azuredevops_group_membership - Error adding group memberships during create or update (azuredevops_group_membership) #1093

Closed
chrisnavar opened this issue Jul 8, 2024 · 4 comments
@chrisnavar

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform core version: 1.6.3
Provider version: 1.0.1

Affected Resource(s)

  • azuredevops_group_membership

Terraform Configuration Files

locals {
    devops_default_group_git_permissions = {
        "reader" = {
            Administer = "Deny"
            GenericRead = "Allow"
            GenericContribute = "Deny"
            ForcePush = "Deny"
            CreateBranch = "Deny"
            CreateTag = "Deny"
            ManageNote = "Deny"
            PolicyExempt = "Deny"
            CreateRepository = "Deny"
            DeleteRepository = "Deny"
            RenameRepository = "Deny"
            EditPolicies = "Deny"
            RemoveOthersLocks = "Deny"
            ManagePermissions = "Deny"
            PullRequestContribute = "Allow"
            PullRequestBypassPolicy = "Deny"
        }
    }
}

variable "git_repo_reader_members" {
    type = list(string)
    description = "A list of user or group descriptors that will become members of the readers group."
    default = ["john.doe@contoso.com"]
}

resource "azuredevops_group" "azuredevops_groups" {
  for_each = local.devops_default_group_git_permissions
  
  scope        = data.azuredevops_project.contoso.id
  display_name = "azuredevops_group"
}

resource "azuredevops_group_membership" "azuredevops_reader_group_membership" {
  count      =  length(var.git_repo_reader_members) != 0 ? 1 : 0

  group      = azuredevops_group.azuredevops_groups["reader"].descriptor
  members    = var.git_repo_reader_members
  mode       = "add"
}

Debug Output

Actual Behavior

The deployment failed yielding the following error:

Error: Error adding group memberships during create: Error adding group memberships during update: Error adding member john.doe@contoso.com to group vssgp.Uy0xLTktMTU1MTM3NDI0NS0xNDgwMjgwMDg1LTEyMzE1NDQzOTYtMjI2NTc0NDI0NS0yNTc1MTkxMDY5LTEtMzQ0NzQ1MzMwMi0yNDE2NjE2MjY0LTIyNTY4NDEzOTEtNDA5MzAyNzk0Mw: The controller for path '/_apis/Graph/Memberships/john.doe@contoso.com/vssgp.Uy0xLTktMTU1MTM3NDI0NS0xNDgwMjgwMDg1LTEyMzE1NDQzOTYtMjI2NTc0NDI0NS0yNTc1MTkxMDY5LTEtMzQ0NzQ1MzMwMi0yNDE2NjE2MjY0LTIyNTY4NDEzOTEtNDA5MzAyNzk0Mw' was not found or does not implement IController.

Steps to Reproduce

Terraform plan and apply the code explained above to create a resource of type azuredevops_group_membership.

@xuzhang3 changed the title from "Error adding group memberships during create or update (azuredevops_group_membership)" to "azuredevops_group_membership - Error adding group memberships during create or update (azuredevops_group_membership)" on Jul 12, 2024
@rahuja23

Is there any update on this issue?

@carlosjourdan

carlosjourdan commented Jul 30, 2024

I was running into a similar issue. Turns out that the group membership has to receive the legacy identity descriptors in the members array.

Something like this should work fine

variable "git_repo_reader_members" {
    type = list(string)
    description = "A list of user or group descriptors that will become members of the readers group."
    default = ["john.doe@contoso.com"]
}

resource "azuredevops_group" "azuredevops_groups" {
  for_each = local.devops_default_group_git_permissions
  
  scope        = data.azuredevops_project.contoso.id
  display_name = "azuredevops_group"
}

data "azuredevops_users" "azdo_users" {
  for_each = toset(var.git_repo_reader_members)
  principal_name = each.key
}

resource "azuredevops_group_membership" "azuredevops_reader_group_membership" {
  for_each = toset(var.git_repo_reader_members)

  group      = azuredevops_group.azuredevops_groups["reader"].descriptor
  members    = [one(data.azuredevops_users.azdo_users[each.key].users).descriptor]
  mode       = "add"
}

@xuzhang3
Collaborator

xuzhang3 commented Aug 5, 2024

@chrisnavar Cannot add the users with email or display name directly. Descriptor should be used here.

@chrisnavar
Author

Thank you for your solution @xuzhang3, appreciate it. I'll close the ticket as it's been resolved.
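
An added example, not part of the thread or of the provider's code: a Python pre-flight check for the point made in the comments above, that `members` must hold descriptors rather than e-mail addresses. The function names and the list of accepted subject-type prefixes are assumptions of this example; the group descriptor is the one quoted in the error message in the issue.

```python
import base64
import re

# Subject-type prefixes accepted here: an assumption of this example, not exhaustive.
KNOWN_SUBJECT_TYPES = {"aad", "msa", "vssgp", "svc"}
DESCRIPTOR_RE = re.compile(r"^([a-z0-9]+)\.([A-Za-z0-9_-]+)$")

# Group descriptor copied from the error message quoted in the issue.
PAGE_GROUP_DESCRIPTOR = (
    "vssgp.Uy0xLTktMTU1MTM3NDI0NS0xNDgwMjgwMDg1LTEyMzE1NDQzOTYtMjI2NTc0NDI0"
    "NS0yNTc1MTkxMDY5LTEtMzQ0NzQ1MzMwMi0yNDE2NjE2MjY0LTIyNTY4NDEzOTEtNDA5MzAyNzk0Mw"
)


def decode_identifier(encoded):
    """Decode the unpadded base64url part of a descriptor to text, or None."""
    padded = encoded + "=" * (-len(encoded) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def check_member(value):
    """Return (ok, detail) for one entry of a `members` list."""
    match = DESCRIPTOR_RE.match(value)
    if not match or match.group(1) not in KNOWN_SUBJECT_TYPES:
        return False, "not a descriptor; resolve it with a data source first"
    subject_type, encoded = match.groups()
    if subject_type == "vssgp":
        # A group descriptor carries the group's SID in base64url form.
        sid = decode_identifier(encoded)
        if sid is None or not sid.startswith("S-1-"):
            return False, "vssgp descriptor does not decode to a SID"
        return True, sid
    return True, subject_type


def preflight(members):
    """Return the entries that would be rejected, with the reason for each."""
    rejected = {}
    for member in members:
        ok, detail = check_member(member)
        if not ok:
            rejected[member] = detail
    return rejected


if __name__ == "__main__":
    # The e-mail address from the issue is flagged; the descriptor passes.
    print(preflight(["john.doe@contoso.com", PAGE_GROUP_DESCRIPTOR]))
```
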
