
v3 - Managed Identity Service Principals not immediately available for use - Request_ResourceNotFound - 404. #1563

Open
jamesw4 opened this issue Nov 6, 2024 · 2 comments


jamesw4 commented Nov 6, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.9.8
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v3.0.2
  • provider registry.terraform.io/hashicorp/azurerm v4.8.0

Affected Resource(s)

  • azuread_group_member

Terraform Configuration Files

provider "azurerm" {
  features {}
  subscription_id = "##REDACTED##"
}

resource "azurerm_resource_group" "test" {
  name     = "test"
  location = "uksouth"
}

resource "azurerm_user_assigned_identity" "test" {
  name                = "test"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
}

data "azuread_group" "test" {
  display_name = "jwtest"
}

resource "azuread_group_member" "test" {
  group_object_id  = data.azuread_group.test.object_id
  member_object_id = azurerm_user_assigned_identity.test.principal_id
}

Debug Output

https://gist.github.com/jamesw4/e163427ae58ebb24b2688a59759c255a

Panic Output

Expected Behavior

Managed identity to be created, and the underlying service principal added as a group member.

Actual Behavior

Most of the time, for the initial deploy there seems to be a delay. The managed identity gets created, but the AzureAD provider complains that the service principal does not exist to be added as a member of the group. This sounds like the same situation as mentioned in ticket #1035. Re-running the plan and apply results in it succeeding.

The gist contains logs for provider 3.0.2 failing, then the re-run of it succeeding. Also provided logs from 2.53.1 where the issue does not seem to occur; it seems to be a difference in the version of the Graph API used.

Have rolled back to 2.53.1 of the provider for now.

Steps to Reproduce

  1. Create an Entra group to be used as data source (jwtest in the example given)
  2. terraform apply

Important Factoids

References


bartoszkubiakpl commented Nov 8, 2024

I can add that we have the same issue. For the time being, setting up a time sleep resolved the problem, but we are still waiting for a proper solution. In our case the code below generated the error message:

# Terraform resource names cannot contain ".", so the original name
# "wait_30_seconds_after_module.adf" is written with an underscore here
# and the depends_on references below are updated to match.
resource "time_sleep" "wait_30_seconds_after_module_adf" {
  depends_on      = [module.adf]
  create_duration = "30s"

  triggers = {
    # Re-run the delay whenever module.adf.adf_id changes
    wait_for = module.adf.adf_id
  }
}

# add ADF MI as member to ACL writer group
resource "azuread_group_member" "adf_acl_sg_membership" {
  count            = var.create_adf == "True" ? 1 : 0
  group_object_id  = data.azuread_group.sg_acl_writer.object_id
  member_object_id = module.adf[0].adf.identity[0].principal_id
  depends_on       = [time_sleep.wait_30_seconds_after_module_adf]
}

# add ADF MI as member to cicd group
resource "azuread_group_member" "adf_cicd_sg_membership" {
  count            = var.create_adf == "True" ? 1 : 0
  group_object_id  = data.azuread_group.sg_principal.object_id
  member_object_id = module.adf[0].adf.identity[0].principal_id
  depends_on       = [time_sleep.wait_30_seconds_after_module_adf]
}


jamesw4 commented Nov 20, 2024

Thanks for the suggestion. Our main scenario is cross-module, with people consuming our modules: module A creates a bunch of stuff including a managed identity, then module B takes input from that, including the identity info, to add the identity to groups.

Initially thought I would be stuck doing the delay in the consuming projects between the modules, but managed to add a delay to the modules outputting the identity info using a time_sleep combined with a terraform_data resource.
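One way to build the delay into the identity-producing module, along the lines the comment above describes, as an added example that is not the author's module code. Resource names, the variables and the 30-second duration are assumptions.

```hcl
# Added example (not code from the issue): module A creates the identity and
# delays exposing its principal_id until the service principal has had time
# to replicate. Names and the 30s duration are assumptions; tune the duration
# to observed propagation times.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
  }
}

variable "resource_group_name" { type = string }
variable "location" { type = string }

resource "azurerm_user_assigned_identity" "this" {
  name                = "example-mi"
  resource_group_name = var.resource_group_name
  location            = var.location
}

# The timer starts only after the identity exists and re-runs whenever
# principal_id changes, so a replaced identity also waits.
resource "time_sleep" "sp_propagation" {
  depends_on      = [azurerm_user_assigned_identity.this]
  create_duration = "30s"
  triggers = {
    principal_id = azurerm_user_assigned_identity.this.principal_id
  }
}

# terraform_data carries the values through the sleep, so anything that
# consumes the module output transitively depends on the delay.
resource "terraform_data" "identity" {
  depends_on = [time_sleep.sp_propagation]
  input = {
    principal_id = azurerm_user_assigned_identity.this.principal_id
    client_id    = azurerm_user_assigned_identity.this.client_id
  }
}

# Module B (the consumer) reads this output; an azuread_group_member that
# uses it is created only after the sleep has completed.
output "principal_id" {
  value = terraform_data.identity.output.principal_id
}
```

A consumer that passes `module.<name>.principal_id` as `member_object_id` needs no `depends_on` of its own, since the dependency on the sleep comes through the output.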
