
azuread_app_role_assignment unexpected status 404 with OData

Open ibacalu opened this issue 3 years ago • 11 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • azuread 2.12.0

Affected Resource(s)

  • azuread_application
  • azuread_service_principal
  • azuread_app_role_assignment

Terraform Configuration Files


Debug Output

Terraform will perform the following actions:
  # module.azuread_app_role_assignment["Grafana"].azuread_app_role_assignment.this will be created
  + resource "azuread_app_role_assignment" "this" {
      + app_role_id            = "8dd86c8c-1234-1234-1234-abcb511923cc"
      + id                     = (known after apply)
      + principal_display_name = (known after apply)
      + principal_object_id    = "0e092536-1234-1234-1234-f9681a4fac7d"
      + principal_type         = (known after apply)
      + resource_display_name  = (known after apply)
      + resource_object_id     = "d05d818b-1234-1234-1234-216bd3d0ed80"
    }
Plan: 1 to add, 0 to change, 0 to destroy.

...
╷
│ Error: Could not create app role assignment
│ 
│   with module.azuread_app_role_assignment["Grafana"].azuread_app_role_assignment.this,
│   on ../azuread_app_role_assignment/main.tf line 1, in resource "azuread_app_role_assignment" "this":
│    1: resource "azuread_app_role_assignment" "this" {
│ 
│ AppRoleAssignedToClient.BaseClient.Post(): unexpected status 404 with OData
│ error: Request_ResourceNotFound: Resource
│ 'd05d618b-1234-1234-1234-216bd3d0ed80' does not exist or one of its queried
│ reference-property objects are not present.

Panic Output

Expected Behavior

module.azuread_app_role_assignment["Grafana"].azuread_app_role_assignment.this: Creating...
module.azuread_app_role_assignment["Grafana"].azuread_app_role_assignment.this: Creation complete after 1s [id=d05d818b-1234-1234-1234-216bd3d0ed80/appRoleAssignment/NiUJDhdhzUKfZvloGk-ABCDE]

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

  • This randomly fails when creating the AppRegistration/Enterprise Application in the same run
  • Works perfectly on subsequent apply
  • Is there a way to retry/wait for the azuread_service_principal(Enterprise Application) to be up?

References

ibacalu avatar Dec 13 '21 16:12 ibacalu

Hi @ibacalu, thanks for reporting this! I believe this is an eventual consistency issue with the API, which we might be able to mitigate. Given the scenario I'm pretty sure where this is happening so I don't think I need a debug log at this time.

manicminer avatar Dec 13 '21 17:12 manicminer

Thank you for the fast response @manicminer !

ibacalu avatar Dec 16 '21 11:12 ibacalu

Hi @manicminer,

the error still exists. Is there any progress on this issue?

levmel avatar Feb 01 '22 10:02 levmel

@ibacalu, @levmel I've been looking into this, but it seems we do already have some mitigation for eventual consistency related errors here. If either could try to reproduce this and send a debug log covering the failure, that would be super helpful in narrowing down why this mitigation isn't helping. Thanks!

manicminer avatar Mar 07 '22 22:03 manicminer

Hi everybody, is there any progress here? I have this issue at the moment. Latest azuread-provider. One TF-script, which creates the app and then set the role assignment for the group. The group already exists and is not managed via TF.

resource "azuread_app_role_assignment" "existing_ad_group" {
  app_role_id         = random_uuid.app_role_user_id.result
  principal_object_id = "Existing Group Object ID"
  resource_object_id  = "Enterprise Application Object ID"
}

TF apply:

│ Error: Service principal not found for resource (Object ID: "Enterprise Application Object ID")
│
│   with azuread_app_role_assignment.existing_ad_group,
│   on frontend.tf line 82, in resource "azuread_app_role_assignment" "existing_ad_group":
│   82:   principal_object_id = "Enterprise Application Object ID"
│
│ ServicePrincipalsClient.BaseClient.Get(): unexpected status 404 with OData
│ error: Request_ResourceNotFound: Resource
│ 'Enterprise Application Object ID' does not exist or one of its queried
│ reference-property objects are not present.

cwissmann avatar Apr 04 '22 11:04 cwissmann

@cwissmann Please send a debug log if you can, this will aid in tracking down the source of this error. Thanks!

manicminer avatar Apr 06 '22 00:04 manicminer

@manicminer It's working now. It seems, I used the wrong resource. With azuread_group. the group is found.

cwissmann avatar Apr 07 '22 05:04 cwissmann

I have the same problem with groups created outside of the terraform file:

data "azuread_group" "poc" {
  display_name     = "poc-group" // Already exists outside of terraform
  security_enabled = true
}

resource "azuread_app_role_assignment" "poc" {
  app_role_id         = azuread_service_principal.poc.app_role_ids["admin_poc"] // Seamlessly created in the same file
  resource_object_id  = data.azuread_group.poc.object_id # poc-group security group
  principal_object_id = azuread_service_principal.poc.object_id
}

module.AppRegistration.azuread_app_role_assignment.poc: Creating...
module.AppRegistration.azuread_application.poc: Modifying... [id=4462ea7c-f4ef-4ba1-905a-75dc9299c663]
module.AppRegistration.azuread_application.poc: Modifications complete after 3s [id=4462ea7c-f4ef-4ba1-905a-75dc9299c663]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [10s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [20s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [30s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [40s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [50s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [1m10s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [1m20s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [1m30s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [1m40s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [1m50s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [2m0s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [2m10s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [2m20s elapsed]
module.AppRegistration.azuread_app_role_assignment.poc: Still creating... [2m30s elapsed]
╷
│
│   with module.AppRegistration.azuread_app_role_assignment.poc,
│   on modules\AppRegistration\main.tf line 142, in resource "azuread_app_role_assignment" "poc":
│   142:   principal_object_id = azuread_service_principal.poc.object_id
│
│ ServicePrincipalsClient.BaseClient.Get(): unexpected status 404 with OData
│ error: Request_ResourceNotFound: Resource '32804ce8-646e-4087-a04e-87e126392963' does not exist or one of
│ its queried reference-property objects are not present.
╵

NemesiisV avatar Aug 18 '23 15:08 NemesiisV

@NemesiisV It looks like you might have the principal_object_id and resource_object_id attribute values mixed up there? The group is the principal object and the service principal is the resource object?

manicminer avatar Oct 27 '23 13:10 manicminer

Did someone get this fixed?

AstritCepele avatar Feb 06 '24 16:02 AstritCepele

I was able to make it work, but referring resources differently compared to the documentation:

Fix:

resource "azuread_app_role_assignment" "enterprise_applications" {
  app_role_id         = try(data.azuread_application.app.app_role_ids[local.app_id[0]], "00000000-0000-0000-0000-000000000000") # application role ID of App Registration
  principal_object_id = azuread_group.group.object_id # Group Object ID
  resource_object_id  = data.azuread_service_principal.enterpise.object_id # Enterprise Application (Service Principal) Object ID
}

The issue on my side was referring to the wrong Enterprise Application Object ID. I was using the App registration Object ID.

Though, the error from the provider highlighted (as others have shown) that something is wrong with my Group Object:

│    74:   principal_object_id = azuread_group.group.object_id
│
│ ServicePrincipalsClient.BaseClient.Get(): unexpected status 404 with OData
│ error: Request_ResourceNotFound: Resource 'XXXXX' does not exist or one of its
│ queried reference-property objects are not present.

This is due to this line: https://github.com/hashicorp/terraform-provider-azuread/blob/42c0bd9e5b98620929fabda682aecaf51aee523b/internal/services/approleassignments/app_role_assignment_resource.go#L96

AstritCepele avatar Feb 08 '24 12:02 AstritCepele
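A complete wiring of the three resources this thread keeps tripping over, added here as an illustrative example; it is not code from the issue, from any commenter, or from the provider's own documentation. It shows the two points the replies above converge on: `principal_object_id` is the group (or user or service principal) that receives the role, and `resource_object_id` is the object ID of the enterprise application, i.e. the `azuread_service_principal`, never the `azuread_application` object ID, which is a different directory object and produces the `Request_ResourceNotFound` 404 seen in every report here. The display names `grafana` and `grafana-admins`, the role value `admin`, and the `time_sleep` wait are assumptions; the wait is an optional workaround for the same-run ordering problem the original report describes, not a provider feature.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    random  = { source = "hashicorp/random" }
    time    = { source = "hashicorp/time" }
  }
}

# Stable role ID so the app role keeps its identity across runs.
resource "random_uuid" "grafana_admin_role" {}

# App registration: this is where the app role is defined.
# NOTE: azuread_application.grafana.object_id is NOT a valid resource_object_id
# for the assignment below; that ID belongs to the application object.
resource "azuread_application" "grafana" {
  display_name = "grafana" # assumed name

  app_role {
    allowed_member_types = ["User"]
    description          = "Grafana administrators"
    display_name         = "Admin"
    enabled              = true
    id                   = random_uuid.grafana_admin_role.result
    value                = "admin"
  }
}

# Enterprise application (service principal). Its object_id is what
# resource_object_id must point at.
resource "azuread_service_principal" "grafana" {
  client_id = azuread_application.grafana.client_id # named application_id on older 2.x releases
}

# Existing security group, looked up rather than managed (assumed name).
data "azuread_group" "grafana_admins" {
  display_name     = "grafana-admins"
  security_enabled = true
}

# Optional workaround (assumption, not part of the provider): give directory
# replication a moment when the service principal is created in the same run.
resource "time_sleep" "after_sp" {
  depends_on      = [azuread_service_principal.grafana]
  create_duration = "30s"
}

resource "azuread_app_role_assignment" "grafana_admins" {
  # Role ID keyed by the role's "value", exposed on the service principal.
  app_role_id = azuread_service_principal.grafana.app_role_ids["admin"]

  # WHO gets the role: the group.
  principal_object_id = data.azuread_group.grafana_admins.object_id

  # WHAT defines the role: the enterprise application (service principal),
  # not azuread_application.grafana.object_id.
  resource_object_id = azuread_service_principal.grafana.object_id

  depends_on = [time_sleep.after_sp]
}
```

If an assignment still fails on a hand-supplied ID, the quick check is which object type the ID actually resolves to: `az ad sp show --id <object-id>` succeeds only for a service principal, while `az ad app show --id <object-id>` succeeds for an app registration object. An ID that only answers to the second command is the wrong value for `resource_object_id`.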