hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_federated_identity_credential drops issuer from request and fails creation #20241

Closed MrDrMcCoy closed 1 year ago

MrDrMcCoy commented 1 year ago

Terraform Version

1.3.7

AzureRM Provider Version

3.41.0

Affected Resource(s)/Data Source(s)

azurerm_federated_identity_credential

Terraform Configuration Files


locals {
  aks_clusters = {
    for region, cluster in data.terraform_remote_state.infra.outputs.az_resource_groups[var.resource_group].azurerm_kubernetes_cluster_anark
      : region => cluster if contains(var.regions, cluster.location)
  }
}

resource "azurerm_user_assigned_identity" "tenant" {
  resource_group_name = var.resource_group
  location = "centralus"
  name = var.tenant
}

resource "azurerm_federated_identity_credential" "tenant" {
  for_each = local.aks_clusters
  name = "${var.tenant}-federated-${each.key}"
  resource_group_name = var.resource_group
  audience = ["api://AzureADTokenExchange"]
  issuer = each.value.oidc_issuer_url
  parent_id = azurerm_user_assigned_identity.tenant.id
  subject = "system:serviceaccount:${var.tenant}:${var.tenant}"
}

Debug Output/Panic Output

# azurerm_federated_identity_credential.tenant["centralus"] will be created
  + resource "azurerm_federated_identity_credential" "tenant" {
      + audience            = [
          + "api://AzureADTokenExchange",
        ]
      + id                  = (known after apply)
      + name                = "test2-federated-centralus"
      + parent_id           = "/subscriptions/7e3520f4-1eda-46e9-a2b4-22bcc8691b9a/resourceGroups/dev2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test2"
      + resource_group_name = "dev2"
      + subject             = "system:serviceaccount:test2:test2"
    }

...

│ Error: creating Federated Identity Credential (Subscription: "7e3520f4-1eda-46e9-a2b4-22bcc8691b9a"
│ Resource Group Name: "dev2"
│ User Assigned Identity Name: "test2"
│ Federated Identity Credential Name: "test2-federated-centralus"): managedidentities.ManagedIdentitiesClient#FederatedIdentityCredentialsCreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The request format was unexpected. Federated Identity Credential must specify 'issuer', 'subject' and 'audience'."
│ 
│   with azurerm_federated_identity_credential.tenant["centralus"],
│   on identity.tf line 16, in resource "azurerm_federated_identity_credential" "tenant":
│   16: resource "azurerm_federated_identity_credential" "tenant" {
│ 
│ creating Federated Identity Credential (Subscription:
│ "7e3520f4-1eda-46e9-a2b4-22bcc8691b9a"
│ Resource Group Name: "dev2"
│ User Assigned Identity Name: "test2"
│ Federated Identity Credential Name: "test2-federated-centralus"):
│ managedidentities.ManagedIdentitiesClient#FederatedIdentityCredentialsCreateOrUpdate:
│ Failure responding to request: StatusCode=400 -- Original Error: autorest/azure:
│ Service returned an error. Status=400 Code="BadRequest" Message="The request format was
│ unexpected. Federated Identity Credential must specify 'issuer', 'subject' and
│ 'audience'."

Expected Behaviour

azurerm_federated_identity_credential resource should be created with all specified arguments.

Actual Behaviour

azurerm_federated_identity_credential silently drops issuer argument and the API responds with an error.

Steps to Reproduce

  1. Create AKS cluster with oidc_issuer_enabled and workload_identity_enabled set to true.
  2. Create User Assigned Identity for AKS tenant application.
  3. Create Federated Identity Credential referencing the AKS cluster's oidc_issuer_url and the User Assigned Identity.
  4. Observe failure.

sinbai commented 1 year ago

@MrDrMcCoy thanks for opening this issue. Could you provide the actual value of "each.value.oidc_issuer_url" passed to terraform to help troubleshoot when the above error occurs?

MrDrMcCoy commented 1 year ago

@sinbai A wise man once told me that by asking the right questions, you're already most of the way to your answer.

We have our Terraform split into multiple states. There's an "infra" state, managing common resources like AKS clusters, and various "tenant" states that manage individual deployments on that infrastructure. The tenant state uses the terraform_remote_state data source to reference resources in the infra state.

The AKS cluster in the infra state has the following: module.az_resource_group["dev2"].azurerm_kubernetes_cluster_anark["centralus"].oidc_issuer_url = "https://centralus.oic.prod-aks.azure.com/<redacted>/<redacted>/"

The tenant state, even after running terraform refresh, has this: data.terraform_remote_state.infra.outputs.az_resource_groups[var.resource_group].azurerm_kubernetes_cluster_anark["centralus"].oidc_issuer_url = ""

So it would seem that this isn't really an issue with the azurerm provider, but rather an issue with Terraform itself refusing to pull the latest remote state data. Would you happen to know any tricks for forcing this to update properly?
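An added example, not from the issue or the provider: the tenant-state resource from the reporter's configuration extended with lifecycle preconditions (Terraform 1.2+) so that an empty or unexpected issuer pulled from remote state fails at plan time with a clear message instead of being rejected by the Azure API. It reuses the locals and user-assigned identity from the configuration above; the AKS issuer URL pattern (region prefix equal to the map key, two path segments) is an assumption based on the redacted value quoted in the thread.

```hcl
# Added example (not the issue's original config): precondition checks on
# the federated credential's issuer before the request reaches Azure.
resource "azurerm_federated_identity_credential" "tenant" {
  for_each            = local.aks_clusters
  name                = "${var.tenant}-federated-${each.key}"
  resource_group_name = var.resource_group
  audience            = ["api://AzureADTokenExchange"]
  issuer              = each.value.oidc_issuer_url
  parent_id           = azurerm_user_assigned_identity.tenant.id
  subject             = "system:serviceaccount:${var.tenant}:${var.tenant}"

  lifecycle {
    # The failure mode in this issue: the remote-state output is "" because the
    # infra state has not been applied/refreshed with oidc_issuer_enabled yet.
    precondition {
      condition     = each.value.oidc_issuer_url != ""
      error_message = "oidc_issuer_url for cluster ${each.key} is empty; apply/refresh the infra state before creating the federated credential."
    }

    # Only accept an issuer hosted under the AKS OIDC issuer domain for this
    # region (pattern assumed from the redacted URL in the thread), so a wrong
    # or tampered remote-state value cannot silently federate trust elsewhere.
    precondition {
      condition     = can(regex("^https://${each.key}\\.oic\\.prod-aks\\.azure\\.com/[^/]+/[^/]+/$", each.value.oidc_issuer_url))
      error_message = "oidc_issuer_url for cluster ${each.key} (${each.value.oidc_issuer_url}) does not match the expected AKS OIDC issuer pattern."
    }
  }
}
```

With these checks in place, `terraform plan` stops on the empty issuer with the first message rather than producing the plan shown above that omits `issuer` and then fails on apply.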

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.