hashicorp / terraform-provider-azurerm


azurerm_subnet_network_security_group_association not applying #18724

Open arbitmcdonald opened 1 year ago

arbitmcdonald commented 1 year ago



Terraform Version

1.3.2

AzureRM Provider Version

3.26.0

Affected Resource(s)/Data Source(s)

azurerm_active_directory_domain_service

Terraform Configuration Files

// CLIENT CODE
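variable "client_code" {
  description = "Client code? (e.g. 'TST')"
  // Explicit type constraint: rejects non-string input at plan time instead of failing later in upper().
  type        = string
  default     = "TST"
}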

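variable "location_primary" {
  description = "Primary location string? (e.g. 'uksouth')"
  // Explicit type constraint so the value is validated as a string at plan time.
  type        = string
  default     = "uksouth"
}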

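variable "vnet_address_space_primary" {
  description = "Primary vNet address space? (e.g. '10.0.0.0/16')"
  // Explicit type constraint; the value is used as a single CIDR element of the vNet address_space list.
  type        = string
  default     = "10.0.0.0/16"
}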

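variable "subnet_address_range_primary_aadds" {
  description = "AADDS subnet range for primary location? (e.g. '10.0.1.0/27')"
  // Explicit type constraint. NOTE(review): the subnet resource below repeats this default as a
  // literal instead of referencing the variable, so overriding it has no effect there.
  type        = string
  default     = "10.0.1.0/27"
}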

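variable "admin_username" {
  description = "Local Admin Username"
  // Explicit type constraint; combined with var.onmicrosoft_domain to form the admin UPN.
  type        = string
  default     = "someuser"
}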

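variable "admin_password" {
  description = "Admin Password"
  type        = string
  // Marked sensitive so the value is redacted from plan/apply output and from any
  // output that derives from it.
  sensitive   = true
  // NOTE(review): a credential as a default lives in the committed configuration. Supply it
  // out of band instead (a .tfvars file that is not committed, or TF_VAR_admin_password) and
  // drop the default once callers no longer rely on it.
  default     = "3rgSdfsdfdf^dWC"
}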

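variable "onmicrosoft_domain" {
  description = "Domain to join"
  // Explicit type constraint; used as both the resource name and domain_name of the managed domain.
  type        = string
  default     = "myredactedsubsomain.onmicrosoft.com"
}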

resource "azurerm_resource_group" "access_primary" {
  // Resource group holding the access-layer resources (the NSG), named RG-<CLIENT>-<LOCATION CODE>-ACCESS.
  // NOTE(review): var.location_primary_code is not declared in this snippet — presumably defined
  // elsewhere in the larger file it was taken from.
  name     = format("RG-%s-%s-ACCESS", upper(var.client_code), upper(var.location_primary_code))
  location = var.location_primary
  tags     = { environment = "demo" }
}

resource "azurerm_resource_group" "management_primary" {
  // Resource group holding the vNet, subnet and DNS settings, named RG-<CLIENT>-<LOCATION CODE>-MANAGEMENT.
  // NOTE(review): var.location_primary_code is not declared in this snippet.
  name     = format("RG-%s-%s-MANAGEMENT", upper(var.client_code), upper(var.location_primary_code))
  location = var.location_primary
  tags     = { environment = "demo" }
}

resource "azurerm_resource_group" "aadds" {
  // Resource group for the managed domain itself; no tags, unlike the two groups above.
  // NOTE(review): var.location_primary_code is not declared in this snippet.
  name     = format("RG-%s-%s-AADDS", upper(var.client_code), upper(var.location_primary_code))
  location = var.location_primary
}

resource "azurerm_virtual_network" "primary" {
  // Primary vNet, placed in the management resource group with a single address space.
  name                = format("VNet-%s-%s-01", upper(var.client_code), upper(var.location_primary_code))
  resource_group_name = azurerm_resource_group.management_primary.name
  location            = azurerm_resource_group.management_primary.location
  address_space       = [var.vnet_address_space_primary]

  // Already implied by the attribute references above; kept as an explicit ordering hint.
  depends_on = [azurerm_resource_group.management_primary]
}

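resource "azurerm_subnet" "aadds_primary" {
  // Dedicated subnet for the managed domain's replica set.
  name                 = format("SUBNET-%s-%s-AADDS", upper(var.client_code), upper(var.location_primary_code))
  resource_group_name  = azurerm_resource_group.management_primary.name
  virtual_network_name = azurerm_virtual_network.primary.name
  // Reference the declared variable instead of repeating its default as a literal, so that a
  // non-default var.subnet_address_range_primary_aadds actually changes the subnet. The default
  // is the same "10.0.1.0/27", so the resulting subnet is unchanged for existing callers.
  address_prefixes     = [var.subnet_address_range_primary_aadds]

  // Already implied by the references above; kept as an explicit ordering hint.
  depends_on = [
    azurerm_virtual_network.primary,
    azurerm_resource_group.management_primary
  ]
}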

resource "azurerm_virtual_network_dns_servers" "aadds_dns_primary" {
  // Points the whole vNet at two fixed addresses inside the AADDS subnet before the domain exists.
  // NOTE(review): nothing in this configuration guarantees the managed domain's controllers end
  // up on 10.0.1.4 and 10.0.1.5 — confirm against the domain's replica set once it is created.
  virtual_network_id = azurerm_virtual_network.primary.id
  dns_servers        = ["10.0.1.4", "10.0.1.5"]

  depends_on = [azurerm_virtual_network.primary, azurerm_subnet.aadds_primary]
}

resource "azurerm_network_security_group" "aadds_primary" {
  // NSG for the AADDS subnet; lives in the access resource group, separate from the subnet's group.
  name                = format("NSG-%s-%s-ACCESS", upper(var.client_code), upper(var.location_primary_code))
  location            = azurerm_resource_group.access_primary.location
  resource_group_name = azurerm_resource_group.access_primary.name

  // All four rules are inbound TCP allow rules from any source port to any destination address;
  // only name, priority, destination port and source differ, so they are expressed as data.
  //   AllowSyncWithAzureAD / AllowPSRemoting: 443 and 5986 from the AzureActiveDirectoryDomainServices
  //     service tag (the platform's own management traffic; the failing connectivity test in this
  //     issue targets port 5986).
  //   AllowRD: 3389 from the CorpNetSaw service tag, presumably for Microsoft support access.
  //   AllowLDAPS: 636 from "*" — NOTE(review): this admits LDAPS from any source; if secure LDAP is
  //     exposed on a public address this is reachable from the Internet. Restrict the source to the
  //     ranges that actually need it.
  dynamic "security_rule" {
    for_each = [
      { name = "AllowSyncWithAzureAD", priority = 101, port = "443",  source = "AzureActiveDirectoryDomainServices" },
      { name = "AllowRD",              priority = 201, port = "3389", source = "CorpNetSaw" },
      { name = "AllowPSRemoting",      priority = 301, port = "5986", source = "AzureActiveDirectoryDomainServices" },
      { name = "AllowLDAPS",           priority = 401, port = "636",  source = "*" },
    ]
    content {
      name                       = security_rule.value.name
      priority                   = security_rule.value.priority
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = "Tcp"
      source_port_range          = "*"
      destination_port_range     = security_rule.value.port
      source_address_prefix      = security_rule.value.source
      destination_address_prefix = "*"
    }
  }

  // Already implied by the references above; kept as an explicit ordering hint.
  depends_on = [azurerm_resource_group.access_primary]
}

resource "azurerm_subnet_network_security_group_association" "aadds_primary" {
  // Attaches the NSG above to the AADDS subnet (cross-resource-group association).
  network_security_group_id = azurerm_network_security_group.aadds_primary.id
  subnet_id                 = azurerm_subnet.aadds_primary.id

  // Already implied by the two id references; kept as an explicit ordering hint.
  depends_on = [
    azurerm_virtual_network.primary,
    azurerm_subnet.aadds_primary,
    azurerm_network_security_group.aadds_primary
  ]
}

// Service principal for the Domain Controller Services published application, which the
// managed domain is created after (see depends_on below).
resource "azuread_service_principal" "aadds_primary" {
  application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36"
}

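resource "azurerm_active_directory_domain_service" "primary" {
  // Managed domain; both the resource name and the domain name come from var.onmicrosoft_domain.
  name                = var.onmicrosoft_domain
  location            = azurerm_resource_group.aadds.location
  resource_group_name = azurerm_resource_group.aadds.name

  domain_name           = var.onmicrosoft_domain
  sku                   = "Standard"
  filtered_sync_enabled = false

  // The first replica set is placed in the dedicated AADDS subnet.
  initial_replica_set {
    subnet_id = azurerm_subnet.aadds_primary.id
  }

  notifications {
    // Plain function call: the previous "${join(...)}" wrapper was a redundant
    // interpolation-only expression, and this now matches how azuread_user.admin builds the UPN.
    additional_recipients = [join("@", [var.admin_username, var.onmicrosoft_domain])]
    notify_dc_admins      = true
    notify_global_admins  = true
  }

  security {
    // Password-hash synchronisation flags for the managed domain (as named by the provider).
    sync_kerberos_passwords = true
    sync_ntlm_passwords     = true
    sync_on_prem_passwords  = true
  }

  // The NSG association, the service principal and the vNet DNS settings are not referenced by
  // any attribute above, so they only order before the domain because they are listed here.
  depends_on = [
    azuread_service_principal.aadds_primary,
    azurerm_subnet_network_security_group_association.aadds_primary,
    azurerm_subnet.aadds_primary,
    azurerm_resource_group.aadds,
    azurerm_network_security_group.aadds_primary,
    azurerm_virtual_network_dns_servers.aadds_dns_primary,
    azurerm_virtual_network.primary
  ]
}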

resource "azuread_group" "aadds_administrators" {
  // Security group that the admin user below is added to; created only after the managed domain.
  security_enabled = true
  display_name     = "AAD DC Administrators"

  depends_on = [azurerm_active_directory_domain_service.primary]
}

resource "azuread_user" "admin" {
  // Admin user <admin_username>@<onmicrosoft_domain>; the password comes from var.admin_password,
  // so that variable is what must be kept out of plan output and committed files.
  display_name        = var.admin_username
  user_principal_name = join("@", [var.admin_username, var.onmicrosoft_domain])
  password            = var.admin_password

  depends_on = [
    azurerm_active_directory_domain_service.primary,
    azuread_group.aadds_administrators
  ]
}

resource "azuread_group_member" "admin" {
  // Puts the admin user into the AAD DC Administrators group.
  member_object_id = azuread_user.admin.object_id
  group_object_id  = azuread_group.aadds_administrators.object_id

  // The group and user are already implied by the object_id references; the domain is not.
  depends_on = [
    azurerm_active_directory_domain_service.primary,
    azuread_group.aadds_administrators,
    azuread_user.admin
  ]
}

Debug Output/Panic Output

{"id":"/subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f","name":"0d491852-d7f4-4687-a5fe-3410ba3a916f","status":"Creating","startTime":"0001-01-01T08:00:00Z","endTime":"0001-01-01T08:00:00Z","percentComplete":0.0}: timestamp=2022-10-12T16:53:01.104+0100
azurerm_active_directory_domain_service.primary: Still creating... [15m40s elapsed]
azurerm_active_directory_domain_service.primary: Still creating... [15m50s elapsed]
azurerm_active_directory_domain_service.primary: Still creating... [16m0s elapsed]
2022-10-12T16:53:31.110+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: AzureRM Request:
GET /subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f?api-version=2021-05-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.18.5 (386-windows) go-autorest/v14.2.1 hashicorp/go-azure-sdk/domainservices/2021-05-01 HashiCorp Terraform/1.3.2 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: 30b7687d-538e-4564-2be5-6acfd84f0498
Accept-Encoding: gzip: timestamp=2022-10-12T16:53:31.109+0100
2022-10-12T16:53:31.809+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: AzureRM Response for https://management.azure.com/subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f?api-version=2021-05-01:
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Wed, 12 Oct 2022 15:53:30 GMT
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 30b7687d-538e-4564-2be5-6acfd84f0498
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11965
X-Ms-Request-Id: 67c3d721-6c30-4dc9-96ac-a048ebb3c7f7
X-Ms-Routing-Request-Id: UKSOUTH:20221012T155331Z:e5ffce89-2e34-4f69-b96f-4e076c628f06

{"id":"/subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f","name":"0d491852-d7f4-4687-a5fe-3410ba3a916f","status":"Failed","startTime":"0001-01-01T08:00:00Z","endTime":"0001-01-01T08:00:00Z","percentComplete":0.0,"error":{"code":"InternalError","message":"Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986"}}: timestamp=2022-10-12T16:53:31.809+0100
2022-10-12T16:53:31.809+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: Unlocking "azurerm_active_directory_domain_service.redacted.onmicrosoft.com": timestamp=2022-10-12T16:53:31.809+0100
2022-10-12T16:53:31.811+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: Unlocked "azurerm_active_directory_domain_service.redacted.onmicrosoft.com": timestamp=2022-10-12T16:53:31.809+0100
2022-10-12T16:53:31.811+0100 [ERROR] provider.terraform-provider-azurerm_v3.26.0_x5.exe: Response contains error diagnostic: tf_provider_addr=provider tf_req_id=18c5d7a9-6269-1bc9-2647-c35cc562f167 tf_rpc=ApplyResourceChange diagnostic_detail= diagnostic_summary="creating/updating Domain Service (Name: "redacted.onmicrosoft.com", Resource Group: "RG-LWL-UKS-AADDS"): polling after CreateOrUpdate: Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986"" tf_proto_version=5.2 @caller=github.com/hashicorp/terraform-plugin-go@v0.10.0/tfprotov5/internal/diag/diagnostics.go:56 @module=sdk.proto diagnostic_severity=ERROR tf_resource_type=azurerm_active_directory_domain_service timestamp=2022-10-12T16:53:31.809+0100
2022-10-12T16:53:31.811+0100 [ERROR] vertex "azurerm_active_directory_domain_service.primary" error: creating/updating Domain Service (Name: "redacted.onmicrosoft.com", Resource Group: "RG-LWL-UKS-AADDS"): polling after CreateOrUpdate: Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986"
╷
│ Warning: Applied changes may be incomplete
│
│ The plan was created with the -target option in effect, so some changes requested in the configuration may have been ignored and the output values may not be fully updated. Run the following command to verify that no other changes are pending:
│     terraform plan
│
│ Note that the -target option is not suitable for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
╵
╷
│ Error: creating/updating Domain Service (Name: "redacted.onmicrosoft.com", Resource Group: "RG-LWL-UKS-AADDS"): polling after CreateOrUpdate: Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986"
│
│   with azurerm_active_directory_domain_service.primary,
│   on main.tf line 918, in resource "azurerm_active_directory_domain_service" "primary":
│  918: resource "azurerm_active_directory_domain_service" "primary" {
│
╵
2022-10-12T16:53:31.828+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2022-10-12T16:53:31.854+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.26.0/windows_386/terraform-provider-azurerm_v3.26.0_x5.exe pid=13276
2022-10-12T16:53:31.854+0100 [DEBUG] provider: plugin exited

Expected Behaviour

The creation should have continued for another hour or so, at which point Azure Active Directory Domain Services would have been created. This used to work perfectly, but I updated AzureRM and had to change a lot of my config as a result of breaking changes in the more recent version(s). I'm not sure whether my config is somehow at fault, or the provider.

Actual Behaviour

The creation runs for 15-16 minutes before throwing the following error: Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986

Steps to Reproduce

terraform plan -target="azurerm_active_directory_domain_service.primary" -out="aadds.tfplan"
terraform.exe apply "aadds.tfplan"

Also happens if I just run terraform apply, but this config is a snippet of a much larger file. I usually create AADDS first, as it takes so long, and then spin up the rest of the plan. This also fails now.

Important Factoids

No response

References

No response

magodo commented 1 year ago

@arbitmcdonald Thank you for submitting this!

We have a nightly test case for the aadds resource, whose configuration is defined here: https://github.com/hashicorp/terraform-provider-azurerm/blob/05362bb7236ab7ff91dbe07dda7bec8bb154ff65/internal/services/domainservices/active_directory_domain_service_test.go#L213 The test is successful in recent runs.

From the error message, something went wrong inside Azure while it was checking connectivity internally during the (long-running) creation operation. That is most likely a service-side issue, so I would suggest raising an Azure support ticket and providing the X-Ms-Correlation-Request-Id: 30b7687d-538e-4564-2be5-6acfd84f0498.

Comparing the tested configuration with yours, one possible cause might be that the SKU of the AADDS differs: you are using Standard, while the acctest uses Enterprise.

arbitmcdonald commented 1 year ago

Thanks @magodo I'll reach out to their support.

Interestingly, the creation does succeed (within Azure) about an hour later, which is normal for AADDS. It's Terraform that fails; the resource creation itself still succeeds.

I'll try with Enterprise next and see what happens.

I really appreciate your detailed and helpful response!

arbitmcdonald commented 1 year ago

Just an update on this. I changed my SKU to see if it made a difference and the same error happened.

Error: creating/updating Domain Service (Name: "redacted.onmicrosoft.com", Resource Group: "RG-UKS-AADDS"): polling after CreateOrUpdate: 

Code="InternalError" 

Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.161.131:5986"
arbitmcdonald commented 1 year ago

I just had another swing at this, and rather than destroying all successfully created resources after the AADDS failure I thought it best to have a proper look around. Even though I told Terraform that the AADDS depends on the vNet, AADDS subnet, AADDS NSG, and AADDS NSG/subnet association, the association was not there in Azure.

Terraform created the vNet, Subnet, and NSG, but it did not associate the NSG with the Subnet before creating AADDS.

Root cause identified... issue still remains. Why is AADDS being created before Terraform associated the NSG with the subnet, when I specifically said AADDS depends on the NSG association?


// 1. Create the network
resource "azurerm_virtual_network" "primary" {
  // Primary vNet in the management resource group with a single address space.
  // NOTE(review): var.location_primary_code is not declared in this snippet.
  name                = format("VNet-%s-%s-01", upper(var.client_code), upper(var.location_primary_code))
  resource_group_name = azurerm_resource_group.management_primary.name
  location            = azurerm_resource_group.management_primary.location
  address_space       = [var.vnet_address_space_primary]

  // Already implied by the attribute references above; kept as an explicit ordering hint.
  depends_on = [azurerm_resource_group.management_primary]
}

// 2. Create the subnet
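resource "azurerm_subnet" "aadds_primary" {
  // Dedicated subnet for the managed domain's replica set.
  name                 = format("SUBNET-%s-%s-AADDS", upper(var.client_code), upper(var.location_primary_code))
  resource_group_name  = azurerm_resource_group.management_primary.name
  virtual_network_name = azurerm_virtual_network.primary.name
  // Reference the variable declared in the original configuration (default "10.0.1.0/27", i.e. the
  // literal previously used here) instead of repeating it, so an override actually takes effect.
  address_prefixes     = [var.subnet_address_range_primary_aadds]

  // Already implied by the references above; kept as an explicit ordering hint.
  depends_on = [
    azurerm_virtual_network.primary,
    azurerm_resource_group.management_primary
  ]
}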

// 3. Create the NSG
resource "azurerm_network_security_group" "aadds_primary" {
  // NSG for the AADDS subnet; lives in the access resource group, separate from the subnet's group.
  name                = format("NSG-%s-%s-ACCESS", upper(var.client_code), upper(var.location_primary_code))
  location            = azurerm_resource_group.access_primary.location
  resource_group_name = azurerm_resource_group.access_primary.name

  // All four rules are inbound TCP allow rules from any source port to any destination address;
  // only name, priority, destination port and source differ, so they are expressed as data.
  //   AllowSyncWithAzureAD / AllowPSRemoting: 443 and 5986 from the AzureActiveDirectoryDomainServices
  //     service tag (the platform's own management traffic; the failing connectivity test in this
  //     issue targets port 5986).
  //   AllowRD: 3389 from the CorpNetSaw service tag, presumably for Microsoft support access.
  //   AllowLDAPS: 636 from "*" — NOTE(review): this admits LDAPS from any source; if secure LDAP is
  //     exposed on a public address this is reachable from the Internet. Restrict the source to the
  //     ranges that actually need it.
  dynamic "security_rule" {
    for_each = [
      { name = "AllowSyncWithAzureAD", priority = 101, port = "443",  source = "AzureActiveDirectoryDomainServices" },
      { name = "AllowRD",              priority = 201, port = "3389", source = "CorpNetSaw" },
      { name = "AllowPSRemoting",      priority = 301, port = "5986", source = "AzureActiveDirectoryDomainServices" },
      { name = "AllowLDAPS",           priority = 401, port = "636",  source = "*" },
    ]
    content {
      name                       = security_rule.value.name
      priority                   = security_rule.value.priority
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = "Tcp"
      source_port_range          = "*"
      destination_port_range     = security_rule.value.port
      source_address_prefix      = security_rule.value.source
      destination_address_prefix = "*"
    }
  }

  // Already implied by the references above; kept as an explicit ordering hint.
  depends_on = [azurerm_resource_group.access_primary]
}

// 4. Associate the NSG
resource "azurerm_subnet_network_security_group_association" "aadds_primary" {
  // Attaches the NSG above to the AADDS subnet (cross-resource-group association).
  network_security_group_id = azurerm_network_security_group.aadds_primary.id
  subnet_id                 = azurerm_subnet.aadds_primary.id

  // Already implied by the two id references; kept as an explicit ordering hint.
  depends_on = [
    azurerm_virtual_network.primary,
    azurerm_subnet.aadds_primary,
    azurerm_network_security_group.aadds_primary
  ]
}

// 5. Create AADDS
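resource "azurerm_active_directory_domain_service" "primary" {
  // Managed domain; both the resource name and the domain name come from var.onmicrosoft_domain.
  name                = var.onmicrosoft_domain
  location            = azurerm_resource_group.aadds.location
  resource_group_name = azurerm_resource_group.aadds.name

  domain_name           = var.onmicrosoft_domain
  sku                   = "Enterprise"
  filtered_sync_enabled = false

  // The first replica set is placed in the dedicated AADDS subnet.
  initial_replica_set {
    subnet_id = azurerm_subnet.aadds_primary.id
  }

  notifications {
    // Plain function call: the previous "${join(...)}" wrapper was a redundant
    // interpolation-only expression.
    additional_recipients = [join("@", [var.admin_username, var.onmicrosoft_domain])]
    notify_dc_admins      = true
    notify_global_admins  = true
  }

  security {
    kerberos_armoring_enabled       = true
    // NOTE(review): the next three settings switch legacy protocols ON (RC4 Kerberos encryption,
    // NTLMv1, TLS 1.0). They weaken the managed domain and are only needed for clients that
    // cannot use anything newer; set them to false unless such clients exist. They are left as
    // the author set them here.
    kerberos_rc4_encryption_enabled = true
    ntlm_v1_enabled                 = true
    tls_v1_enabled                  = true
    // Password-hash synchronisation flags (as named by the provider).
    sync_kerberos_passwords         = true
    sync_ntlm_passwords             = true
    sync_on_prem_passwords          = true
  }

  // Only the subnet and resource group are referenced by attributes above; everything else
  // orders before the domain solely through this list.
  // NOTE(review): azuread_group_member.admin is listed here, while in the earlier listing
  // azuread_group.aadds_administrators and azuread_user.admin depend on this resource; if those
  // depends_on entries are still present this is a dependency cycle (the later console output
  // suggests they were changed).
  depends_on = [
    azurerm_virtual_network.primary,
    azurerm_subnet.aadds_primary,
    azurerm_network_security_group.aadds_primary,
    azurerm_subnet_network_security_group_association.aadds_primary,
    azuread_group_member.admin,
    azurerm_resource_group.aadds,
    azuread_service_principal.aadds_primary,
    azurerm_virtual_network_dns_servers.aadds_dns_primary,
  ]
}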
arbitmcdonald commented 1 year ago

Update on this: I believe there's an issue with the provider, not with Azure, as Terraform reports the creation of my NSG association as complete.

Here's what happens:

  1. I tell Terraform that AADDS depends on the nsg assoc
  2. Terraform creates the vnet, subnet, nsg
  3. Terraform also claims to associate the nsg with the subnet
  4. When I check the nsg in the Azure Portal, there are 0 subnet associations
  5. Terraform fails (original error about "A connection attempt failed")

If I manually update the nsg association (to apply the nsg to the subnet) while terraform is applying the plan at step 3 (after supposed creation of the nsg association, before AADDS creation), the Terraform apply succeeds and AADDS is created.

Notable console messages:

  1. azurerm_subnet_network_security_group_association.aadds_primary: Creating...
  2. azurerm_subnet_network_security_group_association.aadds_primary: Creation complete after 3s

Console output:

azuread_service_principal.aadds_primary: Creating...
azuread_group.aadds_administrators: Creating...
azuread_service_principal.aadds_primary: Creation complete after 2s [id=ed4ce269-69c0-4c4f-a705-redacted]
azuread_group.aadds_administrators: Still creating... [10s elapsed]
azurerm_resource_group.management_primary: Creating...
azurerm_resource_group.access_primary: Creating...
azurerm_resource_group.aadds: Creating...
azurerm_resource_group.management_primary: Creation complete after 0s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-MANAGEMENT]
azurerm_virtual_network.primary: Creating...
azurerm_resource_group.aadds: Creation complete after 0s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-AADDS]
azurerm_resource_group.access_primary: Creation complete after 0s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-ACCESS]
azurerm_network_security_group.aadds_primary: Creating...
azurerm_network_security_group.aadds_primary: Creation complete after 4s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-ACCESS/providers/Microsoft.Network/networkSecurityGroups/NSG-LWL-UKS-ACCESS]
azurerm_virtual_network.primary: Creation complete after 4s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-MANAGEMENT/providers/Microsoft.Network/virtualNetworks/VNet-LWL-UKS-01]
azurerm_subnet.aadds_primary: Creating...
azuread_group.aadds_administrators: Still creating... [20s elapsed]
azurerm_subnet.aadds_primary: Creation complete after 4s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-MANAGEMENT/providers/Microsoft.Network/virtualNetworks/VNet-LWL-UKS-01/subnets/SUBNET-LWL-UKS-AADDS]
azurerm_virtual_network_dns_servers.aadds_dns_primary: Creating...
azurerm_subnet_network_security_group_association.aadds_primary: Creating...
azuread_group.aadds_administrators: Creation complete after 22s [id=adb56c4e-43a8-4869-ab0f-redacted]
azuread_user.admin: Creating...
azuread_user.admin: Creation complete after 0s [id=4b93e93b-62ac-4b14-a3ac-redacted]
azuread_group_member.admin: Creating...
azuread_group_member.admin: Creation complete after 1s [id=adb56c4e-43a8-4869-ab0f-redacted/member/4b93e93b-62ac-4b14-a3ac-redacted]
azurerm_subnet_network_security_group_association.aadds_primary: Creation complete after 3s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-MANAGEMENT/providers/Microsoft.Network/virtualNetworks/VNet-LWL-UKS-01/subnets/SUBNET-LWL-UKS-AADDS]
azurerm_virtual_network_dns_servers.aadds_dns_primary: Creation complete after 7s [id=/subscriptions/...redacted.../resourceGroups/RG-LWL-UKS-MANAGEMENT/providers/Microsoft.Network/virtualNetworks/VNet-LWL-UKS-01/dnsServers/default]
azurerm_active_directory_domain_service.primary: Creating...
azurerm_active_directory_domain_service.primary: Still creating... [10s elapsed]