Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_management_group_subscription_association throws error '"subscription_id" expected to be valid subscription ID' when referencing an azurerm_subscription resource #13422

Open
kensykora opened this issue Sep 20, 2021 · 2 comments
Open

azurerm_management_group_subscription_association throws error '"subscription_id" expected to be valid subscription ID' when referencing an azurerm_subscription resource #13422

kensykora opened this issue Sep 20, 2021 · 2 comments
Labels
bug service/subscription v/2.x (legacy) v/3.x

Comments

@kensykora
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request

Terraform (and AzureRM Provider) Version

Terraform v1.0.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.75.0

Terraform Configuration Files

resource "azurerm_subscription" "dev" {
  alias             = "dev"
  subscription_name = "Dev"
  subscription_id   = "e42c1859-1c46-4c0b-a52c-36d09f272ac2"
}

resource "azurerm_management_group_subscription_association" "dev" {
  subscription_id     = azurerm_subscription.dev.subscription_id
  management_group_id = azurerm_management_group.dev.id
}

Trying to apply the above produces the error:

│ Error: "subscription_id" expected to be valid subscription ID, got "e42c1859-1c46-4c0b-a52c-36d09f272ac2"
│ 
│   with azurerm_management_group_subscription_association.dev,
│   on subscriptions.tf line 19, in resource "azurerm_management_group_subscription_association" "dev":
│   19:   subscription_id     = azurerm_subscription.dev.subscription_id
│ 
╵

Additionally, trying to use the .id property instead of .subscription_id gives a similar error:

Error: "subscription_id" expected to be valid subscription ID, got "/providers/Microsoft.Subscription/aliases/dev"

Description / Feedback

Scenario: Subscriptions existed pre-terraform, and the subscriptions were brought into terraform using the methodology described under Adding an alias to an existing subscription

The azurerm_management_group_subscription_association resource expects the subscription_id to be in the format /subscriptions/{subscriptionid} and there isn't a direct attribute output from the azurerm_subscription resource that matches this.

This is further confused by the terraform example in the documentation, which using the data provider for azurerm_subscription which shows this same approach, just using a data.azurerm_subscription block instead of a resource azurerm_subscription block.

data "azurerm_management_group" "example" {
  name = "exampleManagementGroup"
}

data "azurerm_subscription" "example" {
  subscription_id = "12345678-1234-1234-1234-123456789012"
}

resource "azurerm_management_group_subscription_association" "example" {
  management_group_id = data.azurerm_management_group.example.id
  subscription_id     = data.azurerm_subscription.example.id
}

I would expect the data block to behave similarly to the resource block. I would also expect that the azurerm_management_group_subscription_association resource would accept subscription_id in a simple uuid format (typical convention used in many other parts of this resource provider) so it can be directly referenced by a managed subscription in terraform.

Workaround

Format the subscription_id directly like the provider expects:

resource "azurerm_subscription" "dev" {
  alias             = "dev"
  subscription_name = "Dev"
  subscription_id   = "e42c1859-1c46-4c0b-a52c-36d09f272ac2"
}

resource "azurerm_management_group_subscription_association" "dev" {
  subscription_id     = "/subscriptions/${azurerm_subscription.dev.subscription_id}"
  management_group_id = azurerm_management_group.dev.id
}
@jasmineteh
Copy link

jasmineteh commented May 29, 2023
edited
Loading

We had the same issue and the workaround for azurerm_management_group_subscription_association worked once.

resource "azurerm_management_group" "test_mg" {
  name                       = "test_mg"
  display_name               = "test_mg"
  parent_management_group_id = "<parent_management_group_id_here>"
}

resource "azurerm_subscription" "test_sub" {
  billing_scope_id  = "<ea_account_scope_id_here>"
  subscription_name = "test_sub"
}

resource "azurerm_management_group_subscription_association" "test_sub" {
  subscription_id     = "/subscriptions/${azurerm_subscription.test_sub.subscription_id}"
  management_group_id = azurerm_management_group.test_mg.id
}

However, when the pipeline failed for other resources, a different error is raised for the azurerm_management_group resource itself when the job is retried:
Error: unable to create Management Group "test_mg": managementgroups.Client#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="Circular dependency detected"

Does anyone see this behavior too?

Version used
hashicorp/azurerm: 2.78.0

@jasmineteh
Copy link

Sorry, please ignore the circular dependency error as it was due to a bug in the parent management group ID retrieval.
The workaround is working. 👍

@L1ghtman2k L1ghtman2k mentioned this issue Jul 20, 2023
Open
1 task
@rcskosir rcskosir added the v/3.x label Jul 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug service/subscription v/2.x (legacy) v/3.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kensykora @jasmineteh @catriona-m @rcskosir