
azurerm_service_principal_password sometimes fails to assign to a Service Principal #2084

Closed
robinkb opened this issue Oct 15, 2018 · 7 comments

Comments

@robinkb

robinkb commented Oct 15, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8

  • provider.azurerm v1.16.0
  • provider.random v2.0.0

Affected Resource(s)

  • azurerm_azuread_service_principal
  • azurerm_service_principal_password

Terraform Configuration Files

variable "service_principal_name" {
  type    = "string"
  default = "terraform-debug"
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Create a service principal for AKS
resource "azurerm_azuread_application" "kubernetes" {
  name = "${var.service_principal_name}"
}

resource "azurerm_azuread_service_principal" "kubernetes" {
  application_id = "${azurerm_azuread_application.kubernetes.application_id}"
}

# The generated value is written in plain text to the Terraform state, so the
# state file has to be protected like any other secret.
resource "random_string" "service_principal_password" {
  length = 40

  # Generate a new password when the Service Principal is changed
  keepers {
    service_principal = "${azurerm_azuread_service_principal.kubernetes.id}"
  }

  min_upper   = 1
  min_lower   = 1
  min_numeric = 1
  min_special = 1
}

resource "azurerm_azuread_service_principal_password" "kubernetes" {
  service_principal_id = "${azurerm_azuread_service_principal.kubernetes.id}"
  value                = "${random_string.service_principal_password.result}"
  # Effectively never expires; a production secret should get a much shorter end_date
  end_date             = "2099-01-01T00:00:00Z"
}

# Contributor on a single resource group. The service principal's id attribute is its
# object ID, which is what principal_id expects (not the application_id).
resource "azurerm_role_assignment" "kubernetes" {
  scope                = "${data.azurerm_subscription.current.id}/resourceGroups/DefaultResourceGroup-WEU"
  role_definition_name = "Contributor"
  principal_id         = "${azurerm_azuread_service_principal.kubernetes.id}"
}

output "tenant_id" {
  value = "${data.azurerm_client_config.current.tenant_id}"
}

output "username" {
  value = "${azurerm_azuread_application.kubernetes.application_id}"
}

output "password" {
  # sensitive hides the value from the apply summary and from a bare `terraform output`;
  # it is still stored in state and still printed by `terraform output password`.
  value     = "${random_string.service_principal_password.result}"
  sensitive = true
}

Debug Output

Response from the Azure API upon attempting to login:

Get Token request returned http error: 401 and server response:

{
	"error": "invalid_client",
	"error_description": "AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 6d319e23-60c0-46e0-8db9-617ad69a3600\r\nCorrelation ID: ea38ea69-8963-4b01-bd3b-aeffc3d88f3a\r\nTimestamp: 2018-10-16 10:37:23Z",
	"error_codes": [70002, 50012],
	"timestamp": "2018-10-16 10:37:23Z",
	"trace_id": "6d319e23-60c0-46e0-8db9-617ad69a3600",
	"correlation_id": "ea38ea69-8963-4b01-bd3b-aeffc3d88f3a"
}

Expected Behavior

I can authenticate with the service principal credentials.

Actual Behavior

I cannot authenticate with the service principal credentials.

Steps to Reproduce

  1. terraform apply
  2. az login --service-principal --tenant "$(terraform output tenant_id)" --username "$(terraform output username)" --password "$(terraform output password)"

Important Factoids

The first time I encountered this problem, the issue persisted. I cannot reproduce the issue reliably. One time, I encountered the same problem while logging in, but the problem resolved itself by the time I tried to log in a second time.

References

N/A
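The check a practitioner would run right after step 1, as an added example that is not part of the original issue or of the provider: it signs in with the three outputs above, retries only on the AADSTS codes shown in the debug output (treating 70002/50012 as possibly transient for a secret created seconds earlier is an assumption, based on the "resolved itself on the second login" observation), and, if the secret is still rejected, asks Azure AD whether any password credential is attached at all, which the CLI reports without ever printing the secret value. The `VERIFY_SP` guard, the function names and the constructed error bodies are this example's own; it assumes an az CLI 2.x that provides `az ad sp credential list`.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): after `terraform apply`, confirm the new
# service principal secret actually works, and separate "not usable yet" from
# "misconfigured". Assumes az CLI 2.x with `az ad sp credential list`.
set -u

# Codes from the 401 body in this issue. ASSUMPTION: for a credential created
# moments ago we treat these as possibly transient and retry with backoff;
# any other code is reported immediately.
RETRYABLE_CODES="70002 50012"

# Print the numeric codes from an AAD token error body, e.g.
# {"error_codes": [70002, 50012], ...}  ->  "70002 50012"
aad_error_codes() {
    printf '%s\n' "$1" \
        | sed -n 's/.*"error_codes": *\[\([0-9, ]*\)].*/\1/p' \
        | tr -d ' ' | tr ',' ' '
}

# Exit 0 only if the body carries at least one code and every code is in
# RETRYABLE_CODES; anything else (other codes, no JSON) is not retried.
aad_error_is_retryable() {
    local codes code r found
    codes=$(aad_error_codes "$1")
    [ -n "$codes" ] || return 1
    for code in $codes; do
        found=0
        for r in $RETRYABLE_CODES; do
            [ "$code" = "$r" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# Count password credentials attached to the SP without printing any secret
# (the API returns keyId/startDate/endDate only). Exit 0 if at least one exists.
sp_has_password_credential() {
    local n
    n=$(az ad sp credential list --id "$1" --query 'length(@)' -o tsv 2>/dev/null) || return 1
    [ "${n:-0}" -ge 1 ]
}

# Sign in as the SP, retrying only on the codes above. The secret is always
# double-quoted: an unquoted $(terraform output password) is subject to glob
# expansion when the value contains '*', '?' or '['.
verify_sp_login() {
    local tenant=$1 app_id=$2 secret=$3 attempts=${4:-6}
    local delay=5 i err
    for i in $(seq 1 "$attempts"); do
        if err=$(az login --service-principal --tenant "$tenant" \
                    --username "$app_id" --password "$secret" 2>&1 >/dev/null); then
            echo "login succeeded on attempt $i"
            return 0
        fi
        if aad_error_is_retryable "$err"; then
            echo "attempt $i: client secret rejected, retrying in ${delay}s" >&2
            sleep "$delay"
            delay=$((delay * 2))
        else
            echo "attempt $i: non-retryable error:" >&2
            echo "$err" >&2
            return 1
        fi
    done
    echo "secret still rejected after $attempts attempts" >&2
    if sp_has_password_credential "$app_id"; then
        echo "a password credential is attached; the value in state may not match it" >&2
    else
        echo "no password credential is attached to $app_id" >&2
    fi
    return 1
}

# Usage: VERIFY_SP=1 ./verify_sp.sh (reads the outputs of the configuration above)
if [ "${VERIFY_SP:-0}" = 1 ]; then
    verify_sp_login "$(terraform output tenant_id)" \
                    "$(terraform output username)" \
                    "$(terraform output password)"
fi
```

The retry budget is deliberately bounded (six attempts, 5 s doubling to 160 s): if the secret is still rejected after that, the credential-list check tells you whether you are looking at propagation lag, a state/value mismatch, or the "no password assigned at all" symptom reported later in this thread.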

@robinkb robinkb changed the title azurerm_service_principal_password allows illegal characters, or mishandles them? azurerm_service_principal_password sometimes fails to assign to a Service Principal Oct 16, 2018
@robinkb
Author

robinkb commented Oct 16, 2018

I did some more testing, and it looks like this issue is with Azure, not with Terraform. I will update my main post with my findings for documentation purposes.

@robinkb
Author

robinkb commented Oct 16, 2018

Post updated. It looks like Azure may have had some issues somewhere in the backend?

@tombuildsstuff
Contributor

hey @robinkb

Just to confirm - are you saying this was a transitory issue in Azure and is no longer an issue?

Thanks!

@tombuildsstuff
Contributor

hi @robinkb

Since we've not heard back here, I'm going to close this issue for the moment; however, if this is still an issue for you, please let us know and we'll re-open this/take another look.

Thanks!

@marty2bell

I have this very issue. When I create the service principal and password, I can see the principal in the Azure Portal, but there is no password assigned.

This so far doesn't seem transient in that I've never managed to get a password assigned via terraform.

@ghost ghost removed the waiting-response label Nov 23, 2018
@marty2bell

As an aside, there might also be a small bug where the "reply_urls.0" property within tfstate is not being set correctly. It's being set to the identifier_uris property even though it is set correctly within Azure.

@ghost

ghost commented Mar 5, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 5, 2019