Using azurerm_kusto_database_principal to add 'App' as user to database fails in provider

[patrickbsf]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.20

• provider.azuread v0.7.0
• provider.azurerm v1.43.0
• provider.null v2.1.2
• provider.random v2.2.1

Affected Resource(s)

• azurerm_kusto_database_principal

Terraform Configuration Files

If it matters, the 'real' code pulls the values from module outputs, but for simplicity I'm showing synthetic variable names.

resource "azurerm_kusto_database_principal" "sp_rights" {
  resource_group_name = var.resource_group_name
  cluster_name        = var.cluster.name
  database_name       = var.database.name

  role      = "User"
  type      = "App"
  client_id = var.service_principal_tenant_id
  object_id = var.service_principal_id
}

Debug Output

azurerm_kusto_database_principal.sp_rights: Creating...

Error: Provider produced inconsistent result after apply

When applying changes to azurerm_kusto_database_principal.sp_rights, provider
"registry.terraform.io/-/azurerm" produced an unexpected new value for was
present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Expected Behavior

I'm trying to add a service principal 'app' as a user to a Kusto database.

Actual Behavior

The permission actually gets applied, but the provider fails reading back the state, and the state never gets updated.
Re-running apply will try to apply the permission again, and always fail the same way.

Steps to Reproduce

1. terraform apply

See #4414

[neil-yechenwei]

@patrickbsf , it seems that I can add app as user to azurerm_kusto_database_principal successfully. Please see below my tf config. Is there anything I missed?

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
name = "acctestRG-kusto-neil"
location = "westus"
}

resource "azurerm_kusto_cluster" "cluster" {
name = "acctestkcneil"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name

sku {
name = "Dev(No SLA)_Standard_D11_v2"
capacity = 1
}
}

resource "azurerm_kusto_database" "test" {
name = "acctestkd-neil"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
cluster_name = azurerm_kusto_cluster.cluster.name
}

resource "azurerm_kusto_database_principal" "test" {
resource_group_name = azurerm_resource_group.rg.name
cluster_name = azurerm_kusto_cluster.cluster.name
database_name = azurerm_kusto_database.test.name

role = "User"
type = "App"
client_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.client_id
}

[patrickbsf]

Interesting - once I switched the object_id to the 'right' id (I was using the 'id' of the service principal, not the application-id) then it stopped failing in the provider. It seems like it should handle this better but it's working now at least.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!