Description
Describe the bug
We have a teardown pipeline which tried to remove multiple machine catalogs and associated resources (Delivery Group, Resource Pool and Azure resources) in parallel, where all failed with the same error on Terraform destroy:
╷
│ Error: Error deleting Machine Catalog MACHINE_CATALOG_NAME
│
│ TransactionId: REDACTED
│ JobId: REDACTED
│
│ Error Message : 6 account failures occurred.
│ DOMAIN\account0011$,DOMAIN\account0007$,DOMAIN\account0010$,DOMAIN\account0009$,DOMAIN\account0013$,DOMAIN\account0012$: 6 of 6 accounts could not be deleted from the identity pool. Note that this result can occur if you do not have the required Active Directory permissions.
╵
We know that the correct access is in place, since it usually works and the same identity initially created the machine catalogs and associated resources.
When I re-ran our pipeline I was met by a new error for all the same machine catalogs on Terraform plan:
╷
│ Error: Invalid Attribute Value
│
│ with module.citrix_machine_catalog.citrix_delivery_group.default,
│ on modules/machine-catalog/main.tf line 63, in resource "citrix_delivery_group" "default":
│ 63: associated_machine_catalogs = local.associated_machine_catalogs
│
│ Attribute
│ associated_machine_catalogs[Value({"machine_catalog":"REDACTED","machine_count":0})].machine_count
│ value must be at least 1, got: 0
╵
This error indicated that the machines actually were deleted, which seemed weird at first. After checking the relevant machine catalogs in Citrix DaaS I could confirm all underlying machines had been deleted. Only "empty" machine catalogs remained.
So, it seems like the initial deletion partially worked (Machines were removed) but not the machine catalog. The next teardown fails since we look up the current value in Citrix DaaS for our machine count in certain cases, and then we pass 0 in, which is an invalid value.
Terraform command (import, apply, etc):
Resource impacted:
Issue reproducible outside of Terraform:
Versions
Terraform: 1.14.3
citrix/citrix provider: 1.0.30
Environment type: Cloud
Hypervisor type (if applicable): Azure
Terraform configuration files
resource "citrix_machine_catalog" "machine_catalog_tf" {
  count = var.catalog.deploy_catalog_with_terraform ? 1 : 0
  name = var.catalog.name
  zone = data.citrix_zone.azure_location_zone.id
  allocation_type = var.catalog.allocation_type
  provisioning_type = "MCS"
  session_support = "SingleSession"
  delete_machine_accounts = "Delete"
  scopes = []
  persist_user_changes = var.catalog.persist_user_changes
  minimum_functional_level = var.catalog.functional_level
  provisioning_scheme = {
    number_of_total_machines = var.catalog.number_of_machines
    hypervisor = var.hypervisor.id
    hypervisor_resource_pool = var.hypervisor.resource_pool_id
    identity_type = "ActiveDirectory"
    machine_domain_identity = {
      domain = var.domain.domain
      domain_ou = var.catalog.ou
      service_account = var.domain.admin_username
      service_account_password = var.domain.admin_password
    }
    network_mapping = [{
      network = var.catalog.subnet_name
      network_device = "0"
    }]
    azure_machine_config = {
      storage_type = "Premium_LRS"
      use_managed_disks = true
      service_offering = var.catalog.vm_size
      license_type = "Windows_Client"
      vda_resource_group = var.tenant.rg_name
      master_image_note = var.catalog.image.master_note
      machine_profile = {
        machine_profile_resource_group = var.tenant.rg_name
        machine_profile_template_spec_name = azapi_resource.template_spec.name
        machine_profile_template_spec_version = azapi_resource.template_spec_version.name
      }
      azure_master_image = {
        resource_group = var.catalog.image.managed_disk_rg_name
        master_image = var.catalog.image.managed_disk
      }
    }
    machine_account_creation_rules = {
      naming_scheme = var.catalog.naming_scheme
      naming_scheme_type = "Numeric"
    }
  }
  lifecycle {
    ignore_changes = [
      provisioning_scheme.number_of_total_machines
    ]
  }
}
resource "citrix_delivery_group" "default" {
  name = var.delivery_group.name
  minimum_functional_level = var.catalog.functional_level
  associated_machine_catalogs = local.associated_machine_catalogs
  delivery_type = var.delivery_group.type
  session_support = "SingleSession"
  sharing_kind = local.is_static ? "Private" : "Shared"
  make_resources_available_in_lhc = local.is_static ? null : true
  desktops = [{
    enabled = true
    published_name = var.delivery_group.published_name
    enable_session_roaming = local.is_static ? null : false
  }]
  autoscale_settings = {
    autoscale_enabled = true
    off_peak_buffer_size_percent = 10
    peak_buffer_size_percent = 10
    timezone = coalesce(var.catalog.time_zone, "UTC")
    power_time_schemes = [for scheme in (local.use_default_peak_schedules ? local.default_peak_schedules : local.custom_peak_schedules) :
      {
        display_name = scheme.display_name
        days_of_week = scheme.days_of_week
        peak_time_ranges = scheme.peak_time_ranges
        pool_size_schedules = length(scheme.pool_size_schedules) == 0 ? null : scheme.pool_size_schedules
        pool_using_percentage = scheme.pool_using_percentage
      }
    ]
  }
  restricted_access_users = {
    allow_list = local.catalog_ad_groups
  }
  lifecycle {
    ignore_changes = [
      delivery_type,
      custom_access_policies,
      sharing_kind,
      session_support,
      reboot_schedules
    ]
  }
}
module "location_code" {
  source = "REDACTED"
  location_name = data.azurerm_resource_group.shared.location
}
resource "azapi_resource" "template_spec" {
  type = "Microsoft.Resources/templateSpecs@2022-02-01"
  name = "default-machine-profile"
  parent_id = var.tenant.rg_id
  location = var.catalog.location
  body = {
    properties = {
      displayName = "Default machine profile"
    }
  }
}
resource "azapi_resource" "template_spec_version" {
  type = "Microsoft.Resources/templateSpecs/versions@2022-02-01"
  name = "1.0.0"
  parent_id = azapi_resource.template_spec.id
  location = var.catalog.location
  body = {
    properties = {
      description = "Template for Citrix machine catalog"
      mainTemplate = {
        "$schema" : "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion" : "1.0.0.0"
        "resources" : [REDACTED]
      }
    }
  }
}
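
An added example, not part of the original report or of the provider's code: a check a teardown pipeline could run over captured `terraform destroy` output to flag the identity-pool failure quoted above and list the machine accounts it names, so they can be verified in Active Directory before the next run. The function name and the output-capture step are assumptions; the sample text is constructed from the error in the report.

```python
import re

# Constructed sample: the destroy error quoted in the report, names as redacted there.
SAMPLE_DESTROY_OUTPUT = r"""
╷
│ Error: Error deleting Machine Catalog MACHINE_CATALOG_NAME
│
│ TransactionId: REDACTED
│ JobId: REDACTED
│
│ Error Message : 6 account failures occurred.
│ DOMAIN\account0011$,DOMAIN\account0007$,DOMAIN\account0010$,DOMAIN\account0009$,DOMAIN\account0013$,DOMAIN\account0012$: 6 of 6 accounts could not be deleted from the identity pool. Note that this result can occur if you do not have the required Active Directory permissions.
╵
"""

CATALOG_RE = re.compile(r"Error deleting Machine Catalog (?P<name>.+?)\s*$")
ACCOUNTS_RE = re.compile(
    r"(?P<accounts>[^\s,]+\$(?:,[^\s,]+\$)*): (?P<failed>\d+) of (?P<total>\d+) "
    r"accounts could not be deleted from the identity pool"
)

def find_identity_pool_failures(output):
    """Return one finding per catalog whose machine accounts were not removed."""
    findings, catalog = [], None
    for raw in output.splitlines():
        line = raw.lstrip("│╷╵ ").rstrip()  # drop Terraform's diagnostic box border
        m = CATALOG_RE.search(line)
        if m:
            catalog = m.group("name")  # applies to the account line that follows
            continue
        m = ACCOUNTS_RE.search(line)
        if m:
            accounts = m.group("accounts").split(",")
            findings.append({
                "catalog": catalog,
                "accounts": accounts,
                "failed": int(m.group("failed")),
                "total": int(m.group("total")),
                # The count in the message should match the names listed.
                "consistent": len(accounts) == int(m.group("failed")),
            })
    return findings

if __name__ == "__main__":
    for f in find_identity_pool_failures(SAMPLE_DESTROY_OUTPUT):
        print(f"{f['catalog']}: {f['failed']}/{f['total']} accounts to verify in AD")
        for name in f["accounts"]:
            print("  ", name)
```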