hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Can't read principal id from azurerm_mssql_server after it has been created #20767

Open linak-lukasmendez opened 1 year ago

linak-lukasmendez commented 1 year ago

Terraform Version

1.2.8

AzureRM Provider Version

3.46.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_server and azuread_directory_role_assignment

Terraform Configuration Files

resource "azurerm_mssql_server" "global" {
  name                         = "sql-${var.environment.system_code}-${local.common_resources_name}-${var.environment.location_code}-${var.environment.environment_code}${local.discriminator}"
  resource_group_name          = azurerm_resource_group.global.name
  location                     = azurerm_resource_group.global.location
  version                      = "12.0"
  minimum_tls_version          = "1.2"

  azuread_administrator {
    login_username = "OneConnect SQL Admin"
    object_id      = data.azuread_group.sql_administrators.object_id
    azuread_authentication_only = true
  }

  identity {
    type = "SystemAssigned"
  }

  tags = local.common_tags
}

data "azuread_directory_roles" "current" {}

# Give the identity Directory Reader permission 
resource "azuread_directory_role_assignment" "global" {
  role_id             = data.azuread_directory_roles.current.roles[index(data.azuread_directory_roles.current.roles.*.display_name, "Directory Readers")].template_id
  principal_object_id = azurerm_mssql_server.global.identity[0].principal_id
}

Debug Output/Panic Output

│ Error: Missing required argument
│
│   with azuread_directory_role_assignment.global,
│   on sql_server.tf line 43, in resource "azuread_directory_role_assignment" "global":
│   43:   principal_object_id = azurerm_mssql_server.global.identity[0].principal_id
│
│ The argument "principal_object_id" is required, but no definition was found.

Expected Behaviour

I expect the principal id from azurerm_mssql_server to be readable, even though the server was created in another terraform execution, and to be able to use it in another resource.

Actual Behaviour

I get an error saying that "principal_object_id" is required, but no definition was found.

Steps to Reproduce

Just apply it and the error will be shown

Important Factoids

I've solved it by adding the azurerm_mssql_server as a data source and then reading the principal id from there instead, like here:

# There is an issue when trying to read the principal_id after it has been created, so I've created this workaround temporarily.
# I've created a bug: https://github.com/hashicorp/terraform-provider-azurerm/issues/20767
data "azurerm_mssql_server" "global" {
  name                = azurerm_mssql_server.global.name
  resource_group_name = azurerm_mssql_server.global.resource_group_name
}

data "azuread_directory_roles" "current" {}

# Give the identity Directory Reader permission 
resource "azuread_directory_role_assignment" "global" {
  role_id             = data.azuread_directory_roles.current.roles[index(data.azuread_directory_roles.current.roles.*.display_name, "Directory Readers")].template_id
  principal_object_id = data.azurerm_mssql_server.global.identity[0].principal_id
}

References

No response

sinbai commented 1 year ago

@linak-lukasmendez thanks for opening this issue. Could you provide the terraform log to help troubleshoot this case?

linak-lukasmendez commented 1 year ago

Yes, here you have it:

terraform.log

This is only from running my apply command.

sinbai commented 1 year ago

@linak-lukasmendez thanks for your response. Per line 5857 in the provided terraform.log, we can see that the API does not return the identity information (e.g. the following identity block) when terraform calls GET /subscriptions/XXX/resourceGroups/rg-moc-global-weu-test-q7r8/providers/Microsoft.Sql/servers/sql-moc-global-weu-test-q7r8?api-version=2021-02-01-preview (line 5836 of terraform.log). Also, both data.azurerm_mssql_server.global.identity[0].principal_id and azurerm_mssql_server.global.identity[0].principal_id call the same flattenSqlServerIdentity method in the terraform code; there is no difference in the terraform implementation. So I am assuming that this is an Azure API issue. Could you file an issue for your case in the Azure API repo for troubleshooting?

"identity": {
  "principalId": "0000000-0000-0000-0000-00000000",
  "type": "SystemAssigned",
  "tenantId": "12345678-0000-0000-0000-000000000"
}
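To illustrate the mechanism sinbai describes, here is an added example (not provider code from terraform-provider-azurerm) that decodes a server GET response body and flattens the identity block into the list form Terraform exposes as identity[...]; the names flattenIdentity and principalIDFromResponse are assumptions standing in for the provider's flattenSqlServerIdentity, and both sample bodies are constructed, not captured from Azure. It shows why an absent identity block yields an empty list, so identity[0].principal_id resolves to no value and the dependent azuread_directory_role_assignment reports a missing required argument.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// serverIdentity mirrors the "identity" block of the ARM response quoted above.
type serverIdentity struct {
	PrincipalID string `json:"principalId"`
	Type        string `json:"type"`
	TenantID    string `json:"tenantId"`
}

// serverResponse models only the fields relevant here; Identity is a pointer so
// a body without an identity block decodes to nil instead of an empty struct.
type serverResponse struct {
	Name     string          `json:"name"`
	Identity *serverIdentity `json:"identity,omitempty"`
}

// flattenIdentity (hypothetical stand-in for flattenSqlServerIdentity) returns
// the list Terraform exposes; with no identity block the list is empty.
func flattenIdentity(id *serverIdentity) []map[string]string {
	if id == nil || id.PrincipalID == "" {
		return []map[string]string{}
	}
	return []map[string]string{{"type": id.Type, "principal_id": id.PrincipalID, "tenant_id": id.TenantID}}
}

// principalIDFromResponse decodes a GET body and returns the principal id,
// or an error naming the cause when the API omitted the identity block.
func principalIDFromResponse(body []byte) (string, error) {
	var resp serverResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("decode: %w", err)
	}
	ids := flattenIdentity(resp.Identity)
	if len(ids) == 0 {
		return "", fmt.Errorf("server %q: response carries no identity block, principal_id unavailable", resp.Name)
	}
	return ids[0]["principal_id"], nil
}

func main() {
	// Constructed sample bodies: one with a SystemAssigned identity, one without.
	withIdentity := []byte(`{"name":"sql-example","identity":{"principalId":"00000000-0000-0000-0000-000000000000","type":"SystemAssigned","tenantId":"11111111-0000-0000-0000-000000000000"}}`)
	withoutIdentity := []byte(`{"name":"sql-example"}`)
	for _, b := range [][]byte{withIdentity, withoutIdentity} {
		pid, err := principalIDFromResponse(b)
		fmt.Printf("principal_id=%q err=%v\n", pid, err)
	}
}
```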