microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Group membership not overwriting group members on first run #291

Open zanozbot opened 3 years ago

zanozbot commented 3 years ago

Terraform (and Azure DevOps Provider) Version

Terraform: v0.14.5
Azure DevOps Provider: 0.1.1

Affected Resource(s)

Terraform Configuration Files

resource "azuredevops_project" "project" {
  name               = "Test Project"
  description        = "Test Project Description"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"

  features = {
    "testplans"    = "enabled"
    "artifacts"    = "enabled"
    "boards"       = "enabled"
    "repositories" = "enabled"
    "pipelines"    = "enabled"
  }
}

data "azuredevops_group" "contributors" {
  project_id = azuredevops_project.project.id
  name       = "Contributors"
}

resource "azuredevops_group_membership" "membership" {
  group      = data.azuredevops_group.contributors.descriptor
  members    = []
  mode       = "overwrite"
}

Debug Output

https://gist.github.com/zanozbot/aca3e5b2b34edbd9de77298d8c99d1bd

Expected Behavior

The Azure DevOps Contributors group should have no members.

Actual Behavior

Nothing happens. On the second run Terraform detects changes and removes the members.

Steps to Reproduce

  1. terraform apply

References

drdamour commented 3 years ago

What I've found is overwrite doesn't overwrite anything NOT in the state file... i.e. it only removes things that are in the state file.

joshfria commented 2 years ago

I am experiencing this behaviour myself.

mg-8 commented 1 year ago

I am also experiencing this behavior :(

robdock92 commented 3 weeks ago

This is particularly painful for Groups that are created as a result of another process - e.g. the Endpoint Creators and Endpoint Administrators Groups are created automatically when a Service Endpoint has been added to a Project. This is the default behavior as the Groups are then given default permissions of Creator and Administrator respectively. Additionally, the Contributor and Project Administrator groups are added as members under the newly created Endpoint groups.

Because of this, maintaining the groups in state with the azuredevops provider is impossible. Given that the Azure DevOps REST API documentation for Removing Members from a Group expects exactly one member ID per request, it doesn't appear that this resource can remove all members on the first run (as @drdamour pointed out, the IDs of the members to remove from the group are not known yet).

I wish we could find an alternate path to use another provider to manage this group, but even using the restapi provider proves troublesome as you run into similar issues.

It would be great if we could get a data source for Group Membership through this provider instead. Something that uses the Members - Get API request and passes the returned JSON out as a map so we can parse it.
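The first-run behaviour drdamour and robdock92 describe, as an added Go simulation that is not the provider's own code: it contrasts an overwrite that diffs against Terraform state (empty while the resource is being created, so nothing is removed until the second run) with one that diffs against the live membership. Member names such as "alice" are constructed placeholders, not real Azure DevOps descriptors.

```go
package main

import "sort"

type Group struct {
	Remote map[string]bool // members actually present in Azure DevOps
	State  map[string]bool // members recorded in Terraform state
}

// NewGroup builds a group from constructed member names (not real descriptors).
func NewGroup(members ...string) *Group {
	g := &Group{Remote: map[string]bool{}, State: map[string]bool{}}
	for _, m := range members {
		g.Remote[m] = true
	}
	return g
}

// removals lists, sorted, every member of have that is absent from want.
func removals(have map[string]bool, want []string) []string {
	keep := map[string]bool{}
	for _, m := range want {
		keep[m] = true
	}
	var out []string
	for m := range have {
		if !keep[m] {
			out = append(out, m)
		}
	}
	sort.Strings(out)
	return out
}

// Apply runs one overwrite-mode apply and returns the members it removed.
// fromState=true diffs against Terraform state, which is empty while the
// resource is being created (the behaviour reported in this issue); false
// diffs against the live membership, which is what overwrite should mean.
func (g *Group) Apply(desired []string, fromState bool) []string {
	have := g.Remote
	if fromState {
		have = g.State
	}
	gone := removals(have, desired)
	for _, m := range gone {
		delete(g.Remote, m) // one request per member: the Remove Member API takes a single ID
	}
	g.State = map[string]bool{} // state now mirrors the live group, so a second run sees the rest
	for m := range g.Remote {
		g.State[m] = true
	}
	return gone
}
```

With NewGroup("alice", "bob") and members = [], Apply(nil, true) removes nothing on the first call and both members on the second, while Apply(nil, false) removes both on the first call.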