How to add Azure User Assigned Managed Identity to Azure AD group in Terraform?

Time:12-17

I am trying to assign a User Assigned Managed Identity to an AAD group. I have the following Terraform code:

resource "azurerm_user_assigned_identity" "myid" {
  name                = "my_identity"
  resource_group_name = azurerm_resource_group.somerg.name
  location            = azurerm_resource_group.somerg.location
}

data "azuread_group" "existinggroup" {
  display_name     = "existing_group"
  security_enabled = true
}

resource "azuread_group_member" "mygrpmember" {
  group_object_id  = data.azuread_group.existinggroup.id
  # .id is the ARM resource path of the identity, not a directory object ID
  member_object_id = azurerm_user_assigned_identity.myid.id
}

During the plan operation, I get the following error:

Error: Value must be a valid UUID

When I change myid.id to myid.principal_id in the last line of the above code, I get an error during the apply operation:

Error: Could not retrieve member principal object "4e83cd6b-d984-4484-8fb2-3ae6e1667ef9"
ODataId was nil

When I try with myid.client_id I get this during apply:

Error: Could not retrieve principal object "838c2662-5fe2-484c-bb52-f70994fa1d8b"
DirectoryObjects.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/5989ece0-f90e-40bf-9c79-1a7beccdb861/directoryObjects/838c2662-5fe2-484c-bb52-f70994fa1d8b": GET https://graph.microsoft.com/v1.0/5989ece0-f90e-40bf-9c79-1a7beccdb861/directoryObjects/838c2662-5fe2-484c-bb52-f70994fa1d8b giving up after 9 attempt(s)

What am I doing wrong?

CodePudding user response:

It will work if you give myid.principal_id only. Please use the latest versions, i.e. Terraform v1.1.0, azuread v2.13.0 and azurerm v2.89.0.

I tested the same code in my environment like below:

provider "azuread"{}

provider "azurerm"{
  features {}
}
data "azurerm_resource_group" "somerg"{
  name = "ansuman-resourcegroup"
}
resource "azurerm_user_assigned_identity" "myid" {
  name                = "ansuman-identity"
  resource_group_name = data.azurerm_resource_group.somerg.name
  location            = data.azurerm_resource_group.somerg.location
}

data "azuread_group" "existinggroup" {
  display_name     = "TestQA"
  security_enabled = true
}

resource "azuread_group_member" "mygrpmember" {
  group_object_id  = data.azuread_group.existinggroup.id
  # principal_id is the Azure AD object ID of the identity's service principal
  member_object_id = azurerm_user_assigned_identity.myid.principal_id
}

Output: (screenshots of the successful plan and apply)
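The three attributes confused in the question are different things: `id` is the ARM resource path, `client_id` is the application ID used for authentication, and only `principal_id` is the directory object ID that group membership expects. The following added check (not part of the question or answer) reads a `terraform show -json` state document and reports which attribute each `azuread_group_member` actually references, so a wrong wiring is caught in review; the state below is a constructed sample with made-up names and UUIDs.

```python
import json
import uuid

# Constructed sample of `terraform show -json` output, trimmed to the fields
# this check reads; every name and UUID here is made up for the example.
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [
    {"address": "azurerm_user_assigned_identity.myid",
     "type": "azurerm_user_assigned_identity",
     "values": {
         "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
               "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my_identity",
         "principal_id": "11111111-1111-4111-8111-111111111111",
         "client_id": "22222222-2222-4222-8222-222222222222"}},
    {"address": "azuread_group_member.good",
     "type": "azuread_group_member",
     "values": {"group_object_id": "33333333-3333-4333-8333-333333333333",
                "member_object_id": "11111111-1111-4111-8111-111111111111"}},
    {"address": "azuread_group_member.bad",
     "type": "azuread_group_member",
     "values": {"group_object_id": "33333333-3333-4333-8333-333333333333",
                "member_object_id": "22222222-2222-4222-8222-222222222222"}},
]}}})


def is_uuid(value):
    """True if value parses as a UUID, the only form Azure AD accepts for an object ID."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_group_members(state_json):
    """Map each azuread_group_member address to the identity attribute its
    member_object_id matches: 'principal_id' (correct), 'client_id' or 'id'
    (the two mistakes from the question), 'not_a_uuid' if it cannot be an
    object ID at all, or 'not_an_identity' if it matches no identity."""
    resources = json.loads(state_json)["values"]["root_module"]["resources"]
    identities = [r["values"] for r in resources
                  if r["type"] == "azurerm_user_assigned_identity"]
    verdicts = {}
    for r in resources:
        if r["type"] != "azuread_group_member":
            continue
        member = r["values"]["member_object_id"]
        verdict = "not_a_uuid" if not is_uuid(member) else "not_an_identity"
        for ident in identities:
            for attr in ("principal_id", "client_id", "id"):
                if ident.get(attr) == member:
                    verdict = attr
        verdicts[r["address"]] = verdict
    return verdicts
```

Run it against a real `terraform show -json > state.json` and treat anything other than `principal_id` as a finding.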
