
azuread_group_member - a fail to add a group member creates an unremovable state record #1560

Open
ivohlavaty opened this issue Nov 5, 2024 · 0 comments


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • Terraform 1.9.8
  • registry.terraform.io/hashicorp/azuread v3.0.2

Affected Resource(s)

  • azuread_group_member

Terraform Configuration Files

resource "azuread_group_member" "msi_rg" {
  group_object_id  = var.azuread_group_msi
  member_object_id = azapi_resource.hci_hybrid_compute_machines.identity[0].principal_id

  lifecycle {
    create_before_destroy = true
  }
}
output "azuread_group_member_msi_rg" { value = azuread_group_member.msi_rg }

Debug Output

State file record

This record should not exist, as the membership has not been created.

  {
      "module": "module.hci-vm[\"gha-runner-001\"]",
      "mode": "managed",
      "type": "random_id",
      "name": "vm_name",
      "provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "b64_std": "KDA=",
            "b64_url": "KDA",
            "byte_length": 2,
            "dec": "10288",
            "hex": "2830",
            "id": "KDA",
            "keepers": {
              "image_id": "/subscriptions/*****-******/resourceGroups/*****/providers/Microsoft.AzureStackHCI/galleryImages/ubuntu-2004-image-1"
            },
            "prefix": null
          },
          "sensitive_attributes": [],
          "dependencies": [
            "data.vault_generic_secret.hci",
            "module.hci-vm.data.azapi_resource.cluster_resource_group",
            "module.hci-vm.data.azapi_resource.hci_gallery_image",
            "module.hci-vm.data.azapi_resource_list.hci_gallery_image"
          ],
          "create_before_destroy": true
        }
      ]
    },

Panic Output

Expected Behavior

When using the service principal without sufficient permissions, a resource should fail to be created, and there should be no record in the state.

Actual Behavior

The member (hybrid compute machine identity) fails to be added to an Azure security group, but a record is still created in the state file. After running another tf plan, terraform fails. It even fails to destroy the group membership because it cannot fetch the membership of an object from the group. A user cannot recover from this error unless they have access to perform a terraform state rm operation.

Error:

module.hci-vm["gha-runner-001"].azuread_group_member.msi_rg: Refreshing state... [id=160eb7c9-****-****-****-*********/member/62e85ce2-35b3-46c3-8894-ae0185b40494]
Error: Retrieving member "62e85ce2-35b3-46c3-8894-ae0185b40494" for group with object ID: "160eb7c9-****-****-****-*********"

Steps to Reproduce

Use a service principal without group ownership and try to assign a member to that group:

  1. terraform apply

Important Factoids

References

  • #0000
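As an added example (not part of the report or of the provider's code), a script that locates azuread_group_member records in a state file, parses the "<group>/member/<member>" ID shape visible in the error above, and prints the terraform state rm command the report names as the only recovery path. The embedded state file is constructed and the group object ID is a placeholder.

```python
import json

# Constructed sample of a Terraform state file (v4 layout). The first record
# mirrors the stranded azuread_group_member from the report; the group ID is a
# placeholder, the member ID is the one shown in the reported error.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "module": "module.hci-vm[\"gha-runner-001\"]",
            "mode": "managed",
            "type": "azuread_group_member",
            "name": "msi_rg",
            "provider": "provider[\"registry.terraform.io/hashicorp/azuread\"]",
            "instances": [{"schema_version": 0, "attributes": {
                "id": "160eb7c9-0000-0000-0000-000000000000/member/62e85ce2-35b3-46c3-8894-ae0185b40494",
                "group_object_id": "160eb7c9-0000-0000-0000-000000000000",
                "member_object_id": "62e85ce2-35b3-46c3-8894-ae0185b40494"}}],
        },
        {"mode": "managed", "type": "random_id", "name": "vm_name",
         "provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
         "instances": [{"schema_version": 0, "attributes": {"id": "KDA"}}]},
    ],
})

def resource_address(res, inst):
    """Build the address that `terraform state rm` expects for one instance."""
    addr = f"{res['type']}.{res['name']}"
    if res.get("mode") == "data":
        addr = "data." + addr
    if "index_key" in inst:  # count/for_each instances carry an index key
        key = inst["index_key"]
        addr += f'["{key}"]' if isinstance(key, str) else f"[{key}]"
    if res.get("module"):
        addr = f"{res['module']}.{addr}"
    return addr

def find_group_members(state_json):
    """Return (address, group_id, member_id) for every azuread_group_member
    instance whose ID has the '<group>/member/<member>' shape."""
    found = []
    for res in json.loads(state_json).get("resources", []):
        if res.get("type") != "azuread_group_member":
            continue
        for inst in res.get("instances", []):
            group_id, sep, member_id = inst["attributes"]["id"].partition("/member/")
            if not sep:
                continue  # unexpected ID shape: report nothing rather than guess
            found.append((resource_address(res, inst), group_id, member_id))
    return found

if __name__ == "__main__":
    for addr, group_id, member_id in find_group_members(SAMPLE_STATE):
        print(f"terraform state rm '{addr}'  # member {member_id} of group {group_id}")
```

Confirm in the portal or with the Graph API that the membership really is absent before removing the record, since state rm forgets the object without deleting it.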