hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Running Kusto script on ADX fails through Terraform, succeeds manually #26013

Open sruthikilari opened 5 months ago

sruthikilari commented 5 months ago

Terraform Version

1.5.7

AzureRM Provider Version

3.52.0

Affected Resource(s)/Data Source(s)

azurerm_kusto_script

Terraform Configuration Files

#create blob to store the managed identity policy
resource "azurerm_storage_blob" "nativeingestionpolicy" {
  name                   = "native_ingestion.kql"
  storage_account_name   = azurerm_storage_account.this.name
  storage_container_name = azurerm_storage_container.scripts.name
  type                   = "Block"
  source_content         = ".alter-merge cluster policy managed_identity \"[{ 'ObjectId' : '${azurerm_user_assigned_identity.terraform.principal_id}', 'AllowedUsages' : 'NativeIngestion' }]\""
  depends_on = [azurerm_storage_container.scripts, azurerm_user_assigned_identity.terraform]
  lifecycle {
    replace_triggered_by = [
      null_resource.always_run
    ]
  }
}

#enable native ingestion using the script inside the container
resource "azurerm_kusto_script" "policy" {
  name                               = "metricsdbmsipolicy"
  database_id                        = azurerm_kusto_database.database.id
  url                                = azurerm_storage_blob.nativeingestionpolicy.id
  sas_token                          = data.azurerm_storage_account_sas.this.sas
  continue_on_errors_enabled         = true
  force_an_update_when_value_changed = "first"
  depends_on = [azurerm_kusto_database.database]
}

Debug Output/Panic Output

Failed to run script 'metricsdbmsipolicy' on database. Reason: Command is not allowed.

Expected Behaviour

Expecting policy to be added when I run ".show cluster policy managed identity" but it comes up blank

Actual Behaviour

The command fails through the script, but succeeds when I paste the same command into my database in the portal immediately afterwards

Steps to Reproduce

SP and user have both been added as AllDatabaseAdmin on the cluster and Admin on the database through Terraform

Important Factoids

No response

References

No response

sruthikilari commented 5 months ago

I have also tried using the source content field instead of reading the command from the blob; same error

resource "azurerm_kusto_script" "metricsdbnativeingestionpolicy" {
  name                               = "metricsdbnativeingestionpolicy"
  database_id                        = azurerm_kusto_database.database.id
  continue_on_errors_enabled         = true
  force_an_update_when_value_changed = "first"
  depends_on = [azurerm_kusto_cluster_principal_assignment.user, azurerm_user_assigned_identity.terraform, azurerm_kusto_cluster_principal_assignment.this, azurerm_kusto_cluster_principal_assignment.msi]

  script_content = <<SCRIPT
    .alter-merge cluster policy managed_identity "[{ 'ObjectId' : '${azurerm_user_assigned_identity.terraform.principal_id}', 'AllowedUsages' : 'NativeIngestion' }]"
SCRIPT
}