
azuread >3.x creates a wrong azuread_service_principal id for MS API #1570

Open
Skyb0rg opened this issue Nov 18, 2024 · 3 comments

Comments

@Skyb0rg

Skyb0rg commented Nov 18, 2024

Terraform (and AzureAD Provider) Version

Terraform v1.9.5
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v3.0.2
  • provider registry.terraform.io/hashicorp/azurerm v4.10.0
  • provider registry.terraform.io/hashicorp/tls v4.0.6

Affected Resource(s)

  • azurerm_role_assignment
  • azuread_service_principal

Terraform Configuration Files

data "azuread_application" "tf_xxx" {
  display_name = "Terraform xxx"
}

data "azuread_service_principal" "sp_tf_xxx" {
  client_id = data.azuread_application.tf_xxx.client_id
}

resource "azurerm_role_assignment" "prod_contributor_tf_xxx" {
  for_each             = var.rg_prod_set
  scope                = azurerm_resource_group.by_prod_set[each.value].id
  role_definition_name = "Contributor"
  # under azuread 3.x this id is "/servicePrincipals/<guid>", not a bare GUID
  principal_id         = data.azuread_service_principal.sp_tf_xxx.id
}

Panic Output

~ principal_id = "3efd3513-xxxx-xxxx-xxxx-ed35f98315a0" -> "/servicePrincipals/3efd3513-xxxx-xxxx-xxxx-ed35f98315a0" # forces replacement

after apply:

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400
-- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPrincipalId" 
Message="The Principal ID '/servicePrincipals/3efd3513-xxxx-xxxx-xxxx-ed35f98315a0' is not valid. Principal ID must be a GUID."

Expected Behavior

Id should be only the id without "/servicePrincipals/"

Actual Behavior

id is "/servicePrincipals/3efd3513-xxxx-xxxx-xxxx-ed35f98315a0" and forces replacements, which are not allowed by the Azure API

Steps to Reproduce

  • create resources with azuread 2.x
  • upgrade to azuread 3.x
  • terraform plan or apply
@Bouke

Bouke commented Dec 5, 2024

I ran into this as well; I've resorted to using object_id instead: data.azuread_service_principal.example.object_id

@manicminer
Contributor

This is expected behavior - object_id is the correct attribute to use here.
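The corrected form of the configuration from the issue, written as an added example (not code from the thread or from the provider): it reads object_id instead of id, and adds a plan-time precondition so that a non-GUID principal_id (such as the "/servicePrincipals/..." path shown in the plan output above) is rejected before any apply reaches the RoleAssignmentsClient. var.rg_prod_set and azurerm_resource_group.by_prod_set are assumed to exist exactly as in the issue's own configuration; the locals block and the GUID regex are hypothetical additions.

```hcl
data "azuread_application" "tf_xxx" {
  display_name = "Terraform xxx"
}

data "azuread_service_principal" "sp_tf_xxx" {
  client_id = data.azuread_application.tf_xxx.client_id
}

locals {
  # object_id is the bare GUID that Azure RBAC expects as principal_id.
  # With azuread 3.x the data source's id attribute is the Graph resource path
  # "/servicePrincipals/<guid>", which the role assignment API rejects.
  sp_principal_id = data.azuread_service_principal.sp_tf_xxx.object_id

  # Hypothetical check pattern: eight-four-four-four-twelve hex groups.
  guid_pattern = "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
}

resource "azurerm_role_assignment" "prod_contributor_tf_xxx" {
  for_each             = var.rg_prod_set
  scope                = azurerm_resource_group.by_prod_set[each.value].id
  role_definition_name = "Contributor"
  principal_id         = local.sp_principal_id

  lifecycle {
    # Fail during plan, rather than with a StatusCode=400 InvalidPrincipalId
    # during apply, if anything other than a bare GUID reaches principal_id.
    precondition {
      condition     = can(regex(local.guid_pattern, local.sp_principal_id))
      error_message = "principal_id must be a bare GUID; use object_id (not id) from azuread_service_principal."
    }
  }
}
```

Because object_id is unchanged between azuread 2.x and 3.x, switching the attribute also removes the "forces replacement" diff on existing role assignments; the precondition is only a guard so that a future attribute change of the same kind surfaces in terraform plan instead of in an apply-time API error.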

@Skyb0rg
Author

Skyb0rg commented Dec 21, 2024

> Id should be only the id without "/servicePrincipals/"

OK but why does it break the configs when upgrading to the 3.x version? Or was it already a bug before?
