hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_group resource fails with "unexpected status 404 with OData error" after it is created #791

Open nziegler opened 2 years ago

nziegler commented 2 years ago

Community Note

Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritise this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.1.9
Azuread Plugin Version v2.22.0

Affected Resource(s)

azuread_2.22.0
azuread_group
azuread_group_member

Debug Output

 Terraform will perform the following actions:

  # azuread_directory_role.this will be created
  + resource "azuread_directory_role" "this" {
      + description  = (known after apply)
      + display_name = "Security administrator"
      + id           = (known after apply)
      + object_id    = (known after apply)
      + template_id  = (known after apply)
    }

  # azuread_group.test_group_for_group_membership will be created
  + resource "azuread_group" "test_group_for_group_membership" {
      + auto_subscribe_new_members     = (known after apply)
      + display_name                   = "Test_group_for_group_membership"
      + external_senders_allowed       = (known after apply)
      + hide_from_address_lists        = (known after apply)
      + hide_from_outlook_clients      = (known after apply)
      + id                             = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = (known after apply)
      + members                        = (known after apply)
      + object_id                      = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_netbios_name        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + owners                         = (known after apply)
      + preferred_language             = (known after apply)
      + prevent_duplicate_names        = false
      + proxy_addresses                = (known after apply)
      + security_enabled               = true
      + visibility                     = (known after apply)
    }

  # azuread_user.group_owner will be created
  + resource "azuread_user" "group_owner" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + business_phones                = (known after apply)
      + creation_type                  = (known after apply)
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "GroupOwner"
      + external_user_state            = (known after apply)
      + force_password_change          = false
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = "example-group-owner"
      + object_id                      = (known after apply)
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + password                       = (sensitive value)
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + user_principal_name            = "example-group-owner@xxx.onmicrosoft.com"
      + user_type                      = (known after apply)
    }

  # azuread_user.test_group_user_1 will be created
  + resource "azuread_user" "test_group_user_1" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + business_phones                = (known after apply)
      + creation_type                  = (known after apply)
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "T. GroupUserOne"
      + external_user_state            = (known after apply)
      + force_password_change          = false
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = "tgroupuserone"
      + object_id                      = (known after apply)
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + password                       = (sensitive value)
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + user_principal_name            = "test_group_user_1@xxx.onmicrosoft.com"
      + user_type                      = (known after apply)
    }

  # azuread_user.test_group_user_2 will be created
  + resource "azuread_user" "test_group_user_2" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + business_phones                = (known after apply)
      + creation_type                  = (known after apply)
      + department                     = "Sales"
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "T. GroupUserTwo"
      + external_user_state            = (known after apply)
      + force_password_change          = false
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = "tgroupusertwo"
      + object_id                      = (known after apply)
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + password                       = (sensitive value)
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + user_principal_name            = "test_group_user_2@xxx.onmicrosoft.com"
      + user_type                      = (known after apply)
    }

  # random_string.this will be created
  + resource "random_string" "this" {
      + id          = (known after apply)
      + length      = 3
      + lower       = true
      + min_lower   = 3
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + result      = (known after apply)
      + special     = false
      + upper       = true
    }

  # module.azuread_directory_role.azuread_directory_role.this["role1"] will be created
  + resource "azuread_directory_role" "this" {
      + description  = (known after apply)
      + display_name = (known after apply)
      + id           = (known after apply)
      + object_id    = (known after apply)
      + template_id  = "194ae4cb-b126-40b2-bd5b-6091b380977d"
    }

  # module.azuread_directory_role.azuread_directory_role.this["role2"] will be created
  + resource "azuread_directory_role" "this" {
      + description  = (known after apply)
      + display_name = "Printer administrator"
      + id           = (known after apply)
      + object_id    = (known after apply)
      + template_id  = (known after apply)
    }

  # module.azuread_directory_role_members.azuread_directory_role_member.this["directory_role_member1"] will be created
  + resource "azuread_directory_role_member" "this" {
      + id               = (known after apply)
      + member_object_id = (known after apply)
      + role_object_id   = (known after apply)
    }

  # module.azuread_group.azuread_group.this["group1"] will be created
  + resource "azuread_group" "this" {
      + assignable_to_role             = true
      + auto_subscribe_new_members     = (known after apply)
      + behaviors                      = [
          + "AllowOnlyMembersToPost",
        ]
      + description                    = "Microsoft 365 group"
      + display_name                   = "TestGroup1Microsoft365"
      + external_senders_allowed       = (known after apply)
      + hide_from_address_lists        = (known after apply)
      + hide_from_outlook_clients      = (known after apply)
      + id                             = (known after apply)
      + mail                           = (known after apply)
      + mail_enabled                   = true
      + mail_nickname                  = "NicknameTestGroup1Microsoft365"
      + members                        = (known after apply)
      + object_id                      = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_netbios_name        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + owners                         = (known after apply)
      + preferred_language             = (known after apply)
      + prevent_duplicate_names        = true
      + provisioning_options           = [
          + "Team",
        ]
      + proxy_addresses                = (known after apply)
      + security_enabled               = true
      + theme                          = "Blue"
      + types                          = [
          + "Unified",
        ]
      + visibility                     = "Private"
    }

  # module.azuread_group_member.azuread_group_member.this["group_member1"] will be created
  + resource "azuread_group_member" "this" {
      + group_object_id  = (known after apply)
      + id               = (known after apply)
      + member_object_id = (known after apply)
    }

  # module.azuread_users.azuread_user.this["user1"] will be created
  + resource "azuread_user" "this" {
      + about_me                       = (known after apply)
      + account_enabled                = true
      + age_group                      = "Adult"
      + business_phones                = [
          + "123123123",
        ]
      + city                           = "TestCity"
      + company_name                   = "TestCompany"
      + consent_provided_for_minor     = "NotRequired"
      + cost_center                    = "123456"
      + country                        = "TestCountry"
      + creation_type                  = (known after apply)
      + department                     = "TestDepartment"
      + disable_password_expiration    = false
      + disable_strong_password        = false
      + display_name                   = "TestUser1"
      + division                       = "TestDivision"
      + employee_id                    = "1234567890"
      + employee_type                  = "Employee"
      + external_user_state            = (known after apply)
      + fax_number                     = "8889999000"
      + force_password_change          = false
      + given_name                     = "TestGivenName"
      + id                             = (known after apply)
      + im_addresses                   = (known after apply)
      + job_title                      = "TestJobTitle"
      + mail                           = "testuser1@xxx.de"
      + mail_nickname                  = "testuser1"
      + mobile_phone                   = "999888777"
      + object_id                      = (known after apply)
      + office_location                = "TestLocation"
      + onpremises_distinguished_name  = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_immutable_id        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + onpremises_user_principal_name = (known after apply)
      + other_mails                    = [
          + "testuser1_other@xxx.test",
        ]
      + password                       = (sensitive value)
      + postal_code                    = "12345"
      + preferred_language             = "en"
      + proxy_addresses                = (known after apply)
      + show_in_address_list           = true
      + state                          = "TestState"
      + street_address                 = "TestAddress"
      + surname                        = "TestSurname"
      + usage_location                 = "DE"
      + user_principal_name            = "testuser1@xxx.onmicrosoft.com"
      + user_type                      = (known after apply)
    }

Plan: 12 to add, 0 to change, 0 to destroy.

Panic Output

Expected Behavior

Actual Behavior

╷
│ Error: Could not retrieve group with object UID "6ecd7032-d911-4727-8ba0-db26d1299329"
│
│   with module.azuread_group.azuread_group.this["group1"],
│   on ....\main.tf line 60, in resource "azuread_group" "this":
│   60: resource "azuread_group" "this" {
│
│ retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group
│ '6ecd7032-d911-4727-8ba0-db26d1299329@9ab78acf-ebb8-4aa4-ac94-f43b0118b3ae' is invalid.

Steps to Reproduce

terraform apply

Important Factoids

The groups and the users are successfully created, but every refresh after the initial create fails. So it fails during the first apply, and then again on a repeated apply. Terraform refresh or destroy will fail with the same error.

The same error is shown on AzureAD provider version 2.19 (this was an attempt to update a module to 2.22).

References

nziegler commented 2 years ago

Debug.log

manicminer commented 2 years ago

Hi @nziegler, thanks for reporting this and for attaching a log. This is an API inconsistency error which we might be able to work around, but I will have to experiment a little. If you can provide any additional context, the following would be really useful:

Thanks!

nziegler commented 2 years ago

I am running the commands on a Windows 10 virtual machine and sometimes plain Windows 10. My colleague runs it on a Mac with the same error.

We are using a test scenario to try out our identity objects module where we create 4 different groups (Security group, O365 unified group, with or without dynamic membership). But for testing purposes, I reduced it to 1 group and it still fails.

Prior to the groups I create three users (two members and one owner) used for testing group membership. As mentioned, all the resources get created successfully and the GUID that the error shows as supposedly invalid matches the group GUID in Azure AD.

trinka-battelle commented 2 years ago

I can duplicate this same issue. Creating one group on Ubuntu.

Terraform v1.2.2 on linux_amd64

manicminer commented 2 years ago

@trinka-battelle Please provide a debug log whilst reproducing as this is necessary to see the complete sequence of events/errors, thanks!

@nziegler I noticed in your debug.log that the tenant ID seems to be omitted. At first I thought this was redacted but we recently fixed a bug that could cause a missing tenant ID in API requests - could you please try to reproduce this with v2.24.0 and advise if you're still getting the ErrorInvalidGroup error? Thanks!
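The two things the maintainer asks about above, whether the group ID Terraform reports matches the one in the OData message and whether the tenant ID after the `@` is missing, can be checked mechanically. This is an added triage helper, not provider code; the error texts it parses are constructed from the messages quoted in this thread, and the missing-tenant variant is hypothetical.

```python
import re

# Constructed sample: the provider error as quoted in this issue, including
# Terraform's box-drawing prefixes.
SAMPLE_ERROR = """╷
│ Error: Could not retrieve group with object UID "6ecd7032-d911-4727-8ba0-db26d1299329"
│
│   with module.azuread_group.azuread_group.this["group1"],
│
│ retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group
│ '6ecd7032-d911-4727-8ba0-db26d1299329@9ab78acf-ebb8-4aa4-ac94-f43b0118b3ae' is invalid.
╵"""

# Hypothetical variant with nothing after the '@', mirroring the omitted tenant ID
# the maintainer noticed in the debug log (constructed, not from the thread).
SAMPLE_MISSING_TENANT = """Error: Could not retrieve group with object UID "6ecd7032-d911-4727-8ba0-db26d1299329"
retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group
'6ecd7032-d911-4727-8ba0-db26d1299329@' is invalid."""

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
UID_RE = re.compile(r'object UID "(' + GUID + r')"')
STATUS_RE = re.compile(r"unexpected status (\d+)")
# The OData message carries '<group object id>@<tenant id>'; the tenant part is optional here
# so that an omitted tenant ID is detected instead of failing to parse.
ODATA_RE = re.compile(r"ErrorInvalidGroup: The requested group\s+'(" + GUID + r")@(" + GUID + r")?'")
BOX_PREFIX_RE = re.compile(r"^[╷│╵]\s?", re.M)


def triage_invalid_group(text: str) -> dict:
    """Parse one ErrorInvalidGroup failure and report the IDs plus two consistency flags."""
    text = BOX_PREFIX_RE.sub("", text)  # drop Terraform's diagnostic borders
    uid = UID_RE.search(text)
    odata = ODATA_RE.search(text)
    if not uid or not odata:
        return {"matched": False}
    status = STATUS_RE.search(text)
    object_uid = uid.group(1).lower()
    group_id = odata.group(1).lower()
    tenant_id = odata.group(2).lower() if odata.group(2) else None
    return {
        "matched": True,
        "status": int(status.group(1)) if status else None,
        "object_uid": object_uid,
        "group_id": group_id,
        "tenant_id": tenant_id,
        # Same GUID in both places: Terraform asked for exactly the group it just created,
        # so the 404 is about the read, not a wrong ID.
        "ids_consistent": object_uid == group_id,
        # No tenant after '@' points at the request-building bug mentioned above rather
        # than at the directory not knowing the group yet.
        "tenant_missing": tenant_id is None,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ERROR, SAMPLE_MISSING_TENANT):
        print(triage_invalid_group(sample))
```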

wernerfred commented 2 years ago

> @nziegler I noticed in your debug.log that the tenant ID seems to be omitted. At first I thought this was redacted but we recently fixed a bug that could cause a missing tenant ID in API requests - could you please try to reproduce this with v2.24.0 and advise if you're still getting the ErrorInvalidGroup error? Thanks!

I will try to reproduce

wernerfred commented 2 years ago

Applying the example from above with provider version 2.25 passes without errors (apart from deprecation warnings). Seems like the fix @manicminer mentioned did the trick!

MayuriD89 commented 2 years ago

Seems it's not been fixed yet; I'm still getting the same error while creating a group with the unified type. The behavior is also the same as you mentioned earlier: it gets created in the portal, but Terraform throws this error message -

Error: Could not retrieve group with object UID "4531a726-efe9-45dd-adac-de4a82a23650" retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group '4531a726-efe9-45dd-adac-de4a82a23650@4a1faaae-19b8-4549-af5d-c9852b29f166' is invalid.

Code that I am running -

azuread_group = {
  group-test01 = {
    DataSource = {
      members = {
        group_display_names  = []
        sp_display_names     = []
        user_principal_names = []
      }
      owners = {
        sp_display_names     = ["app-test01"]
        user_principal_names = []
      }
    }
    assignable_to_role         = false
    auto_subscribe_new_members = false
    behaviors                  = ["WelcomeEmailDisabled", "HideGroupInOutlook"]
    description                = "This is a group of type Unified type"
    display_name               = "group-test01"
    external_senders_allowed   = false
    hide_from_address_lists    = false
    hide_from_outlook_clients  = false
    mail_enabled               = true
    mail_nickname              = "grouptest01_mail1"
    prevent_duplicate_names    = true
    provisioning_options       = ["Team"]
    security_enabled           = true
    theme                      = "Orange"
    types                      = ["Unified"]
    visibility                 = "Private"
  }
}

I have checked it with Terraform provider versions 2.20.0 to 2.26.1 (current latest) and Terraform version 1.0.0.

Please let me know what I am doing wrong here.

MayuriD89 commented 2 years ago

May I know which authentication method you are using to execute this resource?

wernerfred commented 2 years ago

az login with user credentials. No SP.

Sorry I haven't had time to test again but it is on the list ;)

MayuriD89 commented 2 years ago

It's okay @wernerfred. And the user you are authenticating with must be a 'Member' type user, right? Not a guest. Actually I was authenticating with an SP, but then I tried with a 'member' user and the group gets created successfully; but if I use an SP in owners it again gives me the same kind of error. In the Terraform documentation too it is not clearly mentioned for 'Unified' groups.

NOTE: The error comes only for the 'Unified' type of group; a 'Dynamic' membership group gets created successfully.

group-test01 = {
  DataSource = {
    members = {
      user_principal_names = ["xyz.com#EXT#@pcz1215pcsacore.onmicrosoft.com"]
    }
    owners = {
      // sp_display_names     = ["app-test01","sp-test01"]
      user_principal_names = ["xyz01@pcz1215pcsacore.onmicrosoft.com"]
    }
  }
  auto_subscribe_new_members = false
  description                = "365 group"
  behaviors                  = ["WelcomeEmailDisabled", "HideGroupInOutlook"]
  display_name               = "group-test01"
  hide_from_address_lists    = false
  hide_from_outlook_clients  = false
  mail_enabled               = true
  mail_nickname              = "grouptest01_mail"
  theme                      = "Orange"
  types                      = ["Unified"]
}

Also, whenever you test, please try to create it without a description and with an SP specified in the owners block.

tkostyrka commented 1 year ago

Hi, same issue. Group is created, consecutive plan/apply/destroy execution fails with: "│ retrieving additional fields: GroupsClient.BaseClient.Get(): unexpected status 404 with OData error: ErrorInvalidGroup: The requested group │ '5b2dd0c8-7798-47b8-924e-b93ed1ced3a3@b092c121-4bf9-4608-830c-cdca1cedfa36' is invalid."

terraform version = 1.3.3
azuread version = 2.29.0
authentication = service principal client/secret, full access (admin)
subscription = Free Tier

dummy example:

resource "azuread_group" "group002" {
  display_name  = "TestGroup002"
  description   = "TestGroup002 description"

  mail_enabled  = true
  mail_nickname = "TestGroup002"
  types         = ["Unified"]
}