azurerm_search_service can't enable SystemAssigned identity and apply azurerm_role_assignment in same plan #26731

Open
aeimer opened this issue Jul 22, 2024 · 2 comments


aeimer commented Jul 22, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

1.9.2

AzureRM Provider Version

~> 3.85

Affected Resource(s)/Data Source(s)

azurerm_search_service, azurerm_role_assignment

Terraform Configuration Files

resource "azurerm_search_service" "this" {
  # This is an existing search service WITHOUT the identity block
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_cognitive_account" "this" {
  # Some existing cognitive account
}

resource "azurerm_role_assignment" "cognitiveaccount_search_reader" {
  # This RBAC is new
  scope                = azurerm_search_service.this.id
  role_definition_name = "Search Index Data Reader"
  principal_id         = azurerm_cognitive_account.this.identity[0].principal_id
}

Debug Output/Panic Output

╷
│ Error: Missing required argument
│ 
│   with azurerm_role_assignment.azuresearch["swc-openai-s0"],
│   on cognitiveaccount.tf line 43, in resource "azurerm_role_assignment" "azuresearch":
│   43:   principal_id         = module.azuresearch.identity.principal_id
│ 
│ The argument "principal_id" is required, but no definition was found.
╵

Expected Behaviour

The provider should be able to enable the identity first and then use the generated values.

Actual Behaviour

The provider fails as the current state does not have the required properties.

Steps to Reproduce

  1. apply the code above without the azurerm_search_service identity block and without the RBAC assignment
  2. comment in the identity block and RBAC assignment
  3. apply again

Important Factoids

No response

References

No response

@liuwuliuyun
Contributor

Hi @aeimer, thank you for bringing this to our attention. I've confirmed the issue on my end as well. It occurs because Terraform attempts to locate the principal_id for the azurerm_role_assignment resource during plan generation, but fails since the principal_id hasn't been created yet. As a temporary solution, you can include the identity block for the initial terraform apply run. Afterwards, incorporate the azurerm_role_assignment and execute terraform apply again.

@liuwuliuyun
Contributor

Minimal template to reproduce:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.85"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "yunliuGHTest"
  location = "East US"

  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azurerm_cognitive_account" "example" {
  name                = "example-account"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = "SpeechServices"

  sku_name = "S0"

  tags = {
    Acceptance = "Test"
  }
}

resource "azurerm_search_service" "example" {
  name                = "example-search222"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "basic"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_role_assignment" "cognitiveaccount_search_reader" {
  scope                = azurerm_search_service.example.id
  role_definition_name = "Search Index Data Reader"
  principal_id         = azurerm_cognitive_account.example.identity[0].principal_id
}

Error details

╷
│ Error: Invalid index
│
│   on main.tf line 51, in resource "azurerm_role_assignment" "cognitiveaccount_search_reader":
│   51:   principal_id         = azurerm_cognitive_account.example.identity[0].principal_id
│     ├────────────────
│     │ azurerm_cognitive_account.example.identity is empty list of object
│
│ The given key does not identify an element in this collection value: the collection has no elements.
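
A plan-review check related to the two-step workaround discussed in this thread, as an added example that is not part of the issue or the provider's code: it reads a plan in the `terraform show -json` format and reports, for each azurerm_role_assignment being created, whether the principal_id is resolved at plan time (and so can be reviewed before the role is granted) or deferred until apply. The plan document, GUID and resource IDs are constructed sample data, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`:
# known values sit in change.after, unknown ones are marked true in after_unknown.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_search_service.example", "type": "azurerm_search_service",
   "change": {"actions": ["update"],
              "after": {"name": "example-search222", "identity": [{"type": "SystemAssigned"}]},
              "after_unknown": {"identity": [{"principal_id": true, "tenant_id": true}]}}},
  {"address": "azurerm_role_assignment.same_plan", "type": "azurerm_role_assignment",
   "change": {"actions": ["create"],
              "after": {"role_definition_name": "Search Index Data Reader",
                        "scope": "/subscriptions/EXAMPLE/searchServices/example-search222"},
              "after_unknown": {"id": true, "principal_id": true}}},
  {"address": "azurerm_role_assignment.second_apply", "type": "azurerm_role_assignment",
   "change": {"actions": ["create"],
              "after": {"role_definition_name": "Search Index Data Reader",
                        "principal_id": "00000000-0000-0000-0000-000000000001",
                        "scope": "/subscriptions/EXAMPLE/searchServices/example-search222"},
              "after_unknown": {"id": true}}}
]}
""")

def review_role_assignments(plan):
    """Return one finding per azurerm_role_assignment the plan creates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_role_assignment" or "create" not in change.get("actions", []):
            continue
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        deferred = unknown.get("principal_id") is True   # "(known after apply)"
        principal = None if deferred else after.get("principal_id")
        status = "deferred" if deferred else ("resolved" if principal else "missing")
        findings.append({"address": rc["address"], "scope": after.get("scope"),
                         "role": after.get("role_definition_name"),
                         "principal_id": principal, "status": status})
    return findings

def unreviewable(plan):
    """Addresses whose principal cannot be checked before the role is granted."""
    return [f["address"] for f in review_role_assignments(plan) if f["status"] != "resolved"]

if __name__ == "__main__":
    for finding in review_role_assignments(SAMPLE_PLAN):
        print(finding)
```
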
