I am trying to assign a user-assigned managed identity to an AAD group. I have the following Terraform code:
resource "azurerm_user_assigned_identity" "myid" {
  name                = "my_identity"
  resource_group_name = azurerm_resource_group.somerg.name
  location            = azurerm_resource_group.somerg.location
}

data "azuread_group" "existinggroup" {
  display_name     = "existing_group"
  security_enabled = true
}

resource "azuread_group_member" "mygrpmember" {
  group_object_id  = data.azuread_group.existinggroup.id
  member_object_id = azurerm_user_assigned_identity.myid.id
}
During the plan operation, I get the following error:
Error: Value must be a valid UUID
When I change myid.id to myid.principal_id in the last line of the above code, I get an error during the apply operation:
Error: Could not retrieve member principal object "4e83cd6b-d984-4484-8fb2-3ae6e1667ef9"
ODataId was nil
When I try with myid.client_id, I get this during apply:
Error: Could not retrieve principal object "838c2662-5fe2-484c-bb52-f70994fa1d8b"
DirectoryObjects.BaseClient.Get(): Get "https://graph.microsoft.com/v1.0/5989ece0-f90e-40bf-9c79-1a7beccdb861/directoryObjects/838c2662-5fe2-484c-bb52-f70994fa1d8b": GET https://graph.microsoft.com/v1.0/5989ece0-f90e-40bf-9c79-1a7beccdb861/directoryObjects/838c2662-5fe2-484c-bb52-f70994fa1d8b giving up after 9 attempt(s)
What am I doing wrong?
CodePudding user response:
It will work if you give myid.principal_id only. Please use the latest versions, i.e. Terraform version v1.1.0, azuread version v2.13.0 and azurerm version v2.89.0.
I tested the same code in my environment like below:
provider "azuread" {}

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "somerg" {
  name = "ansuman-resourcegroup"
}

resource "azurerm_user_assigned_identity" "myid" {
  name                = "ansuman-identity"
  resource_group_name = data.azurerm_resource_group.somerg.name
  location            = data.azurerm_resource_group.somerg.location
}

data "azuread_group" "existinggroup" {
  display_name     = "TestQA"
  security_enabled = true
}

resource "azuread_group_member" "mygrpmember" {
  group_object_id  = data.azuread_group.existinggroup.id
  member_object_id = azurerm_user_assigned_identity.myid.principal_id
}
Output:
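The three attributes the question cycles through are different things: `id` is the ARM resource path (hence "must be a valid UUID"), `client_id` is the application ID the identity authenticates with, and only `principal_id` is the directory object ID that a group membership can reference. The following added check (not part of the answer above, written here for illustration) walks a `terraform show -json` state document and flags `azuread_group_member` resources that point at an identity's ARM id or `client_id` instead of its `principal_id`; it assumes the state has already-known identity attributes (in a plan they are still unknown) and uses a constructed sample state with placeholder IDs.

```python
import json
import re

# Canonical UUID shape; the azuread provider rejects anything else for member_object_id.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def _resources(module):
    """Yield every resource in a `terraform show -json` module tree."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)

def check_group_members(show_json):
    """Return (address, problem) pairs for azuread_group_member resources whose
    member_object_id is not a UUID or is a managed identity's client_id."""
    resources = list(_resources(show_json["values"]["root_module"]))
    identities = {r["address"]: r["values"]
                  for r in resources if r["type"] == "azurerm_user_assigned_identity"}
    problems = []
    for r in resources:
        if r["type"] != "azuread_group_member":
            continue
        member = r["values"].get("member_object_id") or ""
        if not UUID_RE.match(member):
            problems.append((r["address"], "member_object_id is not a UUID (ARM resource id?)"))
            continue
        for addr, ident in identities.items():
            if member == ident.get("client_id") and member != ident.get("principal_id"):
                problems.append((r["address"], f"is the client_id of {addr}; use principal_id"))
    return problems

# Constructed sample state (placeholder IDs, not real Azure objects): one identity and
# three membership resources, each wired to a different attribute of that identity.
SAMPLE_STATE = json.loads("""{
 "values": {"root_module": {"resources": [
  {"address": "azurerm_user_assigned_identity.myid", "type": "azurerm_user_assigned_identity",
   "values": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my_identity",
              "client_id": "11111111-1111-1111-1111-111111111111",
              "principal_id": "22222222-2222-2222-2222-222222222222"}},
  {"address": "azuread_group_member.by_id", "type": "azuread_group_member",
   "values": {"member_object_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my_identity"}},
  {"address": "azuread_group_member.by_client", "type": "azuread_group_member",
   "values": {"member_object_id": "11111111-1111-1111-1111-111111111111"}},
  {"address": "azuread_group_member.by_principal", "type": "azuread_group_member",
   "values": {"member_object_id": "22222222-2222-2222-2222-222222222222"}}
 ]}}}""")

if __name__ == "__main__":
    for address, problem in check_group_members(SAMPLE_STATE):
        print(f"{address}: {problem}")
```

Run against real output with `terraform show -json | python3 check_members.py` after adapting the script to read stdin; a membership that resolves to a client_id fails with the "Could not retrieve principal object" error seen above, so catching it before apply saves a failed run.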