Description
Hi, this is a follow-up to #30. Even with the new msgraph_resource_collection, I'm not able to delete a group once it has owners.
Our scenario: Groups count towards the per-principal limit of 250 owned objects. To solve this without tenant-wide permissions, we created an administrative unit and made our service principal "Groups Administrator" on that AU. It therefore has permission to manage all groups within that AU without being explicitly set as the owner.
We can create the group without owners using this provider. However, we also have cases where we need to add individual users as owners to those groups. We're therefore combining the group-resource with a msgraph_resource_collection-resource which manages the individual owners.
```hcl
# This does NOT add the current principal as an owner to the group.
resource "msgraph_resource" "group" {
  url = "directory/administrativeUnits/${local.administrative_unit_id}/members"
  body = {
    "@odata.type"      = "#microsoft.graph.group"
    displayName        = local.group_name
    mailNickname       = local.group_name
    securityEnabled    = true
    mailEnabled        = false
    isAssignableToRole = false
  }
}

# Manage all group owners as a collection
resource "msgraph_resource_collection" "group_owners" {
  url = "groups/${msgraph_resource.group.id}/owners/$ref"
  reference_ids = [
    "bbb9d8f1-acdc-4f72-9520-e1ecc4456c37", # User 1
    "80c7bb8b-0116-4dfc-877b-da31ba8fe3aa", # User 2
  ]
}
```

The problem is that when we want to delete the group, the msgraph_resource_collection-resource wants to delete all the owners and fails with the following error:
```text
Error: Failed to sync collection
│
│ errors during sync: [DELETE
│ https://graph.microsoft.com/v1.0/groups/{GROUP_GUID_REDACTED}/owners/{USER_GUID_REDACTED}/$ref
│ --------------------------------------------------------------------------------
│ RESPONSE 400: 400 Bad Request
│ ERROR CODE: Request_BadRequest
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "Request_BadRequest",
│     "message": "The group must have at least one owner, hence this owner cannot be removed.",
│     "innerError": {
│       "date": "2025-12-03T09:14:34",
│       "request-id": "[REDACTED]",
│       "client-request-id": "[REDACTED]"
│     }
│   }
│ }
│ --------------------------------------------------------------------------------
│ ]
```
I think that this is an issue with Entra ID - it should allow groups without owners in all cases.
But since this probably won't be solved anytime soon, I'm wondering if we could add a flag to msgraph_resource_collection which results in a no-op if the resource is destroyed. That way, Entra ID would keep the owners when it destroys the msgraph_resource_collection-resource and it would then delete the group (which also deletes the owner-references) when it destroys the msgraph_resource for the group.
Proposed syntax:

```hcl
resource "msgraph_resource_collection" "group_owners" {
  url = "groups/${msgraph_resource.group.id}/owners/$ref"
  reference_ids = [
    "bbb9d8f1-acdc-4f72-9520-e1ecc4456c37", # User 1
    "80c7bb8b-0116-4dfc-877b-da31ba8fe3aa", # User 2
  ]

  # This will keep the reference_ids in sync for regular create & update scenarios,
  # but it will NOT call the API when the resource is destroyed.
  # (The name of the field isn't great yet - do you have better suggestions?)
  keep_references_on_destroy = true
}
```
I think this would be useful for any child collection which is automatically deleted together with its parent resource.
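The ordering problem described in this issue, as an added illustration that is not the provider's code: a constructed in-memory stand-in for the `owners/$ref` endpoint enforces the "at least one owner" rule, a hypothetical `sync_collection`/`destroy_collection` pair models the collection's reconcile and destroy paths, and `scenario()` shows why destroying the collection before the group fails while the proposed no-op flag lets the group deletion remove the references instead.

```python
class GraphError(Exception):
    """Stands in for a Graph 400 Request_BadRequest response."""


class FakeGraph:
    """Constructed model of group owner references; not a real Graph client."""

    def __init__(self):
        self.groups = {}  # group id -> set of owner ids

    def create_group(self, group_id):
        self.groups[group_id] = set()

    def add_owner(self, group_id, owner_id):
        self.groups[group_id].add(owner_id)

    def remove_owner(self, group_id, owner_id):
        owners = self.groups[group_id]
        if owner_id in owners and len(owners) == 1:
            raise GraphError("The group must have at least one owner, "
                             "hence this owner cannot be removed.")
        owners.discard(owner_id)

    def delete_group(self, group_id):
        del self.groups[group_id]  # owner references go away with the group


def sync_collection(graph, group_id, desired):
    """Create/update path: reconcile desired owner ids against Graph."""
    current = set(graph.groups[group_id])
    for owner in sorted(desired - current):
        graph.add_owner(group_id, owner)
    for owner in sorted(current - desired):
        graph.remove_owner(group_id, owner)  # last owner raises here
    return set(graph.groups[group_id])


def destroy_collection(graph, group_id, keep_references_on_destroy=False):
    """Destroy path: with the proposed flag set, make no API call at all."""
    if keep_references_on_destroy:
        return "skipped"
    sync_collection(graph, group_id, set())
    return "deleted"


def scenario(keep_references_on_destroy):
    """Mirror the issue: two owners, destroy the collection, then the group."""
    graph = FakeGraph()
    graph.create_group("group")
    sync_collection(graph, "group", {"user1", "user2"})
    try:
        result = destroy_collection(graph, "group", keep_references_on_destroy)
    except GraphError:
        return "error"  # terraform destroy stops here; group is left behind
    graph.delete_group("group")
    return result
```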