microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

`azuredevops_group_membership` - Error adding group memberships during create or update (azuredevops_group_membership) #1093

Closed chrisnavar closed 3 weeks ago

chrisnavar commented 2 months ago

Terraform (and Azure DevOps Provider) Version

Terraform core version: 1.6.3
Provider version: 1.0.1

Affected Resource(s)

Terraform Configuration Files

locals {
    devops_default_group_git_permissions = {
        "reader" = {
            Administer = "Deny"
            GenericRead = "Allow"
            GenericContribute = "Deny"
            ForcePush = "Deny"
            CreateBranch = "Deny"
            CreateTag = "Deny"
            ManageNote = "Deny"
            PolicyExempt = "Deny"
            CreateRepository = "Deny"
            DeleteRepository = "Deny"
            RenameRepository = "Deny"
            EditPolicies = "Deny"
            RemoveOthersLocks = "Deny"
            ManagePermissions = "Deny"
            PullRequestContribute = "Allow"
            PullRequestBypassPolicy = "Deny"
        }
    }
}

variable "git_repo_reader_members" {
    type = list(string)
    description = "A list of user or group descriptors that will become members of the readers group."
    default = ["john.doe@contoso.com"]
}

resource "azuredevops_group" "azuredevops_groups" {
  for_each = local.devops_default_group_git_permissions

  scope        = data.azuredevops_project.contoso.id
  display_name = "azuredevops_group"
}

resource "azuredevops_group_membership" "azuredevops_reader_group_membership" {
  count      = length(var.git_repo_reader_members) != 0 ? 1 : 0

  group      = azuredevops_group.azuredevops_groups["reader"].descriptor
  members    = var.git_repo_reader_members
  mode       = "add"
}

Debug Output

Actual Behavior

The deployment failed, yielding the following error:

Error: Error adding group memberships during create: Error adding group memberships during update: Error adding member john.doe@contoso.com to group vssgp.Uy0xLTktMTU1MTM3NDI0NS0xNDgwMjgwMDg1LTEyMzE1NDQzOTYtMjI2NTc0NDI0NS0yNTc1MTkxMDY5LTEtMzQ0NzQ1MzMwMi0yNDE2NjE2MjY0LTIyNTY4NDEzOTEtNDA5MzAyNzk0Mw: The controller for path '/_apis/Graph/Memberships/john.doe@contoso.com/vssgp.Uy0xLTktMTU1MTM3NDI0NS0xNDgwMjgwMDg1LTEyMzE1NDQzOTYtMjI2NTc0NDI0NS0yNTc1MTkxMDY5LTEtMzQ0NzQ1MzMwMi0yNDE2NjE2MjY0LTIyNTY4NDEzOTEtNDA5MzAyNzk0Mw' was not found or does not implement IController.

Steps to Reproduce

Terraform plan and apply the code explained above to create a resource of type azuredevops_group_membership.

rahuja23 commented 1 month ago

Is there any update on this issue?

carlosjourdan commented 1 month ago

I was running into a similar issue. Turns out that the group membership has to receive the legacy identity descriptors in the members array.

Something like this should work fine:

variable "git_repo_reader_members" {
    type = list(string)
    description = "A list of user or group descriptors that will become members of the readers group."
    default = ["john.doe@contoso.com"]
}

resource "azuredevops_group" "azuredevops_groups" {
  for_each = local.devops_default_group_git_permissions

  scope        = data.azuredevops_project.contoso.id
  display_name = "azuredevops_group"
}

data "azuredevops_users" "azdo_users" {
  for_each = toset(var.git_repo_reader_members)
  principal_name = each.key
}

resource "azuredevops_group_membership" "azuredevops_reader_group_membership" {
  for_each = toset(var.git_repo_reader_members)

  group      = azuredevops_group.azuredevops_groups["reader"].descriptor
  members    = [one(data.azuredevops_users.azdo_users[each.key].users).descriptor]
  mode       = "add"
}

xuzhang3 commented 1 month ago

@chrisnavar You cannot add users with an email or display name directly. A descriptor should be used here.
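
As an added example (not code from this issue or from the provider project), the configuration below extends carlosjourdan's approach: it resolves both user principal names and Azure DevOps group display names to graph descriptors before passing them to `azuredevops_group_membership`, and it adds a plan-time precondition so an unresolvable principal fails with a clear message instead of the Graph/Memberships "controller not found" error quoted above. It assumes the `azuredevops_group.azuredevops_groups` resource from the issue is declared with a "reader" key; the project name "contoso", the variable names and the data source labels are assumptions for illustration.

```hcl
variable "git_repo_reader_users" {
  type        = list(string)
  description = "Principal names (UPNs) of users to add to the readers group."
  default     = ["john.doe@contoso.com"] # constructed sample value
}

variable "git_repo_reader_groups" {
  type        = list(string)
  description = "Display names of Azure DevOps groups to nest in the readers group."
  default     = []
}

data "azuredevops_project" "contoso" {
  name = "contoso" # assumption: the project name used in the issue
}

# Resolve each user principal name to its graph descriptor.
# Passing the raw e-mail address to the membership resource is what
# produced the 404 in the issue; only descriptors are accepted there.
data "azuredevops_users" "readers" {
  for_each       = toset(var.git_repo_reader_users)
  principal_name = each.key
}

# Resolve each group display name (project-scoped) to its descriptor.
data "azuredevops_group" "readers" {
  for_each   = toset(var.git_repo_reader_groups)
  project_id = data.azuredevops_project.contoso.id
  name       = each.key
}

locals {
  # Flatten rather than one(): an empty or ambiguous lookup is reported
  # by the precondition below instead of a generic function error.
  reader_member_descriptors = concat(
    flatten([for u in data.azuredevops_users.readers : [for d in u.users : d.descriptor]]),
    [for g in data.azuredevops_group.readers : g.descriptor],
  )
}

resource "azuredevops_group_membership" "readers" {
  group   = azuredevops_group.azuredevops_groups["reader"].descriptor
  members = local.reader_member_descriptors
  mode    = "add"

  lifecycle {
    # Fail at plan time if any UPN resolves to zero or more than one user,
    # so a typo never silently grants access to a different principal.
    precondition {
      condition     = alltrue([for u in data.azuredevops_users.readers : length(u.users) == 1])
      error_message = "Every entry in git_repo_reader_users must resolve to exactly one Azure DevOps user."
    }
  }
}
```

The precondition is the part worth keeping even if you drop the group-member branch: with `mode = "add"` a membership that resolves to the wrong identity is easy to miss in a plan diff, and requiring exactly one match per principal name turns that into a hard failure before any API call is made.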

chrisnavar commented 3 weeks ago

Thank you for your solution @xuzhang3, appreciate it. I'll close the ticket as it's been resolved.