hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.52k stars, 4.6k forks

azurerm_search_service can't enable SystemAssigned identity and apply azurerm_role_assignment in same plan #26731

Open aeimer opened 1 month ago

aeimer commented 1 month ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.2

AzureRM Provider Version

~> 3.85

Affected Resource(s)/Data Source(s)

azurerm_search_service, azurerm_role_assignment

Terraform Configuration Files

resource "azurerm_search_service" "this" {
  # This is an existing search service WITHOUT the identity block
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_cognitive_account" "this" {
  # Some existing cognitive account
}

resource "azurerm_role_assignment" "cognitiveaccount_search_reader" {
  # This RBAC is new
  scope                = azurerm_search_service.this.id
  role_definition_name = "Search Index Data Reader"
  principal_id         = azurerm_cognitive_account.this.identity[0].principal_id
}

Debug Output/Panic Output

╷
│ Error: Missing required argument
│ 
│   with azurerm_role_assignment.azuresearch["swc-openai-s0"],
│   on cognitiveaccount.tf line 43, in resource "azurerm_role_assignment" "azuresearch":
│   43:   principal_id         = module.azuresearch.identity.principal_id
│ 
│ The argument "principal_id" is required, but no definition was found.
╵

Expected Behaviour

The provider should be able to enable the identity first and then use the generated values.

Actual Behaviour

The provider fails as the current state does not have the required properties.

Steps to Reproduce

  1. Apply the code above without the azurerm_search_service identity block and without the RBAC assignment.
  2. Uncomment the identity block and the RBAC assignment.
  3. Apply again.

Important Factoids

No response

References

No response

liuwuliuyun commented 1 month ago

Hi @aeimer , thank you for bringing this to our attention. I've confirmed the issue on my end as well. It occurs because Terraform attempts to locate the principal_id for the azurerm_role_assignment resource during plan generation, but fails since the principal_id hasn't been created yet. As a temporary solution, you can include the identity block for the initial terraform apply run. Afterwards, incorporate the azurerm_role_assignment and execute terraform apply again.

liuwuliuyun commented 1 month ago

Minimal template to reproduce:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.85"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "yunliuGHTest"
  location = "East US"

  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azurerm_cognitive_account" "example" {
  name                = "example-account"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = "SpeechServices"

  sku_name = "S0"

  tags = {
    Acceptance = "Test"
  }
}

resource "azurerm_search_service" "example" {
  name                = "example-search222"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "basic"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_role_assignment" "cognitiveaccount_search_reader" {
  scope                = azurerm_search_service.example.id
  role_definition_name = "Search Index Data Reader"
  principal_id         = azurerm_cognitive_account.example.identity[0].principal_id
}

Error details

╷
│ Error: Invalid index
│
│   on main.tf line 51, in resource "azurerm_role_assignment" "cognitiveaccount_search_reader":
│   51:   principal_id         = azurerm_cognitive_account.example.identity[0].principal_id
│     ├────────────────
│     │ azurerm_cognitive_account.example.identity is empty list of object
│
│ The given key does not identify an element in this collection value: the collection has no elements.
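The following configuration is an added example written for this page; it is not code from the issue author, the maintainer, or the provider's test suite. It shows the shape a practitioner would use for the scenario in the thread: both the caller (the Cognitive Services account) and the target (the search service) carry a system-assigned identity, and the role assignment grants only the data-plane read role on the search service. Note that the error message in the minimal template says the cognitive account's identity list is empty, so the identity block on the cognitive account below is the part that makes identity[0].principal_id exist at all. The resource names, location and provider constraint are placeholders.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.85" # assumed constraint, matches the version in the thread
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder resource group (assumed name and location, not from the thread).
resource "azurerm_resource_group" "example" {
  name     = "rg-search-identity-example"
  location = "East US"
}

# The caller: a Cognitive Services account that will read the search index.
# Without this identity block the provider returns identity as an empty list,
# and identity[0].principal_id cannot be indexed at plan time.
resource "azurerm_cognitive_account" "example" {
  name                = "example-account"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = "SpeechServices"
  sku_name            = "S0"

  identity {
    type = "SystemAssigned"
  }
}

# The target: the search service, given the system-assigned identity that the
# issue is about enabling on an existing service.
resource "azurerm_search_service" "example" {
  name                = "example-search-identity"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "basic"

  identity {
    type = "SystemAssigned"
  }
}

# Least-privilege data-plane read on the search service only, granted to the
# cognitive account's managed identity rather than to a broad contributor role.
resource "azurerm_role_assignment" "cognitiveaccount_search_reader" {
  scope                = azurerm_search_service.example.id
  role_definition_name = "Search Index Data Reader"
  principal_id         = azurerm_cognitive_account.example.identity[0].principal_id
}
```

If the single-plan apply still fails on an existing deployment, the two-step sequence the maintainer describes can be driven without editing the files: run `terraform apply -target=azurerm_cognitive_account.example -target=azurerm_search_service.example` so the identities are created and their principal IDs land in state, then run a plain `terraform apply` to create the role assignment from the now-known values.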