Management Groups Don't Work So Well #8023

Closed
simongh opened this issue Aug 5, 2020 · 4 comments

@simongh
Contributor

simongh commented Aug 5, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Affected Resource(s)

  • azurerm_management_group
  • data.azurerm_management_group

Terraform Configuration Files

resource "azurerm_management_group" "dev" {
  display_name = "test"
  name         = "test"
}

Debug Output

n/a

Panic Output

n/a

Expected Behavior

Should be able to import an existing management group that uses a specific name rather than a GUID.

Should be able to use the data resource to reference a previously created management group

Actual Behavior

If you have a management group that uses a specific name rather than a GUID, it won't get imported. It'll be created ok, but you can't manage existing resources.

Furthermore, trying to use the data resource results in a case change for the id, which means anything depending on this, such as roles, think they need recreating.

Steps to Reproduce

  1. terraform apply

Important Factoids

Error: Error parsing Resource ID "/providers/Microsoft.Management/ManagementGroups/test": Unable to parse Management Group ID "/providers/Microsoft.Management/ManagementGroups/test"

  # azurerm_role_assignment.devtest_qa_website_contributor must be replaced
-/+ resource "azurerm_role_assignment" "devtest_qa_website_contributor" {
      ~ id                               = "/providers/Microsoft.Management/ManagementGroups/test/providers/Microsoft.Authorization/roleAssignments/XXXXXXXX-XXX-XXXX-XXXX-eff97a62e330" -> (known after apply)
      ~ name                             = "XXXXXXXX-XXX-XXXX-XXXX-eff97a62e330" -> (known after apply)
        principal_id                     = "XXXXXXXX-XXX-XXXX-XXXX-70e90be0c90b"
      ~ principal_type                   = "Group" -> (known after apply)
      ~ role_definition_id               = "/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXX-XXX-XXXX-XXXX-808fbbe84772" -> (known after apply)
        role_definition_name             = "Website Contributor"
      ~ scope                            = "/providers/Microsoft.Management/ManagementGroups/test" -> "/providers/Microsoft.Management/managementGroups/test" # forces replacement
      + skip_service_principal_aad_check = (known after apply)
    }

References

  • #0000
@BrendanThompson
Contributor

There are some parallels to #8251.

@DenWin
Contributor

DenWin commented Nov 12, 2020

I cannot really see whether something was already done here, but I assume the problem is that the existing value differs from the new one - in this case it is a form of case-sensitivity:

~ scope = "/providers/Microsoft.Management/ManagementGroups/test" -> "/providers/Microsoft.Management/managementGroups/test" # forces replacement

To be precise ".../ManagementGroups/test" vs ".../managementGroups/test"
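
A check that can be run on a saved plan to catch the case-only `scope` change described above before it deletes and recreates role assignments; this is an added example, not code from the thread or from the provider. The function name `caseOnlyReplacements` and the sample JSON are constructed here, and the field names are assumed to follow the `terraform show -json` plan representation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the `terraform show -json <planfile>` schema used by this check.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			Actions []string               `json:"actions"`
			Before  map[string]interface{} `json:"before"`
			After   map[string]interface{} `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// caseOnlyReplacements (hypothetical helper) returns the addresses of role
// assignments that would be replaced although the scope differs only in casing.
func caseOnlyReplacements(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	var hits []string
	for _, rc := range p.ResourceChanges {
		if rc.Type != "azurerm_role_assignment" || len(rc.Change.Actions) != 2 {
			continue // a replacement is reported as two actions: delete and create
		}
		before, _ := rc.Change.Before["scope"].(string)
		after, _ := rc.Change.After["scope"].(string)
		if before != "" && before != after && strings.EqualFold(before, after) {
			hits = append(hits, rc.Address)
		}
	}
	return hits, nil
}

// Constructed sample, modelled on the plan output quoted in the issue.
const samplePlan = `{"resource_changes":[{"address":"azurerm_role_assignment.devtest_qa_website_contributor","type":"azurerm_role_assignment","change":{"actions":["delete","create"],"before":{"scope":"/providers/Microsoft.Management/ManagementGroups/test"},"after":{"scope":"/providers/Microsoft.Management/managementGroups/test"}}}]}`

func main() {
	hits, err := caseOnlyReplacements([]byte(samplePlan))
	fmt.Println(hits, err)
}
```

A non-empty result means the plan would drop and re-grant access for a change that is only a casing difference in the management group path.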

@favoretti
Contributor

Thanks for opening this issue! Since this issue was reported a long time ago and relates to an older version of the provider, I'm going to close it. If this is still relevant and occurring on the latest version of Terraform and the provider, please do open a new issue!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2021