
[BUG] filteredSync & domainConfigurationType not applied. #28691

Status: Open
Labels: bug, customer-reported, Mgmt, question


@QBY-ChristianHartmann

API Spec link

https://github.com/Azure/azure-rest-api-specs/blob/main/specification/domainservices/resource-manager/Microsoft.AAD/stable/2021-05-01/domainservices.json

API Spec version

2021-05-01

Describe the bug

Came here from an azurerm bug, since this is apparently an API bug.
filteredSync & domainConfigurationType not applied.

hashicorp/terraform-provider-azurerm#25575
X-Ms-Correlation-Request-Id: 36fbaa54-bf05-949b-a27b-b0366c48951f

Expected behavior

Microsoft Entra Domain Services is deployed with domainConfigurationType = "ResourceTrusting", filteredSync = true.

Actual behavior

Microsoft Entra Domain Services is deployed with domain_configuration_type = "FullySynced", filtered_sync_enabled = false. Another terraform apply shows that the Domain Services must be replaced, since the domain_configuration_type in the Terraform code is different from the actually deployed configuration. Plan after apply:
resource "azurerm_active_directory_domain_service" "eds" {
~ deployment_id = "90fdfb16-de88-4e98-849a-3a03605896fe" -> (known after apply)
~ domain_configuration_type = "FullySynced" -> "ResourceTrusting" # forces replacement
~ filtered_sync_enabled = false -> true

Reproduction Steps

apply the following terraform code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "deploy" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "deploy" {
  name                = "deploy-vnet"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name
  address_space       = ["10.0.1.0/16"]
}

resource "azurerm_subnet" "deploy" {
  name                 = "deploy-subnet"
  resource_group_name  = azurerm_resource_group.deploy.name
  virtual_network_name = azurerm_virtual_network.deploy.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_network_security_group" "deploy" {
  name                = "deploy-nsg"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name

  security_rule {
    name                       = "AllowSyncWithAzureAD"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowRD"
    priority                   = 201
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "CorpNetSaw"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowPSRemoting"
    priority                   = 301
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5986"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowLDAPS"
    priority                   = 401
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "636"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "deploy" {
  subnet_id                 = azurerm_subnet.deploy.id
  network_security_group_id = azurerm_network_security_group.deploy.id
}

resource "azuread_group" "dc_admins" {
  display_name     = "AAD DC Administrators"
  security_enabled = true
}

resource "azuread_user" "admin" {
  user_principal_name = "dc-admin@hashicorp-example.com"
  display_name        = "DC Administrator"
  password            = "Pa55w0Rd!!1"
}

resource "azuread_group_member" "admin" {
  group_object_id  = azuread_group.dc_admins.object_id
  member_object_id = azuread_user.admin.object_id
}

resource "azuread_service_principal" "example" {
  application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services
}

resource "azurerm_resource_group" "aadds" {
  name     = "aadds-rg"
  location = "westeurope"
}

resource "azurerm_active_directory_domain_service" "example" {
  name                = "example-aadds"
  location            = azurerm_resource_group.aadds.location
  resource_group_name = azurerm_resource_group.aadds.name

  domain_name           = "widgetslogin.net"
  sku                   = "Enterprise"
  filtered_sync_enabled     = true
  domain_configuration_type = "ResourceTrusting"

  initial_replica_set {
    subnet_id = azurerm_subnet.deploy.id
  }

  notifications {
    additional_recipients = ["notifyA@example.net", "notifyB@example.org"]
    notify_dc_admins      = true
    notify_global_admins  = true
  }

  security {
    sync_kerberos_passwords = true
    sync_ntlm_passwords     = true
    sync_on_prem_passwords  = true
  }

  tags = {
    Environment = "prod"
  }

  depends_on = [
    azuread_service_principal.example,
    azurerm_subnet_network_security_group_association.deploy,
  ]
}

Environment

No response
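A post-apply check for the drift described above, added here as an example and not part of the issue or of the Terraform provider: it maps the provider's two arguments to the REST properties of the linked domainservices.json spec (my reading of the spec: filteredSync is the string enum Enabled/Disabled, domainConfigurationType is FullySynced or ResourceTrusting) and compares a GET response against the intended values. The GET body is constructed to mirror the report, and the subscription id in it is a placeholder.

```python
"""Drift check for Microsoft.AAD/domainServices create/update properties."""
from typing import Dict, List

# Allowed values as read from the linked 2021-05-01 domainservices.json spec.
DOMAIN_CONFIGURATION_TYPES = {"FullySynced", "ResourceTrusting"}


def to_api_properties(filtered_sync_enabled: bool,
                      domain_configuration_type: str) -> Dict[str, str]:
    """Map the azurerm arguments to the REST 'properties' the API expects.

    The provider exposes filtered_sync_enabled as a bool; the spec models
    filteredSync as the string enum Enabled/Disabled (assumption, see lead-in).
    """
    if domain_configuration_type not in DOMAIN_CONFIGURATION_TYPES:
        raise ValueError(f"unknown domainConfigurationType: {domain_configuration_type}")
    return {
        "filteredSync": "Enabled" if filtered_sync_enabled else "Disabled",
        "domainConfigurationType": domain_configuration_type,
    }


def find_drift(desired: Dict[str, str], get_response: dict) -> List[str]:
    """Compare desired properties with a GET domainServices response body.

    Returns one message per property whose deployed value differs from the
    intended one, so a pipeline can fail instead of silently accepting a
    FullySynced, unfiltered managed domain that the plan never asked for.
    """
    actual = get_response.get("properties", {})
    drift = []
    for key, want in desired.items():
        got = actual.get(key)
        if got != want:
            drift.append(f"{key}: expected {want!r}, deployed {got!r}")
    return drift


# Constructed GET response mirroring the behaviour in the report above.
SAMPLE_GET_RESPONSE = {
    "id": "/subscriptions/<subscription-id>/resourceGroups/aadds-rg"
          "/providers/Microsoft.AAD/domainServices/example-aadds",
    "properties": {
        "domainName": "widgetslogin.net",
        "filteredSync": "Disabled",
        "domainConfigurationType": "FullySynced",
    },
}

if __name__ == "__main__":
    for line in find_drift(to_api_properties(True, "ResourceTrusting"), SAMPLE_GET_RESPONSE):
        print("DRIFT", line)
```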

QBY-ChristianHartmann added the bug label on Apr 15, 2024.
microsoft-github-policy-service bot added the question and customer-reported labels on Apr 15, 2024.
zzhxiaofeng added the Mgmt label on Apr 15, 2024.
@zzhxiaofeng (Member)

@qianwens Please help have a look, thank you.
