rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0

AzureAd Provider & Cluster role/template not found #1084

Open donydonald1 opened 1 year ago

donydonald1 commented 1 year ago
# Resolve the cluster the RBAC objects below are meant for. The management
# cluster is referred to as "local" throughout this configuration.
data "rancher2_cluster" "rbac_cluster" {
  name = "local"
}
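# NOTE(review): this data source reads an *existing* cluster role template
# binding by its name; it is not a lookup of the role template itself. Binding
# names are typically generated by Rancher, so a binding literally called
# "admin" is unlikely to exist, which is what the plan error reports. If the
# intent is to reference the admin role template, the rancher2_role_template
# data source is the one to use.
data "rancher2_cluster_role_template_binding" "admin_role" {
  name = "admin"
  # Reuse the cluster resolved above instead of repeating the literal ID, so
  # the two lookups cannot drift apart.
  cluster_id = data.rancher2_cluster.rbac_cluster.id
}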
# Azure AD groups whose members may log in to Rancher. Display names must
# match the directory exactly (the lookup fails hard if any name is missing),
# and only security-enabled groups are considered.
data "azuread_groups" "allowedRancherGroups" {
  security_enabled = true
  display_names    = ["aad group 1", "aad group 2"]
}
# Cluster-level role names; not referenced elsewhere in this snippet but
# possibly used in other files of the configuration.
locals {
  cluster_roles = [
    "admin",
    "User-Base",
  ]
}

# The built-in local "admin" user; its ID is added to the allowed principals so
# that enabling restricted access mode cannot lock the local administrator out.
data "rancher2_user" "admin" {
  username = "admin"
}
# Principal IDs allowed to authenticate: the local admin user plus every Azure
# AD group resolved above, each in Rancher's "azuread_group://<object id>" form.
locals {
  all_allowed_principals = concat(
    ["local://${data.rancher2_user.admin.id}"],
    [for object_id in data.azuread_groups.allowedRancherGroups.object_ids : "azuread_group://${object_id}"],
  )
}

# Azure AD authentication for Rancher. Application credentials and the tenant
# ID are read from Vault rather than written into the configuration.
resource "rancher2_auth_config_azuread" "ad" {
  # Application registration details (sourced from Vault).
  tenant_id          = data.vault_generic_secret.rancher2_azuread_secrets.data["tenant_id"]
  application_id     = data.vault_generic_secret.rancher2_azuread_secrets.data["application_id"]
  application_secret = data.vault_generic_secret.rancher2_azuread_secrets.data["application_secret"]

  # Where Azure AD sends the user back after login.
  rancher_url = "https://${var.rancher_hostname}/verify-auth-azure"

  # Azure AD / Microsoft Graph endpoints for this tenant.
  endpoint       = var.endpoint
  graph_endpoint = "https://graph.microsoft.com"
  auth_endpoint  = "https://login.microsoftonline.com/${data.vault_generic_secret.rancher2_azuread_secrets.data["tenant_id"]}/oauth2/v2.0/authorize"
  token_endpoint = "https://login.microsoftonline.com/${data.vault_generic_secret.rancher2_azuread_secrets.data["tenant_id"]}/oauth2/v2.0/token"

  # Only the principals listed below may log in; everyone else authenticated
  # by Azure AD is rejected at the Rancher side.
  access_mode           = "restricted"
  allowed_principal_ids = local.all_allowed_principals
}

# Azure AD groups that receive the Rancher "admin" global role. This currently
# names the same groups as allowedRancherGroups; keep it narrower than the login
# allow-list if not every allowed user should be a Rancher administrator.
data "azuread_groups" "rancherAdmins" {
  security_enabled = true
  display_names    = ["aad group 1", "aad group 2"]
}
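# Resolve the built-in "admin" global role by name. "id" is a computed
# attribute of this data source, not an argument, so the original
# `id = "local"` line is dropped here; the role is selected by "name" alone.
data "rancher2_global_role" "admin_role" {
  name = "admin"
}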

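# One "admin" global role binding per Azure AD admin group. Admin is the most
# privileged global role, so the rancherAdmins group list should stay tight.
resource "rancher2_global_role_binding" "admin-role-mapping" {
  for_each = toset(data.azuread_groups.rancherAdmins.object_ids)

  # Bind by the role's ID rather than its display name.
  global_role_id = data.rancher2_global_role.admin_role.id

  # Rancher identifies Azure AD groups by principal ID in the same
  # "azuread_group://<object id>" form used in local.all_allowed_principals;
  # a bare object ID does not match any group.
  group_principal_id = "azuread_group://${each.value}"

  # user_id is a single user principal string and is mutually exclusive with
  # group_principal_id. The original assigned the whole allowed-principal list
  # to it, which is neither a string nor a user; it is intentionally omitted.
}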

ERROR BELOW

│ Error: [ERROR] cluster role template binding with name "admin" on cluster ID "local" not found
│ 
│   with data.rancher2_cluster_role_template_binding.admin_role,
│   on main.tf line 11, in data "rancher2_cluster_role_template_binding" "admin_role":
│   11: data "rancher2_cluster_role_template_binding" "admin_role" {
│ 
╵
╷
│ Error: No group found with display name: ""aad group 1", "aad group 2"
│ 
│   with data.azuread_groups.allowedRancherGroups,
│   on main.tf line 16, in data "azuread_groups" "allowedRancherGroups":
│   16:   display_names = [ ""aad group 1", "aad group 2" ]
│ 
╵
╷
│ Error: No group found with display name: ""aad group 1", "aad group 2"
│ 
│   with data.azuread_groups.rancherAdmins,
│   on main.tf line 46, in data "azuread_groups" "rancherAdmins":
│   46:   display_names = [ "ua_hhc_kube_admins" ]
│ 
╵
╷
│ Error: [ERROR] global role with name "admin" not found
│ 
│   with data.rancher2_global_role.admin_role,
│   on main.tf line 48, in data "rancher2_global_role" "admin_role":
│   48: data "rancher2_global_role" "admin_role" {
│ 
╵

If I manually add the "azuread" auth provider, I am able to see all of the groups; I am not sure why they are not visible when configured with Terraform. Please share your thoughts on this.

MehuiSeklayr commented 1 year ago

Hello everyone.

We are currently implementing Rancher, and we tried using both Pulumi and Terraform. In both cases, we run into this exact same issue.

Is there a fix coming, or a workaround available?