
Referencing the principal_id for an azurerm_app_configuration with SystemAssigned identity #22703

Open · 1 task done
flcdrg opened this issue Jul 27, 2023 · 6 comments
Labels: service/app-configuration; upstream/terraform (This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, the Plugin SDK, etc.)); v/3.x

Comments

@flcdrg (Contributor)

flcdrg commented Jul 27, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.4.6

AzureRM Provider Version

3.66.0

Affected Resource(s)/Data Source(s)

azurerm_app_configuration

Terraform Configuration Files

resource "azurerm_app_configuration" "app_conf" {
  name                       = "appconfig"
  location                   = data.azurerm_resource_group.group.location
  resource_group_name        = data.azurerm_resource_group.group.name
  sku                        = "standard"
  public_network_access      = "Disabled"
  soft_delete_retention_days = 1
  local_auth_enabled         = false

  # Updating resource to add this
  identity {
    type = "SystemAssigned"
  }
}

# Adding this
resource "azurerm_role_assignment" "app_config_system_identity_log_analytics_contributor" {
  scope                = data.azurerm_resource_group.group.id
  role_definition_name = "Log Analytics Contributor"
  principal_id         = azurerm_app_configuration.app_conf.identity[0].principal_id
}

Debug Output/Panic Output

Error: Missing required argument
│
│   with azurerm_role_assignment.app_config_system_identity_log_analytics_contributor,
│   on app-config.tf line 20, in resource "azurerm_role_assignment" "app_config_system_identity_log_analytics_contributor":
│   20:   principal_id         = azurerm_app_configuration.app_conf.identity[0].principal_id
│
│ The argument "principal_id" is required, but no definition was found.

Expected Behaviour

Should be able to reference identity's principal_id

Actual Behaviour

Error: Missing required argument

Steps to Reproduce

  1. Create azurerm_app_configuration without identity
  2. Update azurerm_app_configuration, adding SystemAssigned identity and add other Terraform that tries to reference the identity

Important Factoids

No response

References

No response

@flcdrg (Contributor, Author)

flcdrg commented Jul 27, 2023

If the SystemAssigned identity already exists, then plan/apply does work without error.

@teowa (Contributor)

teowa commented Jul 27, 2023

Hi @flcdrg , thanks for submitting this issue,
I can successfully reproduce the error with terraform plan command. This should be a Terraform Core issue rather than the azurerm provider issue. And if creating both resources from scratch, it can succeed.

plan details:

-> % terraform plan
azurerm_resource_group.example: Refreshing state... [id=/subscriptions/xxx/resourceGroups/wt-test-apc]
azurerm_app_configuration.app_conf: Refreshing state... [id=/subscriptions/xxx/resourceGroups/wt-test-apc/providers/Microsoft.AppConfiguration/configurationStores/appconfigwt2541]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  ~ update in-place

Terraform planned the following actions, but then encountered a problem:

  # azurerm_app_configuration.app_conf will be updated in-place
  ~ resource "azurerm_app_configuration" "app_conf" {
        id                         = "/subscriptions/xxx/resourceGroups/wt-test-apc/providers/Microsoft.AppConfiguration/configurationStores/appconfigwt2541"
        name                       = "appconfigwt2541"
        tags                       = {}
        # (11 unchanged attributes hidden)

      + identity {
          + type = "SystemAssigned"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Error: Missing required argument
│
│   with azurerm_role_assignment.app_config_system_identity_log_analytics_contributor,
│   on main.tf line 36, in resource "azurerm_role_assignment" "app_config_system_identity_log_analytics_contributor":
│   36:   principal_id         = azurerm_app_configuration.app_conf.identity[0].principal_id
│
│ The argument "principal_id" is required, but no definition was found.

workarounds for this are:

  1. as mentioned, use terraform apply -target=azurerm_app_configuration.app_conf to update the app conf first and then create the azurerm_role_assignment
  2. add a datasource and refer to the datasource in azurerm_role_assignment; in this way the above update and create together can work:

config detail:

provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "example" {
  name     = "wt-test-apc"
  location = "West Europe"
}

resource "azurerm_app_configuration" "app_conf" {
  name                       = "appconfigwt25412"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  sku                        = "standard"
  soft_delete_retention_days = 1

  # Updating resource to add this
  identity {
    type = "SystemAssigned"
  }
}

data "azurerm_app_configuration" "app_conf" {
  name                = azurerm_app_configuration.app_conf.name
  resource_group_name = azurerm_app_configuration.app_conf.resource_group_name
}

## Adding this
resource "azurerm_role_assignment" "app_config_system_identity_log_analytics_contributor" {
  scope                = azurerm_resource_group.example.id
  role_definition_name = "Log Analytics Contributor"
  principal_id         = data.azurerm_app_configuration.app_conf.identity[0].principal_id
}

@rcskosir rcskosir added the upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) label Jul 27, 2023
@Developer1347

I'm having a similar issue with the managed identities on azurerm_windows_web_app and azurerm_windows_web_app_slot. Unfortunately azurerm_windows_web_app_slot does not have a datasource implementation to be able to use the second workaround.

@teowa do you have any additional information that could be entered when creating the bug in the Terraform Core to help explain the problem?

@restfulhead

restfulhead commented Dec 8, 2023

Also happens for azurerm_search_service.

resource "azurerm_search_service" "my_search" {
  ...

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_role_assignment" "my_role" {
  scope                = azurerm_cosmosdb_account.mydb.id
  role_definition_name = "Cosmos DB Account Reader Role"
  principal_id         = azurerm_search_service.my_search.identity[0].principal_id

  depends_on = [azurerm_search_service.my_search]
}

Causes: The argument "principal_id" is required, but no definition was found.

@julienLemarie

Same issue for me, and also unable to use the workaround with the slot (azurerm_linux_web_app_slot does not have a datasource implementation).

@manjinder-mckc

Happens for the azurerm_cognitive_account resource too, using the SpeechServices kind.

7 participants