Active Directory Group Membership

roy.madden · April 3, 2023, 6:09pm

I’ve written some simple terraform code to assist with creating group membership for active directory groups. This is an on-prem deployment of Active Directory and we are using the hashicorp/ad provider.

Expected Behavior
When apply is run, the code will be checked against the state file and add, change or destroy objects determined, and actioned, accordingly. In addition, if the code matches the state file, it will report as such with no prompt to confirm an action.

Actual Behavior
Each time the apply is run, group membership is changed. When I add a member to the group, all existing members are removed and the new member added. If I make no changes to membership, all members are removed and, if I apply again without change, all members are added.

Has anyone else experienced this behavior?
Can anyone explain this behavior, is something in my code causing this?

terraform {
  required_version = ">= 0.14.0"
  required_providers {
    ad = {
      source = "hashicorp/ad"
      version = "0.4.4"
    }
  }
}

provider "ad" {
  winrm_hostname = "hostname"
  winrm_username = "username"
  winrm_password = "password"
}

variable group_memberships {
  type = map(object({
    user_list     = list(string)
    group_list    = list(string)
    computer_list = list(string)
  }))
}

group_memberships = {
  AppAccessGroup = {
    user_list     = [
                    "roger.ramjet",
                    "wylie.coyote"]
    group_list    = [
                    "ReadOnlyUsers",
                    "TemporaryUsers"]
    computer_list = [
                    "computer01$",
                    "computer02$"]
  }
}

resource ad_group_membership "gm" {
  for_each = var.group_memberships 
    group_id = each.key
    group_members  = concat(each.value.user_list, each.value.group_list, each.value.computer_list)
}

roy.madden · April 4, 2023, 7:09pm

I did some more investigation and found the answer.

The ad_group_membership resource is very flexible when specifying a list of member AD Principals. From the provider documentation:
“Each principal can be identified by its GUID, SID, Distinguished Name, or SAM Account Name. Only one is required”

This makes it easy to create the membership resource, as you can see in the code I posted.

The problem is, the provider records the list of principals in the state file using each principal’s ID (GUID):

    {
      "mode": "managed",
      "type": "ad_group_membership",
      "name": "gm",
      "provider": "provider[\"registry.terraform.io/hashicorp/ad\"]",
      "instances": [
        {
          "index_key": "AppAccessGroup",
          "schema_version": 0,
          "attributes": {
            "group_id": "AppAccessGroup",
            "group_members": [
              "071792bd-1e5b-4ff5-a57a-969bee712b08",
              "22ee22ba-c562-4645-b03a-1ce451c925f1",
              "2cd6fbcc-5ce2-4e77-95c4-d4a56eb2c974",
              "db274f67-0360-4d6f-9daf-027065dea943",
              "f6655ffc-97d8-4243-851f-7b709d671ec3"
            ],
            "id": "AppAccessGroup_9efccf37-c6cf-f1fd-9f99-9797b23d8cd9"
          },
          "sensitive_attributes": [],
          "private": "bnVsbA==",
          "dependencies": [
            "data.ad_computer.c",
            "data.ad_group.g",
            "data.ad_user.u"
          ]
        }
      ]
    }

So every time the code is applied, the resource is destroyed because it does not have any matching members.

To avoid this problem, the principals should be specified with their GUID, rather than Distinguished Name or SAM Account Name. So, the code gets more complex to keep descriptive names (for readability) and fetch the respective IDs for the resource block.

johanlundberg92 · June 20, 2024, 8:16am

Ran into the same problem today. I forked the provider and added an option for configuring which attribute to use for ad_group_membership. My use-case involves creating users dynamically and also populating groups dynamically and since the objectGUID is not known beforehand this made it impossible, but with my own fork it works.

Feel free to use it.

alexleach · April 7, 2025, 12:48pm

Hi, I’ve also just rum across the same issue. It also makes it incredibly slow to apply, as I’ve over a hundred groups referenced by name, not GUID. I don’t suppose you’ve thought about creating an issue and PR to push it upstream?

roy.madden · April 7, 2025, 4:42pm

Alex,

I have not created an issue, nor pushed anything upstream.

My project was put on hold, so I have not put anymore effort into this specific problem.

If this changes I probably will create and issue with Hashi.

Regards,

alexleach · April 13, 2025, 8:43am

Hi Roy, thanks for your quick reply. I only just saw it, after going through open tabs on my phone to close. (Need to look for notification settings I suppose).

I did find a PR created by a Yrix90, which addresses the problem by adding a “membership_attribute” option to the configuration. I thought it was yours actually!

