event_grid_domain identity block is not detected in plan

[brennfoster]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.0.11 azurerm v2.84.0

Affected Resource(s)

resource "azurerm_eventgrid_domain" "current" {
  name                = var.event_grid_domain_name
  resource_group_name = var.resource_group_name
  location            = var.location

  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    ignore_changes = [
      tags
    ]
  }
}

Expected Behaviour

System Identity should have been created and connected to Event Grid Domain resource.

Actual Behaviour

Identity is never created so when attempting to assign a role to the identity I get the following message:

│ Error: Missing required argument
│ 
│   resource "azurerm_role_assignment" "example":
│   principal_id  = azurerm_eventgrid_domain.current.identity[0].principal_id
│ 
│ The argument "principal_id" is required, but no definition was found.
╵
##[error]Error: The process '/usr/local/bin/terraform' failed with exit code 1

[xiaxyi]

@brennfoster , I tested the event grid identity but seems it's working as expected. Can you try output the value to see if there is a value?

output "identity" {
  value = azurerm_eventgrid_domain.current.identity[0].principal_id
}

[brennfoster]

@xiaxyi It only worked for me when I manually created the identity in the portal. It's not a problem with outputting the identity id but with trying to create the identity from terraform. I will try to find some time today or early next week to test again.

[xiaxyi]

@brennfoster may I know if you get any chance to test the behavior again?

[xiaxyi]

@brennfoster any news on the test? :)

[Annesars90]

I have exactly this problem. I even added a depends on in the role assignment but it will not work. Code adding the identity to existing topic:

resource "azurerm_eventgrid_system_topic" "aces_eventgrid" { name = "aces-eventgrid-${var.subscription_name}" resource_group_name = azurerm_resource_group.Aces-Util.name location = "Global" source_arm_resource_id = data.azurerm_subscription.current.id topic_type = "Microsoft.Resources.Subscriptions" lifecycle { ignore_changes = [ tags ] } identity { type = "SystemAssigned" } }

resource "azurerm_role_assignment" "data_sender_event_grid" { depends_on = [ azurerm_eventgrid_system_topic.aces_eventgrid ] scope = data.azurerm_servicebus_namespace.aces_servicebus_namespace.id role_definition_name = "Azure Service Bus Data Sender" principal_id = azurerm_eventgrid_system_topic.aces_eventgrid.identity[0].principal_id }

---

output pipeline:

│ Error: Missing required argument │ │ with azurerm_role_assignment.data_sender_event_grid, │ on aces-util.tf line 199, in resource "azurerm_role_assignment" "data_sender_event_grid": │ 199: principal_id = azurerm_eventgrid_system_topic.aces_eventgrid.identity[0].principal_id │ │ The argument "principal_id" is required, but no definition was found.

When I add the identity by hand in the portal or by code but without the assignment and then add the assignment later, it will work. Not at the same time though.

[humanascode]

I just got this error when using a managed identity in a role assignment resource. I added a data component and used it instead of the actual resource (which was a VM in this case) and it solved the issue.

data "azurerm_virtual_machine" "vm_data" {
  name = azurerm_linux_virtual_machine.lnxSrv1.name
  resource_group_name = azurerm_linux_virtual_machine.lnxSrv1.resource_group_name
}

resource "azurerm_role_assignment" "sa_blob_reader" {
  scope = var.sa_id
  role_definition_name = "Storage Blob Data Reader"
  principal_id = data.azurerm_virtual_machine.vm_data.identity[0].principal_id
}