I’m trying to manage a set of AzureAD resources from a single map (so that we can declare users and a calculated set of groups they should be in in one place):
```hcl
variable "users" {
  default = {
    smccartney_test1 = { superuser = ["dv1", "us1"] }
    smccartney_test2 = { superuser = ["dv1", "us2"] }
  }
}

resource "azuread_user" "users" {
  for_each            = var.users
  user_principal_name = format("%s%s", each.key, "@dummy.com")
  password            = random_string.temp_password2.result
}

resource "azuread_group" "SuperUsers_US2" {
  name = "SuperUsers_US2"
  members = [
    for user in azuread_user.users :
    user.object_id
    if contains(lookup(var.users[user.mail_nickname], "superuser", []), "us2")
  ]
}
```
This works, but on the 1st terraform apply, only the user is created; on the 2nd plan & apply, the members for azuread_group.SuperUsers_US2 are updated correctly.
I’ve tried explicitly adding the azuread_user to the azuread_group dependency via `depends_on = [azuread_user.users]` and `depends_on = [azuread_user.users["smccartney_test3"]]`, neither of which results in the members property of the azuread_group being calculated correctly in the first pass.
Is this expected behaviour? Is there a way for me to have the members calculated correctly during the first plan?
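An added example, not part of the original post: because `azuread_user.users` uses `for_each`, it is a map with the same keys as `var.users`, so the membership filter can use that key instead of `user.mail_nickname`, an attribute the post's configuration does not set. The filter then depends only on `var.users`, which is known at plan time, and only `object_id` is left to be filled in at apply. It goes one step beyond the post by deriving one group per tag; `local.superuser_envs`, the `superusers` resource name and the `random_string` definition are assumptions.

```hcl
variable "users" {
  default = {
    smccartney_test1 = { superuser = ["dv1", "us1"] }
    smccartney_test2 = { superuser = ["dv1", "us2"] }
  }
}

locals {
  # Assumption: every distinct tag in the map gets its own SuperUsers group.
  # For the map above this is ["dv1", "us1", "us2"].
  superuser_envs = toset(flatten([
    for u in var.users : lookup(u, "superuser", [])
  ]))
}

# Assumption: the post references this resource without showing it.
resource "random_string" "temp_password2" {
  length = 16
}

resource "azuread_user" "users" {
  for_each            = var.users
  user_principal_name = format("%s%s", each.key, "@dummy.com")
  password            = random_string.temp_password2.result
}

resource "azuread_group" "superusers" {
  for_each = local.superuser_envs

  # Yields SuperUsers_DV1, SuperUsers_US1, SuperUsers_US2.
  name = "SuperUsers_${upper(each.key)}"

  members = [
    # "key" is the for_each key of the user, identical to the key in var.users,
    # so the condition never touches an attribute of the user resource.
    for key, user in azuread_user.users :
    user.object_id
    if contains(lookup(var.users[key], "superuser", []), each.key)
  ]
}
```

With the filter driven by the map alone, the plan shows which users land in each privileged group before anything is created, which makes the membership reviewable at plan time.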