new added computed field inside nested block cannot be referred during Update

[teowa]

Terraform Version

Terraform v1.5.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.67.0

Terraform Configuration Files

first:

provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "example" {
  name     = "wt-test-apc"
  location = "West Europe"
}

resource "azurerm_app_configuration" "app_conf" {
  name                       = "appconfigwt25412"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  sku                        = "standard"
  soft_delete_retention_days = 1
}

update to

provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "example" {
  name     = "wt-test-apc"
  location = "West Europe"
}

resource "azurerm_app_configuration" "app_conf" {
  name                       = "appconfigwt25412"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  sku                        = "standard"
  soft_delete_retention_days = 1

  # Update resource to add this
  identity {
    type = "SystemAssigned"
  }
}

## Add this
resource "azurerm_role_assignment" "app_config_system_identity_log_analytics_contributor" {
  scope                = azurerm_resource_group.example.id
  role_definition_name = "Log Analytics Contributor"
  principal_id         = azurerm_app_configuration.app_conf.identity[0].principal_id
}

Debug Output

-> % terraform plan
azurerm_resource_group.example: Refreshing state... [id=/subscriptions/xxx/resourceGroups/wt-test-apc]
azurerm_app_configuration.app_conf: Refreshing state... [id=/subscriptions/xxx/resourceGroups/wt-test-apc/providers/Microsoft.AppConfiguration/configurationStores/appconfigwt2541]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  ~ update in-place

Terraform planned the following actions, but then encountered a problem:

  # azurerm_app_configuration.app_conf will be updated in-place
  ~ resource "azurerm_app_configuration" "app_conf" {
        id                         = "/subscriptions/xxx/resourceGroups/wt-test-apc/providers/Microsoft.AppConfiguration/configurationStores/appconfigwt2541"
        name                       = "appconfigwt2541"
        tags                       = {}
        # (11 unchanged attributes hidden)

      + identity {
          + type = "SystemAssigned"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Error: Missing required argument
│
│   with azurerm_role_assignment.app_config_system_identity_log_analytics_contributor,
│   on main.tf line 36, in resource "azurerm_role_assignment" "app_config_system_identity_log_analytics_contributor":
│   36:   principal_id         = azurerm_app_configuration.app_conf.identity[0].principal_id
│
│ The argument "principal_id" is required, but no definition was found.
╵

Expected Behavior

terraform plan no error.

Actual Behavior

terraform plan has error

Steps to Reproduce

1. create azurerm_app_configuration without identity
2. update the config, add a identity block for azurerm_app_configuration and a new azurerm_role_assignment refers to the azurerm_app_configuration.app_conf.identity[0].principal_id, the principal_id is a computed field returned by API.
3. run terraform plan, the error will show.

Additional Context

The identity block is quite common in azurerm. Seems during Update, a new added computed property inside a nested block cannot be referenced. But if all the resources are created from scratch, no error.

References

• https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration#principal_id
• https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment#principal_id
• Referencing the principal_id for an azurerm_app_configuration with SystemAssigned identity terraform-provider-azurerm#22703

[jbardin]

Hi @teowa,

There already seems to be an issue filed for his in the azurerm repository which covers the issue. The problem is that the provider is not marking the new attribute as computed during the plan, which tells Terraform that the value will be null, so Terraform must use that null value in the plan for the azurerm_role_assignment. \

Thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.