hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Discrete feature to create multiple AAD Group Owners #435

Open nitmatgeo opened 3 years ago

nitmatgeo commented 3 years ago

Description

I would like to recommend adding another resource, azuread_group_owners, similar to azuread_group_member. This will help to configure multiple owners or add/remove owners; otherwise, this is causing an issue when we use CSV files to create groups/owners.

Please let me know if this could be implemented, it should be easy and very similar to azuread_group_member.

New or Affected Resource(s)

Potential Terraform Configuration

resource "azuread_group_owner" "test" {
  group_object_id = azuread_group.example.id
  owner_object_id = data.azuread_user.example.id
}

manicminer commented 3 years ago

Hi @nitmatgeo, thanks for requesting. I've gone ahead and updated your initial comment using our issue template for feature requests as this aids us in reviewing.

You are correct, this should be a relatively straightforward resource to implement. At the moment, the AzureAD provider is in a feature freeze whilst we implement major changes for the ongoing Microsoft Graph transition. However, once we are able to merge new features we'll be able to work on this.

manicminer commented 3 years ago

Due to ongoing API issues I'm going to mark this one as blocked for now.

For context, since moving to MS Graph and then again after adding support for unified groups (aka M365/O365 groups) we've had to take great care to conform to new constraints on group ownership whilst maintaining compatibility for Terraform users who may or may not have permissions to read/write all groups in their tenant. At this time we are complying with these constraints, however reports continue of potential API errors, and so to avoid breaking existing configurations this feature will be on hold until we have further clarification. Thanks!

pcornelissen commented 2 years ago

Well, the problem is still present in recent azuread terraform + public azure-api combinations. Right now I can't create a group via terraform, because I get the duplicate owner error with http status 400. If there is right now a problem that somehow the owner gets assigned twice somewhere along the call chain, why is that not silently discarded, at least until the internal problem is fixed? The intent is to create the group and the desired owner is clearly present in the request (although it's duplicated, but still the intent is crystal clear). Why can't you just ignore the duplicate value in this case and treat it as a "set" instead of a list?
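An added example, not from the issue or from the provider's own code, showing the CSV-driven group/owner layout the request describes and the "set instead of list" handling argued for above, using the provider's existing azuread_group owners argument rather than the proposed resource; the CSV file, its rows and the azuread v2.x attribute names are assumptions.

```hcl
# Constructed example (not from the issue). Assumed CSV file groups.csv,
# one row per group/owner pair, including a duplicate row on purpose:
#   group_name,owner_upn
#   sg-finance,alice@example.com
#   sg-finance,bob@example.com
#   sg-finance,alice@example.com
#   sg-ops,carol@example.com

locals {
  rows = csvdecode(file("${path.module}/groups.csv"))

  # Group the rows by group name; toset() collapses the duplicate owner
  # entry so the same owner is never declared twice for one group.
  groups = {
    for name in distinct([for r in local.rows : r.group_name]) :
    name => toset([for r in local.rows : r.owner_upn if r.group_name == name])
  }

  # Every distinct owner UPN across all groups, for the user lookups below.
  all_owners = toset([for r in local.rows : r.owner_upn])
}

# Resolve each owner UPN to its object ID once (azuread_user data source).
data "azuread_user" "owner" {
  for_each            = local.all_owners
  user_principal_name = each.value
}

# One security group per CSV group name, with its deduplicated owner set
# passed through the existing inline "owners" argument (azuread v2.x names).
resource "azuread_group" "this" {
  for_each         = local.groups
  display_name     = each.key
  security_enabled = true

  owners = [for upn in each.value : data.azuread_user.owner[upn].object_id]
}
```

With the constructed CSV above, sg-finance ends up with exactly two owners (alice and bob) and sg-ops with one, regardless of how many times a row is repeated.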

sumitkatre123 commented 2 years ago

Any news/update? It is pushing us away from Terraform and forcing us to do things manually.

sumitkatre123 commented 2 years ago

or any workaround would be great :)

VPPetr commented 3 months ago

Is there anything as a workaround?

manicminer commented 3 months ago

This is blocked by various API issues including #1435