terraform-provider-azuread: Error: Could not remove initial owner from service principal with object ID

An error is being thrown when we use the very simple code below gotten mainly from the official terraform/azuread documentation. We are tagging this as a bug, given that this example is so simple and uses code from official documentation.

What specific syntax must be changed in the specific terraform code given at bottom below in order to resolve the Error: Could not remove initial owner from service principal with object ID error message which is currently being thrown?

COMMAND THAT TRIGGERS ERROR:

The following command triggers the error message below it when the following command invokes the terraform at bottom below.

terraform apply -var="instanceName=tfBackend-myOrg" -var="resourceGroupName=admin" -var="resourceGroupRegion=westus" -var-file="C:\path\to\keys.tfvars"

The contents of the keys.tfvars referred to in the above command are:

subscriptionId="actual-subscription-id-redacted"
tenantId="actual-tenant-id-redacted"
clientId="actual-client-id-redacted"
clientSecret="actual-secret-redacted"

CONFIGURATION:

The provider version given in the terraform.lock.hcl file is as follows:

provider "registry.terraform.io/hashicorp/azuread" {
  version = "2.0.1"
  hashes = [ hashes redacted for brevity/security ]
}

The version of terraform is v1.0.5.

The roles assigned to the clientId used to run the terraform command above include:

  • Subscription: Owner
  • Active Directory: Global Administrator

ERROR LOG:

The complete error log is as follows:

module.ad-admin.azuread_service_principal.appRegistrationSP: Still creating... [2m0s elapsed]
2021/08/27 12:18:42 [DEBUG] module.ad-admin.azuread_service_principal.appRegistrationSP: apply errored, but we're indicating that via the Error pointer rather than returning it: Could not remove initial owner from service principal with object ID: "guid-alpha-numeric-string": ServicePrincipalsClient.BaseClient.Get(): Get "https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl": GET https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl giving up after 9 attempt(s)
2021/08/27 12:18:42 [TRACE] EvalMaybeTainted: module.ad-admin.azuread_service_principal.appRegistrationSP encountered an error during creation, so it is now marked as tainted
2021/08/27 12:18:42 [TRACE] EvalWriteState: recording 1 dependencies for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] EvalWriteState: writing current state object for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] EvalApplyProvisioners: azuread_service_principal.appRegistrationSP is tainted, so skipping provisioning
2021/08/27 12:18:42 [TRACE] EvalMaybeTainted: module.ad-admin.azuread_service_principal.appRegistrationSP was already tainted, so nothing to do
2021/08/27 12:18:42 [TRACE] EvalWriteState: recording 1 dependencies for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] EvalWriteState: writing current state object for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.azuread_service_principal.appRegistrationSP": visit complete
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "module.ad-admin.azuread_service_principal_password.appRegistrationSP_pwd" errored, so skipping
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "module.ad-admin.provider[\"registry.terraform.io/hashicorp/azuread\"] (close)" errored, so skipping
2021/08/27 12:18:42 [TRACE] ExecuteWriteOutput: Saving Create change for module.ad-admin.output.application_id in changeset
2021/08/27 12:18:42 [TRACE] EvalWriteOutput: Saving value for module.ad-admin.output.application_id in state
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.output.application_id": visit complete
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.output.application_id (expand)": dynamic subgraph completed successfully
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.output.application_id (expand)": visit complete
2021/08/27 12:18:42 [TRACE] dag/walk: visiting "output.application_id"
2021/08/27 12:18:42 [TRACE] vertex "output.application_id": starting visit (*terraform.NodeApplyableOutput)
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "module.ad-admin (close)" errored, so skipping
2021/08/27 12:18:42 [TRACE] ExecuteWriteOutput: Saving NoOp change for output.application_id in changeset
2021/08/27 12:18:42 [TRACE] EvalWriteOutput: Saving value for output.application_id in state
2021/08/27 12:18:42 [TRACE] vertex "output.application_id": visit complete
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 14
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: unlocked by closing terraform.tfstate
2021-08-27T12:18:42.831-0700 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"

Error: Could not remove initial owner from service principal with object ID: "guid-alpha-numeric-string"

  on ..\..\..\..\modules\ad-admin\active-directory.tf line 65, in resource "azuread_service_principal" "appRegistrationSP":
  65: resource "azuread_service_principal" "appRegistrationSP" 2021-08-27T12:18:42.856-0700 [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azuread/2.0.1/windows_amd64/terraform-provider-azuread_v2.0.1_x5.exe pid=3556
2021-08-27T12:18:42.856-0700 [DEBUG] plugin: plugin exited
{

ServicePrincipalsClient.BaseClient.Get(): Get
"https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl":
GET
https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl
giving up after 9 attempt(s)

NOTE: When we subsequently type az ad sp show --id guid-alpha-numeric-string in a cloud shell in the Azure Portal, the result is, as expected, a JSON summary of the service principal that was created by the below code while the above command was running. The service principal that is created by running the code in this ticket has "objectId": "guid-alpha-numeric-string". So the code seems to create the service principal but then is not able to “remove initial owner from service principal”, as stated in the error message shown above.

COMPLETE CODE TO REPRODUCE THE ERROR:

The complete code for reproducing this error is as follows:

###############################################################################################
### Input Variables 
###############################################################################################

variable "subscriptionId" { }
variable "tenantId" { }
variable "clientId" { }
variable "clientSecret" { }
variable "instanceName" { }

###############################################################################################
### Providers 
###############################################################################################

# Configure the Microsoft Azure Active Directory Provider
provider "azuread" {
  tenant_id       = var.tenantId
  client_id       = var.clientId
  client_secret   = var.clientSecret
}

################################################################################################
### Identity Resources
################################################################################################

# Create an application
resource "azuread_application" "appRegistration" {
  display_name = var.instanceName
  app_role {
    allowed_member_types  = ["User", "Application"]
    description           = "Admins can manage roles and perform all task actions"
    display_name          = "Admin"
    value                 = "administer"
    id                    = "1b19509b-32b1-4e9f-b71d-4992aa991967"
  }
}

# Create a service principal
resource "azuread_service_principal" "appRegistrationSP" {
  application_id = azuread_application.appRegistration.application_id
}

resource "azuread_service_principal_password" "appRegistrationSP_pwd" {
  service_principal_id = azuread_service_principal.appRegistrationSP.id
}
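A small triage helper for a failed apply like the one above, added here as an example and not part of the issue or the provider: it pulls the orphaned service principal's object ID, the initial owner the provider tried to remove, and the exhausted retry count out of the trace log, and reports whether Terraform has tainted the resource (so the next apply will destroy and recreate it). The log lines it parses are constructed to mirror the trace log in the issue, with placeholder IDs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample lines modelled on the trace log in the issue; IDs are placeholders.
SAMPLE_LOG = """\
module.ad-admin.azuread_service_principal.appRegistrationSP: Still creating... [2m0s elapsed]
2021/08/27 12:18:42 [DEBUG] module.ad-admin.azuread_service_principal.appRegistrationSP: apply errored, but we're indicating that via the Error pointer rather than returning it: Could not remove initial owner from service principal with object ID: "11111111-2222-3333-4444-555555555555": ServicePrincipalsClient.BaseClient.Get(): Get "https://graph.microsoft.com/beta/tenant-id/servicePrincipals/11111111-2222-3333-4444-555555555555/owners/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/$ref?%24select=id%2Curl": GET https://graph.microsoft.com/beta/tenant-id/servicePrincipals/11111111-2222-3333-4444-555555555555/owners/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/$ref?%24select=id%2Curl giving up after 9 attempt(s)
2021/08/27 12:18:42 [TRACE] EvalMaybeTainted: module.ad-admin.azuread_service_principal.appRegistrationSP encountered an error during creation, so it is now marked as tainted
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "module.ad-admin.azuread_service_principal_password.appRegistrationSP_pwd" errored, so skipping
"""


@dataclass
class OwnerRemovalFailure:
    resource: str      # Terraform resource address that failed
    sp_object_id: str  # object ID of the service principal that was created
    owner_id: str      # object ID of the initial owner the provider tried to remove
    attempts: int      # Graph retries exhausted before giving up


# Matches the provider's "Could not remove initial owner" error and the Graph $ref URL in it.
OWNER_ERR = re.compile(
    r"\[DEBUG\] (?P<resource>\S+): apply errored.*?"
    r'Could not remove initial owner from service principal with object ID: "(?P<sp>[^"]+)"'
    r".*?/servicePrincipals/(?P=sp)/owners/(?P<owner>[^/]+)/\$ref"
    r".*?giving up after (?P<attempts>\d+) attempt"
)
# Terraform core marks a resource tainted when its create step errors.
TAINTED = re.compile(r"EvalMaybeTainted: (?P<resource>\S+) encountered an error during creation, so it is now marked as tainted")


def parse_owner_failures(log: str) -> List[OwnerRemovalFailure]:
    """Return one record per 'Could not remove initial owner' error in the log."""
    found = []
    for line in log.splitlines():
        m = OWNER_ERR.search(line)
        if m:
            found.append(OwnerRemovalFailure(m["resource"], m["sp"], m["owner"], int(m["attempts"])))
    return found


def tainted_resources(log: str) -> Set[str]:
    """Resource addresses Terraform tainted during this apply."""
    return {m["resource"] for m in (TAINTED.search(line) for line in log.splitlines()) if m}


def triage(log: str) -> Dict[str, dict]:
    """Per failed resource: the SP that now exists in the tenant but is not tracked as healthy
    in state, who its initial owner is, and whether the next apply will replace it."""
    tainted = tainted_resources(log)
    return {
        f.resource: {
            "orphaned_sp_object_id": f.sp_object_id,
            "initial_owner_object_id": f.owner_id,
            "graph_attempts": f.attempts,
            "recreate_on_next_apply": f.resource in tainted,
        }
        for f in parse_owner_failures(log)
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the real trace log to get the object IDs to check with az ad sp show and az ad sp owner list before re-running apply.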

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 32 (12 by maintainers)

Most upvoted comments

I believe I have found a bug in the marshaler for service principals which seems a likely culprit for the missing initial owner bug. In the current implementation, Terraform is supposed to always set an initial owner even if one isn’t specified (rather than relying on the API to set a default owner, since it does this inconsistently in different tenants).

@jtravell I think I’m following the use case you described, but instanceName sounds colloquial to your config. For a complete picture I would need to see an example configuration as module re-use can get complex quite quickly, particularly when using different credentials at different stages. My workaround was a simple suggestion that you’d need to adapt to your topology given that additional complexity.

Nonetheless, I’m working on a fix for the original issue and hopefully this resolves the related problems mentioned in this thread.

This functionality has been released in v2.1.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

I’m getting this issue as well, following the Azure Active Directory Provider docs.

My exact code:

# Configure the Azure Active Directory Provider
provider "azuread" {
  tenant_id = "TENANTIDREDACTED"
}

# Retrieve domain information
data "azuread_domains" "example" {
  only_initial = true
}

# Create an application
resource "azuread_application" "example" {
  display_name = "ExampleApp"
}

# Create a service principal
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Create a user
resource "azuread_user" "example" {
  user_principal_name = "ExampleUser@${data.azuread_domains.example.domains.0.domain_name}"
  display_name        = "Example User"
  password            = "PASSWORDREDACTED"
}

Terraform version:

terraform --version
Terraform v1.0.4
on windows_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.0.1

Your version of Terraform is out of date! The latest version
is 1.0.5. You can update by downloading from https://www.terraform.io/downloads.html

I’ve e-mailed my trace log to your [at] * [dot] io address - couldn’t see a hashicorp address anywhere in your git commits.

@manicminer I gave your manicminer/azuread release a try and set the retry number to 99. The step was now running for 10 minutes until we hit context deadline exceeded.

I tested the creation of the service principal multiple times at different hours of the day, so I would say a “busy API” is rather unlikely.

@manicminer , @croeck

The following workaround causes the error to go away:

data "azuread_client_config" "test" {}

# Create an application
resource "azuread_application" "appRegistration" {
  display_name = var.instanceName
  app_role {
    allowed_member_types  = ["User", "Application"]
    description           = "Admins can manage roles and perform all task actions"
    display_name          = "Admin"
    value                 = "administer"
    id                    = "1b19509b-32b1-4e9f-b71d-4992aa991967"
  }
}

# Create a service principal
resource "azuread_service_principal" "appRegistrationSP" {
  application_id = azuread_application.appRegistration.application_id
  owners = [data.azuread_client_config.test.object_id]
}

I will be happy to try the test build you mentioned later when I am back at my computer again.

Thank you for the test build that we will test and also for the workaround that I am showing here as working.

Note however that retrying the apply an hour and ten minutes later just now continued to reproduce the same error in the OP. We left the apply in place for 70 minutes, meaning that the infrastructure was still in place for the entire 70 minutes, and then ran apply again and received the same exact error. I am skeptical that dialing up the retry_limit would mitigate a problem that is not resolved by waiting 70 minutes as we did just now.