terraform-provider-azuread: Error: Could not remove initial owner from service principal with object ID
An error is being thrown when we use the very simple code below gotten mainly from the official terraform/azuread documentation. We are tagging this as a bug, given that this example is so simple and uses code from official documentation.
What specific syntax must be changed in the specific terraform code given at bottom below in order to resolve the "Error: Could not remove initial owner from service principal with object ID" error message which is currently being thrown?
COMMAND THAT TRIGGERS ERROR:
The following command triggers the error message below it when the following command invokes the terraform at bottom below.
terraform apply -var="instanceName=tfBackend-myOrg" -var="resourceGroupName=admin" -var="resourceGroupRegion=westus" -var-file="C:\path\to\keys.tfvars"
The contents of the keys.tfvars referred to in the above command are:
subscriptionId="actual-subscription-id-redacted"
tenantId="actual-tenant-id-redacted"
clientId="actual-client-id-redacted"
clientSecret="actual-secret-redacted"
CONFIGURATION:
The provider version given in the terraform.lock.hcl file is as follows:
provider "registry.terraform.io/hashicorp/azuread" {
version = "2.0.1"
hashes = [ hashes redacted for brevity/security ]
}
The version of terraform is v1.0.5.
The roles assigned to the clientId used to run the terraform command above include:
- Subscription: Owner
- Active Directory: Global Administrator
ERROR LOG:
The complete error log is as follows:
module.ad-admin.azuread_service_principal.appRegistrationSP: Still creating... [2m0s elapsed]
2021/08/27 12:18:42 [DEBUG] module.ad-admin.azuread_service_principal.appRegistrationSP: apply errored, but we're indicating that via the Error pointer rather than returning it: Could not remove initial owner from service principal with object ID: "guid-alpha-numeric-string": ServicePrincipalsClient.BaseClient.Get(): Get "https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl": GET https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl giving up after 9 attempt(s)
2021/08/27 12:18:42 [TRACE] EvalMaybeTainted: module.ad-admin.azuread_service_principal.appRegistrationSP encountered an error during creation, so it is now marked as tainted
2021/08/27 12:18:42 [TRACE] EvalWriteState: recording 1 dependencies for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] EvalWriteState: writing current state object for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] EvalApplyProvisioners: azuread_service_principal.appRegistrationSP is tainted, so skipping provisioning
2021/08/27 12:18:42 [TRACE] EvalMaybeTainted: module.ad-admin.azuread_service_principal.appRegistrationSP was already tainted, so nothing to do
2021/08/27 12:18:42 [TRACE] EvalWriteState: recording 1 dependencies for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] EvalWriteState: writing current state object for module.ad-admin.azuread_service_principal.appRegistrationSP
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.azuread_service_principal.appRegistrationSP": visit complete
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "module.ad-admin.azuread_service_principal_password.appRegistrationSP_pwd" errored, so skipping
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "module.ad-admin.provider[\"registry.terraform.io/hashicorp/azuread\"] (close)" errored, so skipping
2021/08/27 12:18:42 [TRACE] ExecuteWriteOutput: Saving Create change for module.ad-admin.output.application_id in changeset
2021/08/27 12:18:42 [TRACE] EvalWriteOutput: Saving value for module.ad-admin.output.application_id in state
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.output.application_id": visit complete
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.output.application_id (expand)": dynamic subgraph completed successfully
2021/08/27 12:18:42 [TRACE] vertex "module.ad-admin.output.application_id (expand)": visit complete
2021/08/27 12:18:42 [TRACE] dag/walk: visiting "output.application_id"
2021/08/27 12:18:42 [TRACE] vertex "output.application_id": starting visit (*terraform.NodeApplyableOutput)
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "module.ad-admin (close)" errored, so skipping
2021/08/27 12:18:42 [TRACE] ExecuteWriteOutput: Saving NoOp change for output.application_id in changeset
2021/08/27 12:18:42 [TRACE] EvalWriteOutput: Saving value for output.application_id in state
2021/08/27 12:18:42 [TRACE] vertex "output.application_id": visit complete
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2021/08/27 12:18:42 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 14
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2021/08/27 12:18:42 [TRACE] statemgr.Filesystem: unlocked by closing terraform.tfstate
2021-08-27T12:18:42.831-0700 [WARN] plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
Error: Could not remove initial owner from service principal with object ID: "guid-alpha-numeric-string"
on ..\..\..\..\modules\ad-admin\active-directory.tf line 65, in resource "azuread_service_principal" "appRegistrationSP":
65: resource "azuread_service_principal" "appRegistrationSP" {
ServicePrincipalsClient.BaseClient.Get(): Get "https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl": GET https://graph.microsoft.com/beta/tenant-id-alpha-numeric-string/servicePrincipals/guid-alpha-numeric-string/owners/guid-alpha-numeric-string/$ref?%24select=id%2Curl giving up after 9 attempt(s)
2021-08-27T12:18:42.856-0700 [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azuread/2.0.1/windows_amd64/terraform-provider-azuread_v2.0.1_x5.exe pid=3556
2021-08-27T12:18:42.856-0700 [DEBUG] plugin: plugin exited
NOTE: When we subsequently type az ad sp show --id guid-alpha-numeric-string in a cloud shell in the Azure Portal, the result is, as expected, a JSON summary of the service principal that was created by the below code while the above command was running. The service principal that is created by running the code in this ticket has "objectId": "guid-alpha-numeric-string". So the code seems to create the service principal but then is not able to "remove initial owner from service principal", as stated in the error message shown above.
COMPLETE CODE TO REPRODUCE THE ERROR:
The complete code for reproducing this error is as follows:
###############################################################################################
### Input Variables
###############################################################################################
variable "subscriptionId" {}
variable "tenantId" {}
variable "clientId" {}
variable "clientSecret" {}
variable "instanceName" {}

###############################################################################################
### Providers
###############################################################################################
# Configure the Microsoft Azure Active Directory Provider
provider "azuread" {
  tenant_id     = var.tenantId
  client_id     = var.clientId
  client_secret = var.clientSecret
}

################################################################################################
### Identity Resources
################################################################################################
# Create an application
resource "azuread_application" "appRegistration" {
  display_name = var.instanceName

  app_role {
    allowed_member_types = ["User", "Application"]
    description          = "Admins can manage roles and perform all task actions"
    display_name         = "Admin"
    value                = "administer"
    id                   = "1b19509b-32b1-4e9f-b71d-4992aa991967"
  }
}

# Create a service principal
resource "azuread_service_principal" "appRegistrationSP" {
  application_id = azuread_application.appRegistration.application_id
}

resource "azuread_service_principal_password" "appRegistrationSP_pwd" {
  service_principal_id = azuread_service_principal.appRegistrationSP.id
}
About this issue
- State: closed
- Created 3 years ago
- Reactions: 2
- Comments: 32 (12 by maintainers)
I believe I have found a bug in the marshaler for service principals which seems a likely culprit for the missing initial owner bug. In the current implementation, Terraform is supposed to always set an initial owner even if one isn’t specified (rather than relying on the API to set a default owner, since it does this inconsistently in different tenants).
@jtravell I think I’m following the use case you described, but instanceName sounds colloquial to your config. For a complete picture I would need to see an example configuration as module re-use can get complex quite quickly, particularly when using different credentials at different stages. My workaround was a simple suggestion that you’d need to adapt to your topology given that additional complexity. Nonetheless, I’m working on a fix for the original issue and hopefully this resolves the related problems mentioned in this thread.
This functionality has been released in v2.1.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I’m getting this issue as well, following the Azure Active Directory Provider docs.
My exact code:
Terraform version:
I’ve e-mailed my trace log to your [at] * [dot] io address - couldn’t see a hashicorp address anywhere in your git commits.
@manicminer I gave your manicminer/azuread release a try and set the retry number to 99. The step was now running for 10 minutes until we hit "context deadline exceeded". I tested the creation of the service principal multiple times at different hours of the day, so I would say a "busy API" is rather unlikely.
@manicminer , @croeck
The following workaround causes the error to go away:
I will be happy to try the test build you mentioned later when I am back at my computer again.
Thank you for the test build that we will test and also for the workaround that I am showing here as working.
Note however that retrying the apply an hour and ten minutes later just now continued to reproduce the same error in the OP. We left the apply in place for 70 minutes, meaning that the infrastructure was still in place for the entire 70 minutes, and then ran apply again and received the same exact error. I am skeptical that dialing up the retry_limit would mitigate a problem that is not resolved by waiting 70 minutes as we did just now.
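The two outcomes reported above (giving up after 9 attempts, and "context deadline exceeded" once the retry count was raised to 99) follow from the same loop shape: polling an owner reference that never becomes readable. The Go model below is an added illustration, not the provider's code or anything posted in the thread; the in-memory fakeGraph, the replication-lag assumption and the object IDs are constructed. It also shows the operational consequence when the removal fails: the deploying identity is left as an owner of the newly created service principal.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// fakeGraph is a constructed in-memory stand-in for the directory (not the real
// Graph client). It holds one service principal's owner set and answers "not
// visible" for hideReads reads after an owner is added, to model replication lag
// (an assumption used for the model, not a confirmed cause of the issue).
type fakeGraph struct {
	owners    map[string]bool // owner object IDs of the service principal
	hideReads int             // reads that still report the owner as missing
}

func (g *fakeGraph) ownerVisible(ownerID string) bool {
	if g.hideReads > 0 {
		g.hideReads--
		return false
	}
	return g.owners[ownerID]
}

// removeInitialOwner polls the owner reference until it is readable, then removes
// it. It stops after maxAttempts ("giving up after N attempt(s)") or when ctx
// expires ("context deadline exceeded"), the two failures seen in the thread.
func removeInitialOwner(ctx context.Context, g *fakeGraph, ownerID string, maxAttempts int, backoff time.Duration) (int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if g.ownerVisible(ownerID) {
			delete(g.owners, ownerID)
			return attempt, nil
		}
		select {
		case <-ctx.Done():
			return attempt, ctx.Err()
		case <-time.After(backoff):
		}
	}
	return maxAttempts, fmt.Errorf("giving up after %d attempt(s)", maxAttempts)
}

func main() {
	// Deploying identity seeded as initial owner; hidden for 20 reads, more than 9 retries cover.
	g := &fakeGraph{owners: map[string]bool{"deployer-object-id": true}, hideReads: 20}
	_, err := removeInitialOwner(context.Background(), g, "deployer-object-id", 9, time.Millisecond)
	fmt.Println(err, "| deployer still an owner:", g.owners["deployer-object-id"])
}
```

After a failed apply of this kind, listing the owners of the tainted service principal and confirming whether the deploying identity is still among them is the check worth running before re-applying.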