
azurerm_role_assignment: lost 30 minutes just to see 400 error #11417

Open
morsik opened this issue Apr 21, 2021 · 2 comments

morsik commented Apr 21, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/azurerm v2.46.0
+ provider registry.terraform.io/hashicorp/helm v2.0.3

Affected Resource(s)

  • azurerm_role_assignment

Terraform Configuration Files

I'm just following the official Microsoft documentation to create an Application Gateway, and there are 2 resources that need a Principal ID (step 6). I just used the wrong Principal ID, and I expect to see an error about that immediately, not after losing 30 minutes of my time and my company's.

```hcl
resource "azurerm_role_assignment" "ra1" {
  scope                = data.azurerm_subnet.kubesubnet.id
  role_definition_name = "Network Contributor"
  principal_id         = var.aks_service_principal_object_id

  depends_on = [azurerm_virtual_network.test]
}

resource "azurerm_role_assignment" "ra2" {
  scope                = azurerm_user_assigned_identity.testIdentity.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = var.aks_service_principal_object_id
  depends_on           = [azurerm_user_assigned_identity.testIdentity]
}
```

Debug Output

Expected Behaviour

The 400 API error should be shown immediately.

Actual Behaviour

```text
azurerm_role_assignment.ra1: Still creating... [30m0s elapsed]

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalNotFound" Message="Principal XXXX does not exist in the directory YYYY."
```

Steps to Reproduce

  1. Try to create role assignment which can't be created because of missing Principal.
  2. Waste half hour of your time just to finally see 400 error from Azure API.
@jmyers82

This is not a fix but a possible work around.
skip_service_principal_aad_check - (Optional) If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.
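The documented argument quoted above, applied to the reporter's configuration, as an added example (not code from the issue or from the provider's own docs). It assumes the same `var.aks_service_principal_object_id`, subnet data source and user-assigned identity as the reporter's snippet; the `timeouts` block is an assumption that `azurerm_role_assignment` accepts one, used here so that a failing create surfaces well before the 30-minute mark seen in the report.

```hcl
# Added example: the two role assignments from the issue with the
# skip_service_principal_aad_check workaround quoted by jmyers82.
# Assumes the same variables and resources as the reporter's config.

resource "azurerm_role_assignment" "ra1" {
  scope                = data.azurerm_subnet.kubesubnet.id
  role_definition_name = "Network Contributor"
  principal_id         = var.aks_service_principal_object_id

  # Only valid when principal_id is a Service Principal. Skips the
  # Azure AD existence check that can fail on replication lag for a
  # newly created SP; it does NOT validate that the ID is correct.
  skip_service_principal_aad_check = true

  # Assumption: a shorter create timeout so a persistent API error is
  # reported quickly instead of after the default wait.
  timeouts {
    create = "5m"
  }

  depends_on = [azurerm_virtual_network.test]
}

resource "azurerm_role_assignment" "ra2" {
  scope                = azurerm_user_assigned_identity.testIdentity.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = var.aks_service_principal_object_id

  skip_service_principal_aad_check = true

  timeouts {
    create = "5m"
  }

  depends_on = [azurerm_user_assigned_identity.testIdentity]
}
```

One caveat on the workaround: in the reporter's case the principal genuinely did not exist (the error is `PrincipalNotFound`, caused by a wrong ID), so the AAD check was doing its job. Skipping it helps when a freshly created Service Principal has not replicated yet; for a mistyped `principal_id` the useful change is a shorter create timeout so the 400 is seen sooner, and verifying the object ID against the directory before applying.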

@karl18

karl18 commented Nov 21, 2023

Hi, I'm facing the same error. I didn't try to set `skip_service_principal_aad_check` (Optional),

but what could be a proper solution here?
