
azuredevops_serviceendpoint_azurecr failing to destroy

Open bwesolowskicf opened this issue 6 months ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform v1.9.0 microsoft/azuredevops v1.2.0

Affected Resource(s)

  • azuredevops_serviceendpoint_azurecr

Terraform Configuration Files

resource "azurerm_user_assigned_identity" "devops_acr" {
  location            = data.azurerm_resource_group.identity.location
  name                = "identity-shared-devops-acr-${var.app_short_name}"
  resource_group_name = data.azurerm_resource_group.identity.name
}

resource "azuredevops_serviceendpoint_azurecr" "acr" {
  project_id                             = local.azuredevops_project.id
  service_endpoint_name                  = "DOCKER-ACR-${var.app_short_name}"
  resource_group                         = "RG"
  service_endpoint_authentication_scheme = "WorkloadIdentityFederation"
  azurecr_spn_tenantid                   = "TENANT_ID"
  azurecr_name                           = "ACRNAME"
  azurecr_subscription_id                = "SUB_ID"
  azurecr_subscription_name              = "SUB_NAME"
  credentials {
    serviceprincipalid = azurerm_user_assigned_identity.devops_acr.client_id
  }
}

resource "azurerm_federated_identity_credential" "acr_identity_credential" {
  depends_on          = [azuredevops_serviceendpoint_azurecr.acr]
  name                = "acr_identity_credential_${var.app_short_name}"
  resource_group_name = azurerm_user_assigned_identity.devops_acr.resource_group_name
  parent_id           = azurerm_user_assigned_identity.devops_acr.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azuredevops_serviceendpoint_azurecr.acr.workload_identity_federation_issuer
  subject             = azuredevops_serviceendpoint_azurecr.acr.workload_identity_federation_subject
}

Debug Output

Panic Output

Expected Behavior

We have yaml files for team-specific configuration and we create resources such as an Azure DevOps project per such yaml file. In our QA pipeline we have tests for creating new resources and (since we had some issues with terraform destroy in the past) we achieve that by deploying all resources, running some tests, and then deleting the yaml file and running terraform apply. That way all "Temp" resources are deleted and on the next run we can recreate them again.

What we expect here is for the service endpoint to be deleted.

Actual Behavior

We get an error.

Error:  Delete service endpoint error Cannot delete manually created Workload Identity Federation Docker Registry service connection while related App Registration <ID OF THE CREATED IDENTITY> exists in Azure under tenant <OUR AZURE TENANT ID>.

Steps to Reproduce

  1. Put the above code as a module and invoke the module in main.tf
  2. terraform apply
  3. Remove the module invocation from main.tf
  4. terraform apply - this will try to remove all resources and fail on the service connection

Important Factoids

References

  • #0000

bwesolowskicf  Aug 15 '24 11:08
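An added example (not from the issue or the provider) that models Terraform's destroy ordering for the three resources in the configuration above, to show why step 4 deletes the service endpoint while the identity it references still exists. The dependency edges are taken from the attribute references and the depends_on in that configuration; the ordering rule (dependents are destroyed before the resources they reference) is standard Terraform behaviour, and the resource addresses are the ones in the issue.

```python
# Added example, not code from the issue: reconstructs Terraform's destroy order
# for the issue's three resources from their references, to show that the
# service endpoint is deleted while the identity it points at still exists.
from collections import deque

# Edges derived from the configuration in the issue (resource -> what it references).
DEPENDS_ON = {
    "azurerm_user_assigned_identity.devops_acr": set(),
    "azuredevops_serviceendpoint_azurecr.acr": {
        # credentials.serviceprincipalid = azurerm_user_assigned_identity.devops_acr.client_id
        "azurerm_user_assigned_identity.devops_acr",
    },
    "azurerm_federated_identity_credential.acr_identity_credential": {
        "azuredevops_serviceendpoint_azurecr.acr",      # depends_on, issuer, subject
        "azurerm_user_assigned_identity.devops_acr",    # resource_group_name, parent_id
    },
}


def create_order(deps):
    """Kahn's algorithm: a resource is created only after everything it references."""
    remaining = {r: set(d) for r, d in deps.items()}
    order = []
    ready = deque(sorted(r for r, d in remaining.items() if not d))
    while ready:
        r = ready.popleft()
        order.append(r)
        for other, d in remaining.items():
            if r in d:
                d.discard(r)
                if not d and other not in order and other not in ready:
                    ready.append(other)
    if len(order) != len(deps):
        raise ValueError("dependency cycle in configuration")
    return order


def destroy_order(deps):
    """Terraform destroys in reverse creation order: dependents go first."""
    return list(reversed(create_order(deps)))


def still_present_when_destroyed(deps, resource):
    """Resources that still exist at the moment `resource` is being destroyed."""
    order = destroy_order(deps)
    return order[order.index(resource) + 1:]


if __name__ == "__main__":
    endpoint = "azuredevops_serviceendpoint_azurecr.acr"
    for step, r in enumerate(destroy_order(DEPENDS_ON), 1):
        print(f"{step}. destroy {r}")
    print("still present when the endpoint is deleted:",
          still_present_when_destroyed(DEPENDS_ON, endpoint))
```

The identity is the only resource left when the endpoint's delete call is made, which is the state the "related App Registration ... exists" error in the issue describes.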