hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_cognitive_account in Failed state after adding field custom_question_answering_search_service_key (3.16.0) #18011

Open geremy42 opened 2 years ago

geremy42 commented 2 years ago

Terraform Version

1.1.7

AzureRM Provider Version

3.16.0

Affected Resource(s)/Data Source(s)

azurerm_cognitive_account

Terraform Configuration Files

resource "azurerm_cognitive_account" "language" {
  name                                         = local.qnamaker_language_name
  location                                     = azurerm_resource_group.rsg.location
  resource_group_name                          = azurerm_resource_group.rsg.name
  kind                                         = "TextAnalytics"
  sku_name                                     = "S"
  custom_question_answering_search_service_id  = azurerm_search_service.search.id
  custom_question_answering_search_service_key = azurerm_search_service.search.primary_key
  custom_subdomain_name                        = lower(local.qnamaker_language_name)

  public_network_access_enabled = false

  identity {
    type = "SystemAssigned"
  }

  network_acls {
    default_action = "Deny"
    ip_rules       = [var.outbound_ip]
  }
}

resource "azurerm_role_assignment" "language" {
  scope                = "${azurerm_resource_group.rsg.id}/providers/Microsoft.Search/searchServices/${local.search}"
  role_definition_name = "Contributor"
  principal_id         = azurerm_cognitive_account.language.identity.0.principal_id
  depends_on           = [azurerm_cognitive_account.language, azurerm_search_service.search]
}

resource "azurerm_search_service" "search" {
  name                = local.search
  location            = azurerm_resource_group.rsg.location
  resource_group_name = azurerm_resource_group.rsg.name
  sku                 = "standard"

  public_network_access_enabled = false
  allowed_ips                   = []
}

Debug Output/Panic Output

╷
│ Error: waiting for creation of Account (Subscription: "00000000-1111-2222-3333-444444444444"
│ Resource Group Name: "RSGNAME"
│ Account Name: "ACCOUNTNAME"): unexpected state 'Failed', wanted target 'Succeeded'. last error: %!s(<nil>)

Expected Behaviour

New azurerm_cognitive_account resource created without any errors and fully working

Actual Behaviour

The new azurerm_cognitive_account resource got created on the Azure portal, but with the following error:

The resource creation has failed. Keys are not available. Please delete this resource and create a new resource.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

geremy42 commented 2 years ago

Linked to #17239

ms-henglu commented 2 years ago

Hi @geremy42,

Thank you for taking the time to open this issue!

I found that if you create the resource with public network access disabled, the last polling request returns the Failed state, but then the resource's state becomes Succeeded. I believe this is a server-side bug. A workaround is to create the resource with public network access enabled, then disable it in the next terraform apply.

ms-henglu commented 2 years ago

I've created an issue in the swagger repo: https://github.com/Azure/azure-rest-api-specs/issues/20335

ms-henglu commented 1 year ago

Hi @geremy42,

I have an update from the service team:

The issue is happening since disabling private access requires some configurations to be done on the Search resource before the Cognitive account is created.

As an immediate solution I suggest:

  1. Create the Azure Cognitive account with public network access enabled
  2. Then disable public network access by following the steps in: Network isolation and Private Link - question answering - Azure Cognitive Services | Microsoft Learn
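
The two-apply workaround described in the comments above, sketched as an added example that is not part of the thread or the provider's own code. It replaces the azurerm_cognitive_account block from the issue's configuration and assumes the other resources, locals and var.outbound_ip from that configuration; the variable name disable_public_network_access and the output name are hypothetical.

```hcl
# Added example: the variable and output names below are hypothetical.
# Phase 1: terraform apply
#          (account is created with public network access enabled)
# Phase 2: terraform apply -var="disable_public_network_access=true"
#          (review the plan: only public_network_access_enabled should change)
variable "disable_public_network_access" {
  description = "Set to true only after the account has reached the Succeeded state."
  type        = bool
  default     = false
}

resource "azurerm_cognitive_account" "language" {
  name                                         = local.qnamaker_language_name
  location                                     = azurerm_resource_group.rsg.location
  resource_group_name                          = azurerm_resource_group.rsg.name
  kind                                         = "TextAnalytics"
  sku_name                                     = "S"
  custom_question_answering_search_service_id  = azurerm_search_service.search.id
  custom_question_answering_search_service_key = azurerm_search_service.search.primary_key
  custom_subdomain_name                        = lower(local.qnamaker_language_name)

  # Enabled during creation (phase 1), disabled on the follow-up apply (phase 2).
  public_network_access_enabled = !var.disable_public_network_access

  identity {
    type = "SystemAssigned"
  }

  # Kept identical in both phases so the IP allow-list from the issue's
  # configuration is declared from the first apply onward.
  network_acls {
    default_action = "Deny"
    ip_rules       = [var.outbound_ip]
  }
}

# Shows which phase the deployed account is in after each apply.
output "language_public_network_access_enabled" {
  value = azurerm_cognitive_account.language.public_network_access_enabled
}
```

Until the second apply completes, the account stays in the public-access-enabled state, so the phase 2 run belongs in the same change window as phase 1 rather than being left as a follow-up task.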