I can add that we have the same issue. For the time being, setting up a time_sleep resolved the problem, but we are still waiting for a proper solution. In our case the code below generated the error message:
```hcl
# Resource names may not contain dots, so the sleep is named with underscores
resource "time_sleep" "wait_30_seconds_after_module_adf" {
  depends_on      = [module.adf]
  create_duration = "30s"
  triggers = {
    # Delay again each time module.adf.adf_id changes
    wait_for = module.adf.adf_id
  }
}

# add ADF MI as member to ACL writer group
resource "azuread_group_member" "adf_acl_sg_membership" {
  count            = var.create_adf == "True" ? 1 : 0
  group_object_id  = data.azuread_group.sg_acl_writer.object_id
  member_object_id = module.adf[0].adf.identity[0].principal_id
  depends_on       = [time_sleep.wait_30_seconds_after_module_adf]
}

# add ADF MI as member to cicd group
resource "azuread_group_member" "adf_cicd_sg_membership" {
  count            = var.create_adf == "True" ? 1 : 0
  group_object_id  = data.azuread_group.sg_principal.object_id
  member_object_id = module.adf[0].adf.identity[0].principal_id
  depends_on       = [time_sleep.wait_30_seconds_after_module_adf]
}
```
Thanks for the suggestion. Our main scenario is cross-module, with people consuming our modules, where module A creates a bunch of stuff including a managed identity, and module B then takes input from that, including the identity info, to add the identity to groups.
Initially I thought I would be stuck doing the delay in the consuming projects between the modules, but I managed to add a delay to the modules outputting the identity info, using a time_sleep combined with a terraform_data resource.
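The pattern the reporter describes (delaying the identity output inside the producing module so every consumer waits for Entra ID replication) could be wired up like this. This is an added example, not the reporter's configuration; the identity name, `var.location`, `var.resource_group_name`, `data.azuread_group.example` and the module address `module.a` are assumed, and `terraform_data` requires Terraform 1.4 or newer.

```hcl
# ---- Module A: creates the identity and only exposes it after a delay ----
resource "azurerm_user_assigned_identity" "example" {
  name                = "uai-example" # assumed name
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Give the new service principal time to replicate across Entra ID before
# anything downstream tries to reference it. Re-sleep if the identity is replaced.
resource "time_sleep" "wait_for_sp" {
  depends_on      = [azurerm_user_assigned_identity.example]
  create_duration = "30s"
  triggers = {
    principal_id = azurerm_user_assigned_identity.example.principal_id
  }
}

# Pass-through resource: its output is only known once the sleep has completed,
# so any consumer of the module output inherits the delay transitively.
resource "terraform_data" "identity" {
  depends_on = [time_sleep.wait_for_sp]
  input      = azurerm_user_assigned_identity.example.principal_id
}

output "principal_id" {
  value = terraform_data.identity.output
}

# ---- Consumer (root module or module B): no explicit delay needed ----
resource "azuread_group_member" "example" {
  group_object_id  = data.azuread_group.example.object_id
  member_object_id = module.a.principal_id # resolves only after module A's sleep
}
```

Because the consumer references `terraform_data.identity.output` rather than the identity's own `principal_id`, the group membership is planned as unknown until apply and is created only after the delay, without each consuming project having to add its own `time_sleep`.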
Community Note
Terraform (and AzureAD Provider) Version
Terraform v1.9.8
on windows_amd64
Affected Resource(s)
azuread_group_member
Terraform Configuration Files
Debug Output
https://gist.github.com/jamesw4/e163427ae58ebb24b2688a59759c255a
Panic Output
Expected Behavior
Managed identity to be created, and the underlying service principal added as a group member.
Actual Behavior
Most of the time, for the initial deploy there seems to be a delay. The managed identity gets created, but the AzureAD provider complains that the service principal does not exist to be added as a member to the group. This sounds like the same situation as mentioned in ticket #1035. Re-running the plan and apply results in it succeeding.
The gist contains logs for provider 3.0.2 failing, then the re-run of it succeeding. Also provided are logs from 2.53.1 where the issue does not seem to occur; it seems to be a difference in the version of the Graph API used.
Have rolled back to 2.53.1 of the provider for now.
Steps to Reproduce
Create an Entra group to be used as data source (jwtest in the example given)
terraform apply
Important Factoids
References