
Azure Data Factory Managed identity not available in first run sometime #431

Closed
ashikansal opened this issue May 5, 2021 · 4 comments

Comments

@ashikansal

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v0.14.8
provider.azuread v1.4.0
provider.azurerm v2.56.0

Affected Resource(s)

  • azuread_group_member
  • azurerm_data_factory

Terraform Configuration Files

```hcl
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.56.0"
    }
  }
  backend "azurerm" {}
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = false
      recover_soft_deleted_key_vaults = true
    }
  }
}

provider "azuread" {}

locals {
  common_tags = {
    environment              = var.environment_identifier
    location                 = var.location
    owner                    = var.owner
    resource-dri             = var.directly_responsible_individual
    data-product-entity-name = var.dp_name
  }
}

resource "azurerm_data_factory" "dp_adf" {
  name                = var.datafactory_name
  location            = var.location
  resource_group_name = var.adf_rg_name

  tags = local.common_tags

  identity {
    type = "SystemAssigned"
  }
}

resource "azuread_group_member" "shir_group_member" {
  group_object_id  = var.adf_shared_self_hosted_ir_link_ad_group_id
  member_object_id = azurerm_data_factory.dp_adf.identity[0].principal_id
}

resource "azuread_group_member" "list_access_group_member" {
  group_object_id  = var.list_access_ad_group
  member_object_id = azurerm_data_factory.dp_adf.identity[0].principal_id
}
```

Debug Output

Panic Output

Error: Adding group member
on main.tf line 43, in resource "azuread_group_member" "shir_group_member":
43: resource "azuread_group_member" "shir_group_member" {
adding group member "0f2f3a05-20b4-45c3-bc2c-94ad60161801" to Group with ID
"3209d52b-707c-4456-bdec-fa9318140cee": graphrbac.GroupsClient#AddMember:
Failure responding to request: StatusCode=404 -- Original Error:
autorest/azure: Service returned an error. Status=404 Code="Unknown"
Message="Unknown service error"
Details=[{"odata.error":{"code":"Request_ResourceNotFound","date":"2021-04-29T15:27:04","message":{"lang":"en","value":"Resource
'0f2f3a05-20b4-45c3-bc2c-94ad60161801' does not exist or one of its queried
reference-property objects are not
present."},"requestId":"b8761e0a-8e72-4ebd-bbfe-88d2855febe6"}}]

Expected Behavior

The Azure Data Factory managed identity should get added to the AD group on the first run every time.

Actual Behavior

The Azure Data Factory managed identity sometimes does not get added to the AD group on the first run, as the managed identity takes time to be created properly; on the second run it succeeds, as the identity is available by then.

Steps to Reproduce

  1. `terraform apply`
    This issue does not always occur, but when it does, it happens on the first run.

Important Factoids

References

@manicminer
Contributor

Hi @ashikansal, thanks for reporting this. I believe this is an API consistency issue which, although we can potentially work around it, would require brute force and would only be a best effort. However, such a workaround will be negated soon as we migrate to the newer Microsoft Graph API where these types of inconsistencies are much rarer. As we are getting close to releasing this newer API support, I'm not sure we'll be able to work on this specifically right now, but it will likely be resolved anyway in the next release.

@ashikansal
Author

ashikansal commented May 18, 2021

Thanks @manicminer for your reply.
Also, I tried using the "azuread_service_principal" data source for fetching the managed identity, and it always returns an error on a new deployment.

```
Error: Service Principal with object ID "f32c7367-c166-49b9-804c-ec39b647cbc0" was not found
│
│   with data.azuread_service_principal.adf_msi,
│   on main.tf line 20, in data "azuread_service_principal" "adf_msi":
│   20: object_id = azurerm_data_factory.adftest.identity[0].principal_id
```

Code:

```hcl
resource "azurerm_data_factory" "adftest" {
  name                = "adf1805"
  location            = "Eastus"
  resource_group_name = "ash1805"

  identity {
    type = "SystemAssigned"
  }
}

data "azuread_service_principal" "adf_msi" {
  object_id = azurerm_data_factory.adftest.identity[0].principal_id
}

resource "azuread_group_member" "adf_msi" {
  group_object_id  = "f725c855-52ab-459d-b725-a62844a8f8ba"
  member_object_id = data.azuread_service_principal.adf_msi.object_id
}
```

Am I doing something wrong here? On re-run, it works as the MSI is already created by that time.
Also, if I put an explicit delay of 20s or more between the resource "azurerm_data_factory" and the data source "azuread_service_principal", then this error goes away.
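One way to express the explicit delay described above inside Terraform itself, as an added example that is not code from the issue or the providers (it assumes the hashicorp/time provider for `time_sleep`, and uses the same placeholder variable names as the issue's configuration):

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
    time    = { source = "hashicorp/time" } # supplies the time_sleep resource
  }
}

resource "azurerm_data_factory" "dp_adf" {
  name                = var.datafactory_name # placeholder variables, as in the issue
  location            = var.location
  resource_group_name = var.adf_rg_name

  identity {
    type = "SystemAssigned"
  }
}

# Give the directory time to replicate the newly created system-assigned
# identity before anything references it. The sleep runs only when this
# resource is first created, so later applies are not slowed down.
resource "time_sleep" "wait_for_adf_identity" {
  depends_on      = [azurerm_data_factory.dp_adf]
  create_duration = "30s"
}

resource "azuread_group_member" "shir_group_member" {
  group_object_id  = var.adf_shared_self_hosted_ir_link_ad_group_id
  member_object_id = azurerm_data_factory.dp_adf.identity[0].principal_id

  # Explicit ordering: the membership is attempted only after the delay,
  # rather than as soon as the data factory resource returns.
  depends_on = [time_sleep.wait_for_adf_identity]
}
```

The delay is best effort only: it trades apply time for a lower chance of hitting the replication lag and does not guarantee the identity is visible, so a failed first apply should still be treated as retryable rather than as a configuration error.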

@manicminer
Contributor

@ashikansal You aren't doing anything wrong in your configuration. This is unfortunately likely to be the same API consistency issue. The Azure Active Directory Graph API that is currently used by the AzureAD provider generally exhibits a delay in read and write operations, which is why the artificial delay you introduced tends to sidestep the issue. Whilst we have added workarounds in places where it's most needed, we don't have a blanket read retry mechanism in place - if we were to add this it would more significantly affect the apply time of a Terraform apply run, with no guarantees of mitigation in all cases. Additionally, due to the ongoing API transition to Microsoft Graph (where these consistency issues are much reduced or eliminated), we're currently in an effective change freeze excepting any major bugs that might come up.

I believe you'll see this issue go away in the next release if you enable the upcoming beta support for Microsoft Graph; please keep an eye on the releases over the next few days and look out for updated provider documentation once the release lands.

@manicminer manicminer added this to the v2.0.0 milestone Jul 21, 2021
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 21, 2021