expected Behaviour

Updated the names of my groups

Actual Behaviour

│ Error: could not check for existing group(s): unable to list Groups with filter "displayName eq 'read-only'": the context used must have a deadline attached for polling purposes, but got no deadline
│
│   with azuread_group.aad-role["read-only"],
│   on rbac.tf line 20, in resource "azuread_group" "aad-role":
│   20: resource "azuread_group" "aad-role" {
│
╵
╷
│ Error: could not check for existing group(s): unable to list Groups with filter "displayName eq 'delivery'": the context used must have a deadline attached for polling purposes, but got no deadline
│
│   with azuread_group.aad-role["delivery"],
│   on rbac.tf line 20, in resource "azuread_group" "aad-role":
│   20: resource "azuread_group" "aad-role" {
│
╵
╷
│ Error: could not check for existing group(s): unable to list Groups with filter "displayName eq 'developer'": the context used must have a deadline attached for polling purposes, but got no deadline
│
│   with azuread_group.aad-role["developer"],
│   on rbac.tf line 20, in resource "azuread_group" "aad-role":
│   20: resource "azuread_group" "aad-role" {
│
╵

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[DevopsMercenary]

HI, any updates on this?

I've run into this issue again today as well.

Terraform v1.9.8
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azuread v3.0.2
+ provider registry.terraform.io/hashicorp/azurerm v4.8.0
+ provider registry.terraform.io/hashicorp/random v3.6.3

I would guess that this is being caused by prevent_duplicate_names = true

resource "azuread_group" "blob-read-write" {

  display_name            = "sales-blob-read-write"
  prevent_duplicate_names = true

  description = "Allow group members to read and modify all containers in the storage account ${local.storage-account-resource-map.resource_name}"

  security_enabled = true
}

[DevopsMercenary]

This issue continues to persist.

2024-11-20T16:52:41.004-0500 [INFO]  provider.terraform-provider-azuread_v3.0.2_x5: 2024/11/20 16:52:41 [DEBUG] ============================ Begin AzureAD Request ============================
Request ID: b4ecf8cf-4259-a7ae-556a-8a7353ed0b83

GET /beta/groups/2131acbe-9482-4e61-bdf9-4dbdf7fe8cf5/memberOf HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.9.8 (+https://www.terraform.io) Terraform Plugin SDK/2.34.0 terraform-provider-azuread/3.0.2 HashiCorp/go-azure-sdk (Go-http-Client/1.1 MicrosoftGraph-memberof/beta) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
Accept-Encoding: gzip

============================= End AzureAD Request =============================: timestamp=2024-11-20T16:52:41.004-0500

2024-11-20T16:52:41.592-0500 [INFO]  provider.terraform-provider-azuread_v3.0.2_x5: 2024/11/20 16:52:41 [DEBUG] ============================ Begin AzureAD Response ===========================
GET https://graph.microsoft.com/beta/groups/2131acbe-9482-4e61-bdf9-4dbdf7fe8cf5/memberOf
Request ID: b4ecf8cf-4259-a7ae-556a-8a7353ed0b83

HTTP/2.0 200 OK
Cache-Control: no-cache
Client-Request-Id: 5e16c148-3dd1-4b5e-8587-68d65a31c53a
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Wed, 20 Nov 2024 21:52:41 GMT
Odata-Version: 4.0
Request-Id: 5e16c148-3dd1-4b5e-8587-68d65a31c53a
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"North Central US","Slice":"E","Ring":"4","ScaleUnit":"000","RoleInstance":"CH01EPF0004B330"}}
X-Ms-Resource-Unit: 2

{"@odata.context":"https://graph.microsoft.com/beta/$metadata#directoryObjects","value":[]}
============================= End AzureAD Response ============================: timestamp=2024-11-20T16:52:41.592-0500
2024-11-20T16:52:41.595-0500 [ERROR] provider.terraform-provider-azuread_v3.0.2_x5: Response contains error diagnostic: @module=sdk.proto diagnostic_summary="could not check for existing group(s): unable to list Groups with filter \"displayName eq 'ai-service-sa-container-read-write'\": the context used must have a deadline attached for polling purposes, but got no deadline" tf_provider_addr=registry.terraform.io/hashicorp/azuread @caller=github.com/hashicorp/terraform-plugin-go@v0.24.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_severity=ERROR tf_proto_version=5.6 tf_req_id=e950719c-ec90-a130-c07c-c3f22ea91120 tf_resource_type=azuread_group tf_rpc=PlanResourceChange timestamp=2024-11-20T16:52:41.595-0500
2024-11-20T16:52:41.595-0500 [ERROR] vertex "module.storage-account-rbac.azuread_group.container-read-write" error: could not check for existing group(s): unable to list Groups with filter "displayName eq 'ai-service-sa-container-read-write'": the context used must have a deadline attached for polling purposes, but got no deadline
2024-11-20T16:52:41.595-0500 [ERROR] vertex "module.storage-account-rbac.azuread_group.container-read-write (expand)" error: could not check for existing group(s): unable to list Groups with filter "displayName eq 'ai-service-sa-container-read-write'": the context used must have a deadline attached for polling purposes, but got no deadline

[DevopsMercenary]

More details that I've discovered and that it appears to be from the moved blocks that I have in the code in a module I'm using...

Minimal Config Example

Root-Module

main.tf

module "storage-account-rbac" {

  source = "./sub module"

}

Sub Module

moved {
  from = azuread_group.blob-read-write
  to   = azuread_group.container-read-write
}
resource "azuread_group" "container-read-write" {

  display_name            = "container-read-write"
  prevent_duplicate_names = true
  description = "Allow group members to read and modify all containers"
  security_enabled = true
}

[DevopsMercenary]

Because I was renaming these groups, I removed the three groups that I was renaming ( new TF resource names and updated group names ) from the terraform remote state tf state rm using the old resource name.

Then imported the group again with the new terraform resource name.

Tried Applying and it failed again with the same errors as before.

I then went ahead an manually went into Entra and updated the names of the groups that I was changing to their new names.

Now, running tf apply this all worked.