'azurerm_management_group' before deleting a management group, return any subscriptions to tenant root fails on terraform destroy

[jpicken12]

Is there an existing issue for this?

• I have searched the existing issues

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Error occurs when running terraform destroy with azurerm_management_group where subscription(s) are to be returned to the tenant root group.

This issues has been raised previously as #7216 but fails in later versions of azurerm provider.

tests

I tested version 2.14.0 of the provider, where this issue was originally fixed, and confirmed it works. I was able to apply a management group containing a subscription and subsequently destroy it. It was necessary to use compatible versions of terraform and az cli (which I'm using for authentication) with such an old version of the provider.

But tests on later versions, using the same terraform code, fail with the error below

azurerm provider	terraform	azurecli	Result
4.12.0	1.10.1	2.67.0	Fail
2.14.0	0.13.7	2.29.0	Pass

main.tf

resource "azurerm_management_group" "parent" {
display_name = var.management_group_parent
subscription_ids = [
data.azurerm_subscription.current.subscription_id,
]
}

Error

│ Error: unable to parse child Subscription ID parsing "/subscriptions/81d38f3d-bcb4-4af2-a48e-4250b35a3c15": parsing the Subscription ID: the number of segments didn't match
│
│ Expected a Subscription ID that matched (containing 6 segments):
│
│ > /providers/Microsoft.Management/managementGroups/groupId/subscriptions/12345678-1234-9876-4563-123456789012
│
│ However this value was provided (which was parsed into 0 segments):
│
│ > /subscriptions/00000000-0000-0000-0000-000000000000
│
│ The following Segments are expected:
│
│ * Segment 0 - this should be the literal value "providers"
│ * Segment 1 - this should be the name of the Resource Provider [for example 'Microsoft.Management']
│ * Segment 2 - this should be the literal value "managementGroups"
│ * Segment 3 - this should be the user specified value for this groupId [for example "groupId"]
│ * Segment 4 - this should be the literal value "subscriptions"
│ * Segment 5 - this should be the UUID of the Azure Subscription
│
│ The following Segments were parsed:
│
│ * Segment 0 - not found
│ * Segment 1 - not found
│ * Segment 2 - not found
│ * Segment 3 - not found
│ * Segment 4 - not found
│ * Segment 5 - not found

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.10.1

AzureRM Provider Version

4.12.0

Affected Resource(s)/Data Source(s)

azurerm_management_group

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.12.0"
    }
  }
}

provider "azurerm" {
  # Configuration options
  features {}
}

resource "azurerm_management_group" "parent" {
  display_name = var.management_group_parent
  subscription_ids = [
    data.azurerm_subscription.current.subscription_id,
  ]
}

Debug Output/Panic Output

│ Error: unable to parse child Subscription ID parsing "/subscriptions/81d38f3d-bcb4-4af2-a48e-4250b35a3c15": parsing the Subscription ID: the number of segments didn't match
│
│ Expected a Subscription ID that matched (containing 6 segments):
│
│ > /providers/Microsoft.Management/managementGroups/groupId/subscriptions/12345678-1234-9876-4563-123456789012
│
│ However this value was provided (which was parsed into 0 segments):
│
│ > /subscriptions/00000000-0000-0000-0000-000000000000
│
│ The following Segments are expected:
│
│ * Segment 0 - this should be the literal value "providers"
│ * Segment 1 - this should be the name of the Resource Provider [for example 'Microsoft.Management']
│ * Segment 2 - this should be the literal value "managementGroups"
│ * Segment 3 - this should be the user specified value for this groupId [for example "groupId"]
│ * Segment 4 - this should be the literal value "subscriptions"
│ * Segment 5 - this should be the UUID of the Azure Subscription
│
│ The following Segments were parsed:
│
│ * Segment 0 - not found
│ * Segment 1 - not found
│ * Segment 2 - not found
│ * Segment 3 - not found
│ * Segment 4 - not found
│ * Segment 5 - not found

Expected Behaviour

Subscription assigned to management group to be deleted should be reassigned to tenant root group before deletion.

Actual Behaviour

Error on terraform destroy

Steps to Reproduce

terraform destroy -auto-approve

Important Factoids

No response

References

#7216

[teowa]

Hi @jpicken12 , thanks for reporting this! I have submitted PR #28228 to fix this.