hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

kubernetes_cluster: special characters in `client_secret` are rejected by API #13069

Open Tazminia opened 2 years ago

Tazminia commented 2 years ago

Terraform (and AzureAD Provider) Version

Terraform: 1.0.2 azuread: 1.6.0

Affected Resource(s)

Terraform Configuration Files

# Service principal
resource "azuread_service_principal" "client_sp" {
  application_id = azuread_application.client_app.application_id
}

# Service principal password
resource "azuread_service_principal_password" "client_pwd" {
  display_name         = var.cluster_name
  service_principal_id = azuread_service_principal.client_sp.id
  end_date_relative    = "87600h"
}

# Create AKS cluster
resource "azurerm_kubernetes_cluster" "cluster" {
  name                            = var.cluster_name
  location                        = azurerm_resource_group.cluster_rg.location
  resource_group_name             = azurerm_resource_group.cluster_rg.name
  #...
  service_principal {
    client_id     = azuread_application.client_app.application_id
    client_secret = azuread_service_principal_password.client_pwd.value
  }
  #...
}

Debug Output

module.cluster.azurerm_kubernetes_cluster.cluster: Creating...

Error: creating Managed Kubernetes Cluster "aks_cluster" (Resource Group "aks_resource_group"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="BadRequest" Message="Service principal client secret has invalid characters: ` '" Target="servicePrincipalProfile.secret"

Expected Behavior

Password of service principal should contain no breaking characters and Kubernetes cluster creation should proceed.

Actual Behavior

Cluster creation fails because of a strange character in the service principal password.

Steps to Reproduce

It is hard to reproduce because there is no way to specify the characters to be used for the password.

manicminer commented 2 years ago

Hi @Tazminia, thanks for reporting this issue.

Are you using the Microsoft Graph beta? If not, you should be able to specify the password value as it is generated by the provider. If you are using the beta, the password value is generated by the API and there is unfortunately nothing we can do about the unsupported characters.

Tazminia commented 2 years ago

Hello @manicminer, I am not sure about the Microsoft Graph beta. To be honest, I do not know what it is.

For now, to avoid the issue I am using the following code snippet:

resource "random_string" "client_rnd" {
  keepers = {
    client_app_name = var.client_app_name
  }
  length  = 32
  special = true
}

# Associate the password to the Client App
resource "azuread_service_principal_password" "client_pwd" {
  display_name         = var.cluster_name
  service_principal_id = azuread_service_principal.client_sp.id
  end_date_relative    = "87600h"
  value                = random_string.client_rnd.result
}
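A variant of the workaround above, added here as an example and not code from the issue reporter or the provider project, that keeps the character set explicit and auditable: `random_password` (whose `result` is marked sensitive, unlike `random_string`) with an `override_special` list that excludes the backtick and single quote named in the AKS error. The issue does not state the full set AKS accepts, so the list below is an assumption, not a documented AKS rule; `var.client_app_name`, `var.cluster_name` and the `client_sp` / `client_app` resources are taken from the configuration in the issue.

```hcl
# Added example (not the reporter's or the provider's code).
# Generate the secret locally so the allowed characters are visible in review.
resource "random_password" "client_pwd" {
  # Changing the keeper rotates the secret on the next apply.
  keepers = {
    client_app_name = var.client_app_name
  }
  length  = 32
  special = true
  # Assumption: this set omits "`" and "'", the two characters the AKS
  # BadRequest in the issue rejected. It is not a documented AKS allow-list.
  override_special = "!@#$%&*()-_=+[]{}<>:?"
  min_lower        = 1
  min_upper        = 1
  min_numeric      = 1
  min_special      = 1
}

# Attach the generated value to the service principal (azuread 1.x `value`
# argument, as used in the issue).
resource "azuread_service_principal_password" "client_pwd" {
  display_name         = var.cluster_name
  service_principal_id = azuread_service_principal.client_sp.id
  end_date_relative    = "87600h"
  value                = random_password.client_pwd.result
}

# Reference the azuread resource (not the random resource) from the cluster so
# Terraform creates the credential before it tries to create the cluster.
resource "azurerm_kubernetes_cluster" "cluster" {
  name                = var.cluster_name
  location            = azurerm_resource_group.cluster_rg.location
  resource_group_name = azurerm_resource_group.cluster_rg.name
  #...
  service_principal {
    client_id     = azuread_application.client_app.application_id
    client_secret = azuread_service_principal_password.client_pwd.value
  }
  #...
}
```

Because `random_password.result` is sensitive, the value is redacted in plan and apply output, although it is still stored in state, so state storage still needs to be access-controlled and encrypted. The `min_*` arguments guarantee each character class is present without widening the special-character set.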

manicminer commented 2 years ago

Hi @Tazminia, thanks for the update. This does appear to be an incompatibility on the part of AKS, since the password value is accepted by the AAD API.

MS Graph is the newer API for Azure AD that we are currently in the process of moving to. In the next version of the AzureAD provider, we will be switching to the newer API. It's worth noting that the new API generates very similar passwords and it's possible this issue may persist. Unfortunately, with the new API it's not possible to provide your own password value.

I'm going to transfer this issue to the AzureRM repo and mark it as AKS related for further investigation.