Anyway, I’ve had my own stab at hacking the ad_group_membership code in the hashicorp/ad provider, so now any attribute can be specified in the group_members list. I put a PR up at:-

github.com/hashicorp/terraform-provider-ad

fix: Remember Group Membership Names

main ← alexleach:main

opened 08:25AM - 13 Apr 25 UTC

alexleach

+110 -13

### Description As per Issue https://github.com/hashicorp/terraform-provider-…ad/issues/196, `ad_group_membership` stores only a member's GUID in the state file. So, when the configuration uses `SamAccountName`, `DN` or `SID`, a terraform refresh / plan will try and remove and re-add the group member each time. I do not plan on putting member `GUID`s in the configuration, which would be a nightmare to maintain. I need this because I've implemented RBAC groups and memberships with this terraform provider for a client and have nearly 300 ad_groups and ad_group_memberships to modify each run, so the current behaviour of trying to remove and re-add each group membership is unacceptable. This patch Computes `GUID`, `DN`, `SID` and `SamAccountName` from Active Directory, and stores them in the State file. On refresh / plan, a `DiffSuppressFunc` function compares the `Identity` in the configuration, to all of those attributes, so only produces a diff if there is a true change in the group_members of `ad_group_membership`. @Yrix90 proposed adding a `membership_attribute` to the configuration, allowing users to specify what attribute to compare between the Configuration and Host. What I didn't like is that the patch doesn't allow a mix of Identity types, which this PR would allow, while negating the need to add an extra `membership_attribute` to the configuration. So, this PR allows users to use a mix of attribute types for group_members. e.g. Groups may be referenced `SamAccountName`, Users by `DN`, for example, or just a complete mix-and-match. One other change perhaps worth mentioning. I have changed the `GroupMember` struct in [`ad/internal/winrmhelper/winrm_group_membership.go`](https://github.com/hashicorp/terraform-provider-ad/compare/main...alexleach:terraform-provider-ad:main#diff-6ec3a81d3dc859201b6536a64ac711508b207792edd254b784b86f782fe7f992) which represents the `group_members` list of strings entered into the configuration, renaming `Name` to `Identity`. The Active Directory schema has a `Name` attribute for Users and Groups, but Users and Groups can't be found by their `Name`, as it is not guaranteed to be unique. So, to avoid confusion, I've changed this to `Identity`, which is how the parameter is named in `Get-ADObject`, `Get-ADUser` and `Get-ADGroup`, e.g. ```powershell PS C:\Users\a.leach> Get-Help Get-ADObject NAME Get-ADGroup SYNTAX Get-ADGroup **[-Identity]** <ADGroup> [-AuthType {Negotiate | Basic}] [-Credential <pscredential>] [-Partition <string>] [-Properties <string[]>] [-Server <string>] [-ShowMemberTimeToLive] [<CommonParameters>] ``` ### References Fixes Issue https://github.com/hashicorp/terraform-provider-ad/issues/196 Supersedes PR https://github.com/hashicorp/terraform-provider-ad/pull/208 ### Personal Note This is my first time writing any Go code, and I've only used terraform a small handful of times. So, this took me an embarrassingly long amount of time to figure out and get working, even with a lot of assistance from VS Code CoPilot! The schema modifications in [`ad/resource_ad_group_membership.go`](https://github.com/hashicorp/terraform-provider-ad/compare/main...alexleach:terraform-provider-ad:main#diff-6ec3a81d3dc859201b6536a64ac711508b207792edd254b784b86f782fe7f992) could probably be improved from my implementation. I currently store `group_members` and `group_member_details` as two `TypeSets`, so each time one needs to look up a specific group_member's details, I need to look through the set comparing attributes. A `TypeMap` would probably be better, but either way, it works. ### Community Note * Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request * If you are interested in working on this issue or have submitted a pull request, please leave a comment

Maybe it will help someone else. (I’ll try and figure out how to publish it to terraform.io for anyone else to use, as upstream looks fairly abandoned?).

Cheers,
Alex

Topic		Replies	Views
Adding Users to AD group (windows AD) using Terraform Enterprise Terraform	0	331	November 8, 2022
AD Group Management Example: The "for_each" value depends on resource attributes that cannot be determined until apply Terraform	1	565	September 9, 2022
Replication of Azure AD group members from one tenant to another Terraform hcp-terraform , azure	1	345	March 9, 2023
Add azure ad group to azure devops project group Terraform Providers	4	1351	January 10, 2024
Azure IAM using Terraform ( purging of existing users and replacing them with new ones) is not the expected behaviour Azure hcp-terraform , azure	0	749	June 15, 2021

Active Directory Group Membership

Related topics