Race condition with msi.UserAssignedIdentity and role.Assignment #142

Closed
mpp-oliverh opened this issue Nov 8, 2018 · 3 comments

mpp-oliverh commented Nov 8, 2018

If I create a new UserAssignedIdentity then immediately try to assign it a role it complains that the principalId doesn't exist in the directory.

I assume this is a bug / peculiarity with Azure itself because the dependency chain looks fine... is there a way of working around this?

Thanks,

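```ts
import * as azure from "@pulumi/azure";
import { Output } from "@pulumi/pulumi";

// Creates a user-assigned managed identity in the given resource group.
export function createManagedIdentity(
    name: string,
    resourceGroup: azure.core.ResourceGroup,
    location: string | Output<string>
) {
    const azIdentity = new azure.msi.UserAssignedIdentity(
        `msi-${name}`,
        {
            name: `msi-${name}`,
            location: location,
            resourceGroupName: resourceGroup.name
        }
    );
    return {
        identity: azIdentity
    };
}
```

```ts
// resourceGroup, config and keyVault are defined elsewhere in the program.
const name = "app";
const msi = createManagedIdentity(name, resourceGroup, config.location);

// The role assignment depends on the identity through principalId.
new azure.role.Assignment(`${name}-kv-role`, {
    principalId: msi.identity.principalId,
    scope: keyVault.id,
    roleDefinitionName: "Reader"
});
```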
```
2018-11-08T15:36:56.3485999Z  +  azure:msi:UserAssignedIdentity msi-app creating 
2018-11-08T15:36:57.8096273Z  +  azure:msi:UserAssignedIdentity msi-app created 
2018-11-08T15:36:58.0442362Z  +  azure:role:Assignment app-kv-role creating 
2018-11-08T15:37:00.1007517Z  +  azure:role:Assignment app-kv-role creating error: Plan apply failed: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalNotFound" Message="Principal 12bd9f9c9c1541b8a727c892ed19e1f2 does not exist in the directory ***."
2018-11-08T15:37:00.1014845Z  +  azure:role:Assignment app-kv-role **creating failed** error: Plan apply failed: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalNotFound" Message="Principal 12bd9f9c9c1541b8a727c892ed19e1f2 does not exist in the directory ***."
```

mpp-oliverh changed the title from "Strange race condition with new UserAssignedIdentity() and new" to "Race condition with msi.UserAssignedIdentity and role.Assignment" on Nov 8, 2018

@mpp-oliverh
Author

I should add that when I ran pulumi up the second time it worked fine.

@lukehoban
Member

This looks like the same issue as #103, which is itself ultimately https://github.com/terraform-providers/terraform-provider-azurerm/issues/1635 in the upstream Terraform AzureRM provider. As soon as that issue is fixed and merged, we'll bring it into the @pulumi/azure provider.

@lukehoban lukehoban added this to the 0.19 milestone Nov 8, 2018
@lukehoban
Member

Actually - appears this was just fixed a couple days ago - and will be in the next release: hashicorp/terraform-provider-azurerm#2204

@lukehoban lukehoban added the customer/feedback Feedback from customers label Nov 8, 2018
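
An added example, not part of this thread and not Pulumi or Terraform provider code: a retry policy for scripts that call the role assignment API themselves, assuming the `PrincipalNotFound` error is transient, as the successful second `pulumi up` suggests. The names `parseAzureError`, `retryDelayMs` and `createWithRetry` are hypothetical, and `create` stands for whatever call creates the role assignment.

```typescript
// Added example; all function names are hypothetical, not a real library API.
interface AzureError { status: number; code: string; message: string; }

// Extract Status/Code/Message from an autorest-style error string as it
// appears in the log in this issue.
function parseAzureError(text: string): AzureError | null {
  const m = /Status=(\d+) Code="([^"]+)" Message="([^"]*)"/.exec(text);
  return m ? { status: Number(m[1]), code: m[2], message: m[3] } : null;
}

// Delay before the next attempt, or null when the error must not be retried.
// Only 400 PrincipalNotFound is treated as transient; anything else (for
// example a 403) fails immediately so real authorization problems stay visible.
function retryDelayMs(err: AzureError | null, attempt: number,
                      maxAttempts = 6, baseMs = 2000, capMs = 30000): number | null {
  if (!err || err.status !== 400 || err.code !== "PrincipalNotFound") return null;
  if (attempt >= maxAttempts) return null; // bounded: give up after maxAttempts
  return Math.min(capMs, baseMs * Math.pow(2, attempt - 1)); // capped exponential backoff
}

// Run `create` until it succeeds or the policy says stop. `sleep` is injected
// so the loop can be exercised without real waiting.
async function createWithRetry<T>(create: () => Promise<T>,
                                  sleep: (ms: number) => Promise<void>,
                                  maxAttempts = 6): Promise<T> {
  for (let attempt = 1; ; attempt++) {
    try {
      return await create();
    } catch (e) {
      const delay = retryDelayMs(parseAzureError(String(e)), attempt, maxAttempts);
      if (delay === null) throw e; // not transient, or out of attempts
      await sleep(delay);
    }
  }
}

// Error text taken from the log in this issue.
const SAMPLE = 'Service returned an error. Status=400 Code="PrincipalNotFound" ' +
  'Message="Principal 12bd9f9c9c1541b8a727c892ed19e1f2 does not exist in the directory ***."';
```
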