terraform-provider-azuread: intermittent failure to create service principal

Terraform (and AzureAD Provider) Version

terraform 1.0.2, azuread 2.0.1

Affected Resource(s)

  • azuread_service_principal

Terraform Configuration Files

Part of a larger configuration that I mostly can’t share, but I am configuring service principals like this:

resource "azuread_service_principal" "timer" {
  count                        = var.aad_timer_name == "" ? 0 : 1
  application_id               = azuread_application.timer[0].application_id
  app_role_assignment_required = true
  owners                       = [data.azuread_client_config.current.object_id]
}

Will do my best to provide more details if needed.

Expected Behavior

We have a large configuration that creates several azuread_application and azuread_service_principal, all following the same pattern.

Expect all configuration to succeed.

Actual Behavior

Intermittently, some of the service principals fail to create:

│ Error: Could not create service principal
│ 
│   with module.aad.azuread_service_principal.timer[0],
│   on aad/main.tf line 599, in resource "azuread_service_principal" "timer":
│  599: resource "azuread_service_principal" "timer" {
│ 
│ ServicePrincipalsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: When using this permission, the backing
│ application of the service principal being created must in the local tenant
╵

Can this really be an Azure permissions error?

  • The app that we are using to run terraform has the Application.ReadWrite.OwnedBy permission in the Graph API.
  • Some service principals are successfully created in the very same terraform apply where others fail
  • The entire configuration is sometimes successfully applied

Steps to Reproduce

  1. terraform apply

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 24 (10 by maintainers)

Most upvoted comments

After speaking with several parties seemingly affected by this issue, for each case it was resolved by double checking the Terraform configuration in question and ensuring that the owners field is specified for both the linked application and the service principal itself. We’ll seek to document this to help future practitioners avoid falling afoul here.

To clarify, owners must be set for both the application and the service principal, e.g.

data "azuread_client_config" "current" {}

resource "azuread_application" "myapp" {
  display_name = "myapp"
  owners = [
    data.azuread_client_config.current.object_id,
    # ... plus any other desired owners
  ]
}

resource "azuread_service_principal" "myapp" {
  application_id = azuread_application.myapp.application_id
  owners = [
    data.azuread_client_config.current.object_id,
    # ... plus any other desired owners
  ]
}

As such I’m going to close this issue as resolved. Terraform appears to be doing the right thing given the correct configuration. If anyone is still experiencing this after double checking their configuration, please feel free to post a further comment with your exact configuration and debug logs, and I will be happy to help investigate.

Thanks!
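Because the failure only shows up intermittently at apply time, it is worth gating on it before apply. The script below is an added example, not part of terraform-provider-azuread and not from the maintainer's reply: it reads the JSON form of a plan (`terraform show -json tfplan`) and reports every azuread_application and azuread_service_principal whose planned `owners` is empty, or that does not list the object id of the identity running Terraform. The object ids, the module layout and the file name `check_owners.py` are constructed for the example; the plan document is built inline in the `terraform show -json` shape so it runs offline.

```python
"""Pre-apply lint for the owners problem discussed in this issue.

Reads the JSON form of a Terraform plan (`terraform show -json tfplan`) and
reports every azuread_application and azuread_service_principal whose
`owners` is unset or empty, optionally also requiring that a given object id
(the identity running Terraform) is among the owners.

Added example: this is not part of terraform-provider-azuread. The plan
below is constructed by hand in the `terraform show -json` shape.
"""
import json
import sys
from typing import Iterator, List, Optional

WATCHED_TYPES = {"azuread_application", "azuread_service_principal"}

# Constructed object ids (assumptions, not real tenants).
DEPLOYER = "11111111-1111-1111-1111-111111111111"   # identity running terraform
OTHER_OWNER = "22222222-2222-2222-2222-222222222222"

# Constructed plan, trimmed to the fields the check reads. It mirrors the
# issue's layout: resources live in module.aad, the "timer" application is
# owned but its service principal has no owners, and the "worker" service
# principal is owned, though not by the deploying identity.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "data.azuread_client_config.current", "mode": "data",
                 "type": "azuread_client_config", "name": "current",
                 "values": {"object_id": DEPLOYER}},
            ],
            "child_modules": [{
                "address": "module.aad",
                "resources": [
                    {"address": "module.aad.azuread_application.timer[0]", "mode": "managed",
                     "type": "azuread_application", "name": "timer",
                     "values": {"display_name": "timer", "owners": [DEPLOYER]}},
                    {"address": "module.aad.azuread_service_principal.timer[0]", "mode": "managed",
                     "type": "azuread_service_principal", "name": "timer",
                     "values": {"app_role_assignment_required": True, "owners": []}},
                    {"address": "module.aad.azuread_application.worker[0]", "mode": "managed",
                     "type": "azuread_application", "name": "worker",
                     "values": {"display_name": "worker", "owners": [DEPLOYER, OTHER_OWNER]}},
                    {"address": "module.aad.azuread_service_principal.worker[0]", "mode": "managed",
                     "type": "azuread_service_principal", "name": "worker",
                     "values": {"app_role_assignment_required": True, "owners": [OTHER_OWNER]}},
                ],
            }],
        },
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a planned_values module tree, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_unowned(plan_json: str, required_owner: Optional[str] = None) -> List[str]:
    """Return addresses of managed azuread_application / azuread_service_principal
    resources whose planned `owners` is empty (or lacks `required_owner`).

    A value that is unknown until apply is absent from planned_values, so a
    resource whose owners are still computed is also reported; that is the
    conservative outcome for a pre-apply gate.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    flagged = []
    for res in iter_resources(root):
        if res.get("mode") != "managed" or res.get("type") not in WATCHED_TYPES:
            continue
        owners = res.get("values", {}).get("owners") or []
        if not owners or (required_owner is not None and required_owner not in owners):
            flagged.append(res["address"])
    return sorted(flagged)


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json
    #        python check_owners.py plan.json <object-id-of-deploying-identity>
    plan_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    deployer = sys.argv[2] if len(sys.argv) > 2 else DEPLOYER
    for address in find_unowned(plan_text, deployer):
        print(f"owners missing or lacking {deployer}: {address}")
```

Run against the constructed plan, the check names `module.aad.azuread_service_principal.timer[0]` (no owners at all) and, once the deploying identity is required, also `module.aad.azuread_service_principal.worker[0]`; the data source is skipped because only managed resources are inspected. Pass the object id that `data.azuread_client_config.current.object_id` resolves to for the identity that actually runs the apply, since that is the identity Application.ReadWrite.OwnedBy is scoped to.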

I just re-tested with version 1.0 and beta and am now getting a 200 response with both 😕

There definitely seem to be some consistency issues here.

Alas, I don’t have the power to do that in my organisation