hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_eventhub_namespace_customer_managed_key always has error "user assigned identity '<managed identity id>' must also be assigned to the parent event hub" #25469

Open Scarlettliuyc opened 7 months ago

Scarlettliuyc commented 7 months ago

Terraform Version

1.xx

AzureRM Provider Version

3.97.1

Affected Resource(s)/Data Source(s)

azurerm_eventhub_namespace_customer_managed_key

Terraform Configuration Files

main.tf: follows this document: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace_customer_managed_key#infrastructure_encryption_enabled
#refer to a dns for private-endpoint
data "azurerm_private_dns_zone" "dns_pry" {
  provider = azurerm.hubsub
  name                = var.event_hub_namespace.private_endpoint.dns_zone_name
  resource_group_name = var.event_hub_namespace.private_endpoint.dns_zone_rg_pry
}

data "azurerm_private_dns_zone" "dns_sec" {
  provider = azurerm.hubsub
  name                = var.event_hub_namespace.private_endpoint.dns_zone_name
  resource_group_name = var.event_hub_namespace.private_endpoint.dns_zone_rg_sec
}

data "azurerm_client_config" "this" {}
data "azurerm_resource_group" "this" {
  name = var.resource_group_name
}

data "azurerm_user_assigned_identity" "uami" {
  count = var.event_hub_namespace.user_assigned_mi_name != null ? 1 : 0
  name                = var.event_hub_namespace.user_assigned_mi_name
  resource_group_name = var.event_hub_namespace.user_assigned_mi_rg
}

data "azurerm_subnet" "this" {
  for_each             = var.event_hub_namespace.network_endpoints.virtual_network_subnets
  name                 = each.value.subnet_name
  virtual_network_name = each.value.virtual_network_name
  resource_group_name  = each.value.resource_group_name
}
data "azurerm_storage_account" "this" {
  for_each = local.storage_account_map
  name                = each.value.storage_account_name
  resource_group_name = each.value.resource_group_name
}
data "azurerm_key_vault" "enckv" {
  name                = var.event_hub_namespace.encryptionkeyvault
  resource_group_name = var.event_hub_namespace.encryptionkeyvaultrg
}
data "azurerm_key_vault_key" "enckvk" {
  name         = var.event_hub_namespace.encryptionkeyname
  key_vault_id = data.azurerm_key_vault.enckv.id
}
resource "azurerm_eventhub_namespace" "this" {
  name                = var.event_hub_namespace.name
  location            = data.azurerm_resource_group.this.location
  resource_group_name = data.azurerm_resource_group.this.name
  sku                 = var.event_hub_namespace.sku
  capacity            = var.event_hub_namespace.capacity
  auto_inflate_enabled = var.event_hub_namespace.auto_inflate_enabled
  local_authentication_enabled = var.event_hub_namespace.local_authentication_enabled != null ? var.event_hub_namespace.local_authentication_enabled : false
  public_network_access_enabled = var.event_hub_namespace.public_network_access_enabled != null ? var.event_hub_namespace.public_network_access_enabled : false
  maximum_throughput_units = var.event_hub_namespace.maximum_throughput_units 
  zone_redundant      = var.event_hub_namespace.zone_redundant
  dynamic "network_rulesets" {
    for_each = var.event_hub_namespace.network_endpoints != null ? [var.event_hub_namespace.network_endpoints] : []
    content {
      default_action = network_rulesets.value.default_action
      public_network_access_enabled = var.event_hub_namespace.public_network_access_enabled != null ? var.event_hub_namespace.public_network_access_enabled : false
      trusted_service_access_enabled = network_rulesets.value.trusted_service_access_enabled != null ? network_rulesets.value.trusted_service_access_enabled : true
      dynamic "virtual_network_rule" {
        for_each = network_rulesets.value.virtual_network_subnets
        content {
         subnet_id = data.azurerm_subnet.this[virtual_network_rule.key].id
        }
      }
      dynamic "ip_rule" {
        for_each = network_rulesets.value.ip_rules
        content {
         ip_mask = ip_rule.value
         action = "Allow"
        }
      }
    }   
  }

  identity {
    type         = var.event_hub_namespace.user_assigned_mi_name == null ? "SystemAssigned" : "SystemAssigned, UserAssigned"
    identity_ids = var.event_hub_namespace.user_assigned_mi_name == null ? [] : [data.azurerm_user_assigned_identity.uami[0].id]
  }

  tags = var.tags
}

resource "azurerm_key_vault_access_policy" "kvpolicy-smi" {
  // kv permission model is access policy and system managed identity
  // If the access policy is associated with key vault, create this resource
  count              = var.event_hub_namespace.user_assigned_mi_name == null && data.azurerm_key_vault.enckv.enable_rbac_authorization == false ? 1 : 0
  key_vault_id = data.azurerm_key_vault.enckv.id
  tenant_id    = data.azurerm_client_config.this.tenant_id
  object_id    = azurerm_eventhub_namespace.this.identity[0].principal_id
  key_permissions = ["Get", "List", "WrapKey", "UnwrapKey"]
  secret_permissions = ["Get","List"]
  depends_on = [azurerm_eventhub_namespace.this]
}

resource "azurerm_role_assignment" "rassign-smi" {
  // If KV's permission model is RBAC and system managed identity
  // If keyvault's access policy is RBAC, create this resource
  count                = var.event_hub_namespace.user_assigned_mi_name == null && data.azurerm_key_vault.enckv.enable_rbac_authorization == true ? 1 : 0
  scope                = data.azurerm_key_vault.enckv.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_eventhub_namespace.this.identity[0].principal_id
  depends_on = [azurerm_eventhub_namespace.this]
}

resource "azurerm_eventhub_namespace_customer_managed_key" "identity" {
  eventhub_namespace_id = azurerm_eventhub_namespace.this.id
  key_vault_key_ids     = [data.azurerm_key_vault_key.enckvk.versionless_id]
  user_assigned_identity_id = var.event_hub_namespace.user_assigned_mi_name != null ? data.azurerm_user_assigned_identity.uami[0].id : null
  depends_on = [azurerm_eventhub_namespace.this, azurerm_key_vault_access_policy.kvpolicy-smi, azurerm_role_assignment.rassign-smi]
}

resource "azurerm_eventhub" "this" {
  for_each = var.event_hub
  name                = each.value.name
  namespace_name      = azurerm_eventhub_namespace.this.name
  resource_group_name = data.azurerm_resource_group.this.name
  partition_count     = each.value.partition_count
  message_retention   = each.value.message_retention
  dynamic "capture_description" {
    for_each = each.value.capture_description != null ? [each.value.capture_description] : []
    content {
      enabled             = capture_description.value.enabled
      encoding            = capture_description.value.encoding
      interval_in_seconds = capture_description.value.interval_in_seconds
      size_limit_in_bytes = capture_description.value.size_limit_in_bytes
      skip_empty_archives = capture_description.value.skip_empty_archives
      destination {
        name                = capture_description.value.destination.name
        archive_name_format = capture_description.value.destination.archive_name_format
        blob_container_name = capture_description.value.destination.archive_storage.blob_container_name
        storage_account_id  = data.azurerm_storage_account.this["${each.value.name}.${capture_description.value.destination.archive_storage.storage_account_name}.${capture_description.value.destination.archive_storage.resource_group_name}"].id
      }
    }
  }
  depends_on = [azurerm_eventhub_namespace.this, azurerm_eventhub_namespace_customer_managed_key.identity]
}
resource "azurerm_eventhub_authorization_rule" "this" {
  for_each = local.event_hub_authrule_map
  name                = each.value.name
  namespace_name      = azurerm_eventhub_namespace.this.name
  eventhub_name       = each.value.event_hub_name
  resource_group_name = data.azurerm_resource_group.this.name
  listen              = each.value.listen
  send                = each.value.send
  manage              = each.value.manage
  depends_on = [
    azurerm_eventhub.this
  ]
}
resource "azurerm_eventhub_consumer_group" "this" {
  for_each = local.event_hub_consumergrp_map
  name                = each.value.name
  namespace_name      = azurerm_eventhub_namespace.this.name
  eventhub_name       = each.value.event_hub_name
  resource_group_name = data.azurerm_resource_group.this.name
  user_metadata       = each.value.user_metadata
  depends_on = [
    azurerm_eventhub.this
  ]
}
//Create Private Endpoint
module "eventhub-pe" {
  for_each = local.private_endpoint_map
  source          = "../modules/private-endpoint"
  private_endpoint = each.value
  providers = {
    azurerm.pepsub = azurerm.pepsub
  }
  tags = var.tags
  depends_on = [
    azurerm_eventhub_namespace.this
  ]
}

Debug Output/Panic Output

Part of debug log:
2024-03-27T08:42:38.6877978Z 2024-03-27T04:42:38.658-0400 [DEBUG] backend/local: Skipping interactive prompts for variables because input is disabled
2024-03-27T08:42:38.6878614Z 2024-03-27T04:42:38.658-0400 [DEBUG] Building and walking validate graph
2024-03-27T08:42:38.6879508Z 2024-03-27T04:42:38.659-0400 [DEBUG] ProviderTransformer: "data.azurerm_user_assigned_identity.uami" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6880525Z 2024-03-27T04:42:38.659-0400 [DEBUG] ProviderTransformer: "data.azurerm_subnet.this" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6881572Z 2024-03-27T04:42:38.659-0400 [DEBUG] ProviderTransformer: "data.azurerm_private_dns_zone.dns_sec" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"].hubsub
2024-03-27T08:42:38.6882817Z 2024-03-27T04:42:38.659-0400 [DEBUG] ProviderTransformer: "data.azurerm_resource_group.this" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6883823Z 2024-03-27T04:42:38.659-0400 [DEBUG] ProviderTransformer: "module.eventhub-pe.null_resource.sequential_lock" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/null"]
2024-03-27T08:42:38.6884880Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "azurerm_eventhub_namespace.this" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6885911Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "data.azurerm_client_config.this" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6886933Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "azurerm_key_vault_access_policy.kvpolicy-smi" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6887999Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "data.azurerm_key_vault.enckv" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6888952Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "data.azurerm_storage_account.this" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6890069Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "module.eventhub-pe.data.azurerm_subnet.subnetpe" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"].pepsub
2024-03-27T08:42:38.6891045Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "data.azurerm_key_vault_key.enckvk" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6974379Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "azurerm_eventhub_namespace_customer_managed_key.identity" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6975688Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "data.azurerm_private_dns_zone.dns_pry" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"].hubsub
2024-03-27T08:42:38.6976976Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "module.eventhub-pe.azurerm_private_endpoint.endpoint" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"].pepsub
2024-03-27T08:42:38.6978374Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "azurerm_role_assignment.rassign-smi" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6979501Z 2024-03-27T04:42:38.660-0400 [DEBUG] ProviderTransformer: "module.eventhub-pe.data.azurerm_resources.rg" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2024-03-27T08:42:38.6980420Z 2024-03-27T04:42:38.660-0400 [DEBUG] pruning unused provider["registry.terraform.io/hashicorp/azuread"]
2024-03-27T08:42:38.6981152Z 2024-03-27T04:42:38.660-0400 [DEBUG] pruning unused provider["registry.terraform.io/azure/azapi"]
2024-03-27T08:42:38.6981925Z 2024-03-27T04:42:38.660-0400 [DEBUG] pruning unused provider["registry.terraform.io/hashicorp/azurerm"].sourcesub
2024-03-27T08:42:38.6982745Z 2024-03-27T04:42:38.660-0400 [DEBUG] pruning unused provider["registry.terraform.io/hashicorp/azurerm"].image_subscription
2024-03-27T08:42:38.6983560Z 2024-03-27T04:42:38.660-0400 [DEBUG] pruning unused provider["registry.terraform.io/hashicorp/kubernetes"]
2024-03-27T08:42:38.6984219Z 2024-03-27T04:42:38.660-0400 [DEBUG] created provider logger: level=debug
2024-03-27T08:42:38.6984867Z 2024-03-27T04:42:38.660-0400 [INFO]  provider: configuring client automatic mTLS
2024-03-27T08:42:38.6986364Z 2024-03-27T04:42:38.680-0400 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.97.1/linux_amd64/
...
2024-03-27T08:42:39.0417868Z 2024-03-27T04:42:39.036-0400 [DEBUG] ReferenceTransformer: "data.azurerm_subnet.this" references: [var.event_hub_namespace]
2024-03-27T08:42:39.0418347Z 2024-03-27T04:42:39.036-0400 [DEBUG] ReferenceTransformer: "data.azurerm_key_vault.enckv" references: [var.event_hub_namespace var.event_hub_namespace]
2024-03-27T08:42:39.0418842Z 2024-03-27T04:42:39.036-0400 [DEBUG] ReferenceTransformer: "local.event_hub_authrule_map (expand)" references: [local.event_hub_authrule_list (expand)]
2024-03-27T08:42:39.0419591Z 2024-03-27T04:42:39.037-0400 [DEBUG] ReferenceTransformer: "local.private_endpoint_map (expand)" references: [local.private_endpoint_pry (expand) local.private_endpoint_pry (expand) local.private_endpoint_pry (expand) local.private_endpoint_sec (expand) local.private_endpoint_sec (expand) local.private_endpoint_sec (expand)]
2024-03-27T08:42:39.0420182Z 2024-03-27T04:42:39.037-0400 [DEBUG] ReferenceTransformer: "local.event_hub_consumergrp_list (expand)" references: [var.event_hub]
2024-03-27T08:42:39.0420877Z 2024-03-27T04:42:39.037-0400 [DEBUG] ReferenceTransformer: "azurerm_key_vault_access_policy.kvpolicy-smi" references: [azurerm_eventhub_namespace.this var.event_hub_namespace data.azurerm_key_vault.enckv azurerm_eventhub_namespace.this data.azurerm_key_vault.enckv data.azurerm_client_config.this]
2024-03-27T08:42:39.0421759Z 2024-03-27T04:42:39.037-0400 [DEBUG] ReferenceTransformer: "azurerm_eventhub_namespace_customer_managed_key.identity" references: [azurerm_eventhub_namespace.this azurerm_key_vault_access_policy.kvpolicy-smi azurerm_role_assignment.rassign-smi data.azurerm_key_vault_key.enckvk data.azurerm_user_assigned_identity.uami azurerm_eventhub_namespace.this]
...
2024-03-27T08:42:40.1811123Z 2024-03-27T04:42:40.180-0400 [DEBUG] ReferenceTransformer: "azurerm_eventhub_namespace_customer_managed_key.identity (expand)" references: [azurerm_eventhub_namespace.this (expand) azurerm_key_vault_access_policy.kvpolicy-smi (expand) azurerm_role_assignment.rassign-smi (expand) data.azurerm_user_assigned_identity.uami (expand) azurerm_eventhub_namespace.this (expand) data.azurerm_key_vault_key.enckvk (expand)]
2024-03-27T08:42:40.1812443Z 2024-03-27T04:42:40.180-0400 [DEBUG] ReferenceTransformer: "local.private_dns_zone_pry_ids (expand)" references: [local.dns_zone_list_pry (expand)]
2024-03-27T08:42:40.1813368Z 2024-03-27T04:42:40.180-0400 [DEBUG] ReferenceTransformer: "local.event_hub_consumergrp_map (expand)" references: [local.event_hub_consumergrp_list (expand)]
2024-03-27T08:42:40.1814217Z 2024-03-27T04:42:40.180-0400 [DEBUG] ReferenceTransformer: "output.eventhub_namespace (expand)" references: [azurerm_eventhub_namespace.this (expand)]
2024-03-27T08:42:40.1815369Z 2024-03-27T04:42:40.180-0400 [DEBUG] ReferenceTransformer: "local.private_dns_zone_sec_ids (expand)" references: [local.dns_zone_list_sec (expand)]
2024-03-27T08:42:40.1816206Z 2024-03-27T04:42:40.180-0400 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/azurerm\"].pepsub" references: []
2024-03-27T08:42:40.1818428Z 2024-03-27T04:42:40.180-0400 [DEBUG] ReferenceTransformer: "module.eventhub-pe (expand)" references: [azurerm_eventhub_namespace.this (expand) local.private_endpoint_map (expand)]
2024-03-27T08:42:40.1827030Z 2024-03-27T04:42:40.181-0400 [DEBUG] ReferenceTransformer: "azurerm_eventhub_namespace.this (expand)" references: [var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace data.azurerm_resource_group.this (expand) data.azurerm_resource_group.this (expand) var.tags var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace var.event_hub_namespace data.azurerm_subnet.this (expand) data.azurerm_user_assigned_identity.uami (expand)]
...
2024-03-27T08:42:45.9244333Z 2024-03-27T04:42:45.923-0400 [DEBUG] Resource instance state not found for node "azurerm_eventhub_namespace_customer_managed_key.identity", instance azurerm_eventhub_namespace_customer_managed_key.identity
2024-03-27T08:42:45.9245328Z 2024-03-27T04:42:45.923-0400 [INFO]  ReferenceTransformer: reference not found: "azurerm_eventhub_namespace.this"
2024-03-27T08:42:45.9246685Z 2024-03-27T04:42:45.923-0400 [INFO]  ReferenceTransformer: reference not found: "azurerm_key_vault_access_policy.kvpolicy-smi"
2024-03-27T08:42:45.9247489Z 2024-03-27T04:42:45.923-0400 [INFO]  ReferenceTransformer: reference not found: "azurerm_role_assignment.rassign-smi"
2024-03-27T08:42:45.9248316Z 2024-03-27T04:42:45.923-0400 [DEBUG] ReferenceTransformer: "azurerm_eventhub_namespace_customer_managed_key.identity" references: []
2024-03-27T08:42:45.9259651Z 2024-03-27T04:42:45.924-0400 [DEBUG] refresh: azurerm_eventhub_namespace_customer_managed_key.identity: no state, so not refreshing
...
2024-03-27T08:42:45.9343106Z 2024-03-27T04:42:45.932-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_eventhub_namespace_customer_managed_key.identity, but we are tolerating it because it is using the legacy plugin SDK.
2024-03-27T08:42:45.9343479Z     The following problems may be the cause of any confusing errors from downstream operations:
2024-03-27T08:42:45.9343853Z       - .infrastructure_encryption_enabled: planned value cty.False for a non-computed attribute
2024-03-27T08:42:45.9344317Z 2024-03-27T04:42:45.932-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-27T08:42:45.9344749Z 2024-03-27T04:42:45.933-0400 [DEBUG]
...
2024-03-27T08:42:48.2332751Z Terraform will perform the following actions:
2024-03-27T08:42:48.2332893Z 
2024-03-27T08:42:48.2333418Z   # azurerm_eventhub_namespace_customer_managed_key.identity will be created
2024-03-27T08:42:48.2334019Z   + resource "azurerm_eventhub_namespace_customer_managed_key" "identity" {
2024-03-27T08:42:48.2335213Z       + eventhub_namespace_id             = "<event hub id>"
2024-03-27T08:42:48.2336151Z       + id                                = (known after apply)
2024-03-27T08:42:48.2336537Z       + infrastructure_encryption_enabled = false
2024-03-27T08:42:48.2336810Z       + key_vault_key_ids                 = [
2024-03-27T08:42:48.2337213Z           + "https://plte-use2-shsv-kv-inf-02.vault.azure.net/keys/plte-use2-azp-cmk-02/5e96bec044a84ba6a499d04a6d332154",
2024-03-27T08:42:48.2337438Z         ]
2024-03-27T08:42:48.2337981Z       + user_assigned_identity_id         = "<user assigned identity id"
2024-03-27T08:42:48.2338770Z Plan: 1 to add, 0 to change, 0 to destroy.
2024-03-27T08:42:48.2339333Z 
2024-03-27T08:42:48.2339566Z Changes to Outputs:
...
2024-03-27T08:42:53.8635384Z 2024-03-27T04:42:53.547-0400 [ERROR] provider.terraform-provider-azurerm_v3.97.1_x5: Response contains error diagnostic: tf_proto_version=5.4 @caller=github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_detail= diagnostic_summary="user assigned identity '<user assigend managed identity id> ' must also be assigned to the parent event hub" tf_provider_addr=provider diagnostic_severity=ERROR tf_req_id=afcc3a7e-2a0e-a876-105e-45e18bcf6fe4 tf_resource_type=azurerm_eventhub_namespace_customer_managed_key tf_rpc=ApplyResourceChange timestamp=2024-03-27T04:42:53.547-0400
2024-03-27T08:42:53.8636316Z 2024-03-27T04:42:53.548-0400 [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-03-27T08:42:53.8637102Z 2024-03-27T04:42:53.548-0400 [ERROR] vertex "azurerm_eventhub_namespace_customer_managed_key.identity" error: user assigned identity '<user assigned identity id>' must also be assigned to the parent event hub
2024-03-27T08:42:53.8637737Z 2024-03-27T04:42:53.548-0400 [DEBUG] states/remote: state read serial is: 28; serial is: 28
2024-03-27T08:42:53.8638233Z 2024-03-27T04:42:53.548-0400 [DEBUG] states/remote: state read lineage is: 9636bfa1-73f1-65c4-5602-cb47462e6826; lineage is: 9636bfa1-73f1-65c4-5602-cb47462e6826
2024-03-27T08:42:53.8638661Z 2024-03-27T04:42:53.553-0400 [DEBUG] Azure Backend Request: 
2024-03-27T08:42:53.8639001Z HEAD /terragrntbackend/

Expected Behaviour

The encryption should be created correctly by Terraform.

Actual Behaviour

The issue has been happening since 3/08/2024; tried in both azurerm 3.90 and 3.97 versions. The identity has actually already been added to the Event Hub, we can find it in the portal. This part of the Terraform only creates the encryption based on the identity. The role assignment on the key vault was also created correctly. The error looks to come from this line: https://github.com/hashicorp/terraform-provider-azurerm/blob/810ce188d48d7b00f9d6516cbe39f0b8accc8bfc/internal/services/eventhub/eventhub_namespace_customer_managed_key_resource.go#L144 We tried to hard-code the user assigned managed identity id, but the same error occurred.

Steps to Reproduce

Terraform plan
Terraform apply

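The precondition the provider enforces at the linked line, written out as an added Go example that is not the provider's code: it checks that the CMK resource's user_assigned_identity_id appears among the parent namespace's identity_ids, comparing the resource ID segment by segment and case-insensitively so that an ID the API returns with a lowercased "resourcegroups" segment or stray whitespace still matches the configured one. The sample IDs are constructed placeholders, and the tolerant comparison is this example's own assumption, not a description of the fix in the linked PR.

```go
package main

import (
	"fmt"
	"strings"
)

// uamiID holds the segments of a user-assigned identity resource ID, lowercased,
// so two IDs that differ only in casing or surrounding whitespace compare equal.
type uamiID struct {
	subscription, resourceGroup, name string
}

// parseUAMI parses
// /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
// accepting any casing of the fixed keywords (assumption: ARM compares them case-insensitively).
func parseUAMI(id string) (uamiID, error) {
	p := strings.Split(strings.Trim(strings.TrimSpace(id), "/"), "/")
	if len(p) != 8 ||
		!strings.EqualFold(p[0], "subscriptions") ||
		!strings.EqualFold(p[2], "resourceGroups") ||
		!strings.EqualFold(p[4], "providers") ||
		!strings.EqualFold(p[5], "Microsoft.ManagedIdentity") ||
		!strings.EqualFold(p[6], "userAssignedIdentities") {
		return uamiID{}, fmt.Errorf("not a user assigned identity id: %q", id)
	}
	return uamiID{
		subscription:  strings.ToLower(p[1]),
		resourceGroup: strings.ToLower(p[3]),
		name:          strings.ToLower(p[7]),
	}, nil
}

// identityAssignedToNamespace reports whether the identity referenced by the
// customer-managed-key block is among the identity_ids of the parent namespace.
// Entries that do not parse are skipped: they cannot be the one we look for.
func identityAssignedToNamespace(namespaceIdentityIDs []string, cmkIdentityID string) (bool, error) {
	want, err := parseUAMI(cmkIdentityID)
	if err != nil {
		return false, err
	}
	for _, assigned := range namespaceIdentityIDs {
		if got, err := parseUAMI(assigned); err == nil && got == want {
			return true, nil
		}
	}
	return false, nil
}

// checkCMKIdentity is the precondition from the issue: the user assigned
// identity on the CMK resource must also be assigned to the parent namespace.
func checkCMKIdentity(namespaceIdentityIDs []string, cmkIdentityID string) error {
	ok, err := identityAssignedToNamespace(namespaceIdentityIDs, cmkIdentityID)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("user assigned identity '%s' must also be assigned to the parent event hub", cmkIdentityID)
	}
	return nil
}

func main() {
	// Constructed placeholder IDs: the config spells resourceGroups in camel case,
	// the API answer lowercases it and carries a trailing space.
	fromConfig := "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-eventhub"
	fromAPI := "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-eventhub "
	fmt.Println(checkCMKIdentity([]string{fromAPI}, fromConfig)) // <nil>
	fmt.Println(checkCMKIdentity(nil, fromConfig))               // the issue's error
}
```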

surendarkaniops commented 6 months ago

We are also facing the same issue. Any resolution or workaround so far?

itsmesureshmadineni commented 6 months ago

I am also facing the same issue. Tried providing Azure data owner role but still no luck.

chatelain-io commented 5 months ago

+1

msitte commented 5 months ago

+1

Scarlettliuyc commented 5 months ago

This is the PR https://github.com/hashicorp/terraform-provider-azurerm/pull/25809 but it hasn't been pushed yet.

MayureshTiwari commented 1 month ago

The issue has been resolved in provider version 3.116.0.