Error: "principal_id": required field is not set - for azurerm_role_assignment #7009

Closed
robkwork opened this issue May 19, 2020 · 6 comments · Fixed by #7024

Comments

@robkwork

robkwork commented May 19, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.24

  • provider.azurerm v2.9.0

Affected Resource(s)

  • azurerm_role_assignment

Terraform Configuration Files

data "azurerm_user_assigned_identity" "aci" {
  name                = "aciconnectorlinux-${var.region}-${var.env}-${var.ver}"
  resource_group_name = "MC_${var.region}-${var.env}-${var.ver}_${var.region}-${var.env}-${var.ver}_${var.region}"
}

resource "azurerm_role_assignment" "role_assignment" {
  scope                = data.azurerm_virtual_network.vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azurerm_user_assigned_identity.aci.principal_id
}

Expected Behavior

When running terraform plan or terraform apply, I'm expecting it to parse through and assign the Network Contributor role to the newly created identity while building the AKS cluster.

Actual Behavior

When the above two resources are in the main.tf upon AKS cluster creation, it errors out with:

Error: "principal_id": required field is not set

  on ../terraform/modules/aks/main.tf line 103, in resource "azurerm_role_assignment" "role_assignment":
 103: resource "azurerm_role_assignment" "role_assignment" {

Workaround

I can comment out the bottom resource, run the apply and create the cluster, then uncomment the bottom resource, run the apply again and it will create the network contributor role to the identity.

Steps to Reproduce

  1. terraform apply with the azurerm_role_assignment block uncommented

@tombuildsstuff
Member

hi @robkwork

Thanks for opening this issue.

Taking a look through there's a couple of issues here:

  • a bug in the Data Source where an error isn't being raised when the Data Source cannot find the specified resource
  • a missing dependency in the Terraform Configuration above between the UAI Data Source and the Kubernetes Cluster resource - meaning that Terraform believes it can lookup the Data Source at the same time as creating the Kubernetes Cluster.

The first of those should be fixed via #7024 - which'll raise an error when a User Assigned Identity is not found - at which point the second error should become more apparent. To solve the second error you can use a depends_on inside the Data Source to wait for the Kubernetes Cluster to be created before looking this up, at which point that information should be available (which should fix your issue in the interim) - would you be able to take a look and see if that works for you?

Thanks!

@robkwork
Author

Thanks @tombuildsstuff - I'll use the depends_on and see how that goes.

@robkwork
Author

Thanks again @tombuildsstuff - this worked:

data "azurerm_user_assigned_identity" "aci" {
  name                = "aciconnectorlinux-${var.region}-${var.env}-${var.ver}"
  resource_group_name = "MC_${var.region}-${var.env}-${var.ver}_${var.region}-${var.env}-${var.ver}_${var.region}"
  depends_on = [
    azurerm_kubernetes_cluster.aks,
  ]
}

resource "azurerm_role_assignment" "role_assignment" {
  scope                = data.azurerm_virtual_network.vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azurerm_user_assigned_identity.aci.principal_id
}
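
Added example, not part of the original thread or the provider's code: a small static check for the ordering gap discussed above, which flags any azurerm_role_assignment whose principal_id comes from a data source that neither references nor depends_on a managed resource. The function names are hypothetical, the input is the thread's configuration embedded as a constructed string, and the regex parsing is a heuristic that only handles top-level blocks.

```python
import re

# Constructed input: the configuration from this thread; #ORDER# marks where
# the depends_on from the working version goes.
TEMPLATE = '''
data "azurerm_user_assigned_identity" "aci" {
  name                = "aciconnectorlinux-${var.region}-${var.env}-${var.ver}"
  resource_group_name = "MC_${var.region}-${var.env}-${var.ver}_${var.region}-${var.env}-${var.ver}_${var.region}"
  #ORDER#
}

resource "azurerm_role_assignment" "role_assignment" {
  scope                = data.azurerm_virtual_network.vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azurerm_user_assigned_identity.aci.principal_id
}
'''
BEFORE = TEMPLATE.replace("#ORDER#", "")
AFTER = TEMPLATE.replace("#ORDER#", "depends_on = [azurerm_kubernetes_cluster.aks]")

BLOCK = re.compile(r'^(data|resource) "([^"]+)" "([^"]+)" \{\n(.*?)^\}', re.M | re.S)
REF = re.compile(r'(?<![\w.])([a-z_][a-z0-9_]*)\.[a-z0-9_]+')
NOT_RESOURCES = {"var", "local", "data", "module", "each", "count", "path", "terraform"}


def waits_on_resource(body):
    """True if the block references (or depends_on) at least one managed resource."""
    return any(m.group(1) not in NOT_RESOURCES for m in REF.finditer(body))


def unordered_principals(hcl):
    """Return (role assignment, data source) pairs where principal_id is read from
    a data source that nothing forces to wait for a managed resource."""
    blocks = {}
    for kind, rtype, name, body in BLOCK.findall(hcl):
        addr = f"{rtype}.{name}" if kind == "resource" else f"data.{rtype}.{name}"
        blocks[addr] = (rtype, body)
    findings = []
    for addr, (rtype, body) in blocks.items():
        if rtype != "azurerm_role_assignment" or addr.startswith("data."):
            continue
        line = re.search(r'^\s*principal_id\s*=(.*)$', body, re.M)
        for src in re.findall(r'data\.\w+\.\w+', line.group(1) if line else ""):
            if src in blocks and not waits_on_resource(blocks[src][1]):
                findings.append((addr, src))
    return findings
```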

@ghost

ghost commented May 22, 2020

This has been released in version 2.11.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.11.0"
}
# ... other configuration ...

@cskinfill

Follow up on this issue, can the azurerm_kubernetes_cluster resource output the aciconnectorlinux-<cluster name> so it can be referenced like azurerm_kubernetes_cluster.my_cluster.aci_identity.principal_id ?

@ghost

ghost commented Jun 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jun 19, 2020