Can't update service principal client secret #3375

Closed
guitmz opened this issue May 3, 2019 · 3 comments · Fixed by #4469

guitmz commented May 3, 2019

Terraform (and AzureRM Provider) Version

terraform v0.11.7
azurerm 1.25.0

Affected Resource(s)

azurerm_kubernetes_cluster

Terraform Configuration Files

resource "azurerm_kubernetes_cluster" "main" {
...
  service_principal {
    client_id     = "my-client-id"
    client_secret = "my-client-secret"
  }
...
}

Expected Behavior

Client secret should be changed. I imagine terraform should do something equivalent to this: https://docs.microsoft.com/en-us/azure/aks/update-credentials#update-aks-cluster-with-new-credentials

By the way, following the steps in the link above and changing the service principal secret using the CLI works fine.

Actual Behavior

Terraform tries to change the service principal secret

  ~ azurerm_kubernetes_cluster.main
      service_principal.#:                        "1" => "1"
      service_principal.2995281661.client_id:     "client-id-here" => "client-id-here"
      service_principal.2995281661.client_secret: <sensitive> => <sensitive> (attribute changed)

And fails with:

* azurerm_kubernetes_cluster.main: Error creating/updating Managed Kubernetes Cluster "myCluster" (Resource Group "myResourceGroup"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="LinkedInvalidPropertyId" Message="Property id '' at path 'properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID' is invalid. Expect fully qualified resource Id that start with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'."

Steps to Reproduce

  1. Create cluster with terraform
  2. Go to Azure Portal, change your service principal client secret
  3. Run terraform plan and try to apply it.

I have mentioned this in my other issue here #2993 and also in AKS GitHub issue #3239 where the author got the same error performing a different operation.

landro commented Jul 3, 2019

I don't believe the error you're seeing @guitmz is related to the actual issue.
Currently both service_principal's client_id and client_secret have ForceNew set to True since previously AKS didn't allow for updating the SP - however now one can (see below), and the azurerm provider should be updated to support this as well.

https://github.com/terraform-providers/terraform-provider-azurerm/blob/63baf1a89eeb8305756713c3e3437d1f09fbac46/vendor/github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2019-02-01/containerservice/managedclusters.go#L983
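A pre-apply guard for secret rotation, given here as an added example that is not part of the thread or of the provider's code: it reads Terraform 0.11 text plan output and reports whether a `client_secret` change on an `azurerm_kubernetes_cluster` would be applied in place or would replace the cluster, which is what a `ForceNew` attribute causes. The function name is hypothetical, the first sample is the plan excerpt quoted in the issue, and the second sample is constructed.

```python
import re

HEADER = re.compile(r"^\s*(-/\+|[~+-])\s+(\S+)")  # action symbol + resource address
ATTR = re.compile(r"^\s+(\S+):\s+(.*)$")          # "name: old => new (note)"
NOTE = re.compile(r"\(([^()]*)\)\s*$")            # trailing "(...)" annotation

def classify_secret_changes(plan_text, resource_type="azurerm_kubernetes_cluster"):
    """Map resource address -> "replace" or "in-place" for every planned
    service_principal client_secret change on resources of resource_type."""
    result, addr, action = {}, None, None
    for line in plan_text.splitlines():
        header = HEADER.match(line)
        if header:
            action, addr = header.groups()
            continue
        attr = ATTR.match(line)
        # Also matches module-qualified addresses (module.x.<type>.<name>).
        if not attr or addr is None or f".{resource_type}." not in f".{addr}":
            continue
        name, rest = attr.groups()
        if not (name.startswith("service_principal.") and name.endswith(".client_secret")):
            continue
        note = NOTE.search(rest)
        # Replacement shows up as the "-/+" action or a "forces new resource" note.
        forced = action == "-/+" or (note and note.group(1) == "forces new resource")
        result[addr] = "replace" if forced else "in-place"
    return result

# Plan excerpt quoted in the issue above (values are already masked by Terraform).
PLAN_FROM_ISSUE = """\
  ~ azurerm_kubernetes_cluster.main
      service_principal.#:                        "1" => "1"
      service_principal.2995281661.client_id:     "client-id-here" => "client-id-here"
      service_principal.2995281661.client_secret: <sensitive> => <sensitive> (attribute changed)
"""

# Constructed sample: the same change when the attribute forces a new resource.
PLAN_FORCING_REPLACEMENT = """\
-/+ azurerm_kubernetes_cluster.main (new resource required)
      id:                                         "constructed-id" => <computed> (forces new resource)
      service_principal.2995281661.client_secret: <sensitive> => <sensitive> (forces new resource)
"""

if __name__ == "__main__":
    for plan in (PLAN_FROM_ISSUE, PLAN_FORCING_REPLACEMENT):
        print(classify_secret_changes(plan))
```

A rotation pipeline can refuse to apply when any address maps to `"replace"`, so a routine credential change never destroys a running cluster.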

ghost commented Oct 4, 2019

This has been released in version 1.35.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.35.0"
}
# ... other configuration ...

ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

ghost locked and limited conversation to collaborators Mar 29, 2020