"tenant_id" or "object_id" is an invalid UUUID: uuid: UUID string too short: 1 #2103

Closed
willgarcia opened this issue Oct 17, 2018 · 5 comments

@willgarcia

willgarcia commented Oct 17, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

TF: 0.11.7
AzureProvider: 1.15

Affected Resource(s)

  • azurerm_key_vault
  • azurerm_key_vault_access_policy

Terraform Configuration Files

resource "azurerm_key_vault_access_policy" "myapp" {
  vault_name          = "${azurerm_key_vault.myapp.name}"
  resource_group_name = "${azurerm_key_vault.myapp.resource_group_name}"
  tenant_id           = "${azurerm_app_service_slot.myapp.identity.0.tenant_id}"
  object_id           = "${azurerm_app_service_slot.myapp.identity.0.principal_id}"

  secret_permissions      = ["get", "list"]
  certificate_permissions = ["get"]
  key_permissions = [
    "create",
    "decrypt",
    "encrypt",
...
}

Expected Behavior

The tenant ID or object ID is retrieved from the App service resource.

Actual Behavior

2018-10-17T13:45:37.3307282Z * azurerm_key_vault_access_policy.myapp: "tenant_id" is an invalid UUUID: uuid: UUID string too short: 1
2018-10-17T13:45:37.3307947Z * azurerm_key_vault_access_policy.myapp: "object_id" is an invalid UUUID: uuid: UUID string too short: 1
2018-10-17T13:45:37.3309053Z 

This issue is not systematically reproduced.
When this issue happens, it seems to affect all Azure Key vault/Key vault access policies being applied and part of the same terraform plan.

Adding Terraform dependencies (depends_on) on the azurerm_app_service_slot does not seem to help.

This issue does not seem related to #1667 or #1288.

As mentioned previously, the current setup seems to work intermittently. I'll try to get TF logs when this occurs.

@bojingo

bojingo commented Apr 4, 2019

I notice this is tagged "service/keyvault", however I can add that this does not seem to be limited to usage of the App Service identity by KeyVault.

I get the same error with this code:

resource "azurerm_sql_active_directory_administrator" "application_database_admin" {
  server_name         = "${azurerm_sql_server.database_server.name}"
  resource_group_name = "${var.rg_name}"
  login               = "applicationadmin"
  tenant_id           = "${azurerm_app_service.application.identity.0.tenant_id}"
  object_id           = "${azurerm_app_service.application.identity.0.principal_id}"
}

Results in:

Error: Error running plan: 2 error(s) occurred:

* azurerm_sql_active_directory_administrator.application_database_admin: "tenant_id" is an invalid UUUID: uuid: UUID string too short: 1
* azurerm_sql_active_directory_administrator.application_database_admin: "object_id" is an invalid UUUID: uuid: UUID string too short: 1

(NOTE: I'm not sure I am going about setting up the SQL Database access from my App Service as described here https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi correctly with that bit of code, but this is certainly not an error I would have expected.)

This seems to indicate a broader problem than anything specific to "service/keyvault".

Original poster indicates that it is intermittent, but it happens consistently for me. I haven't been able to generate a successful plan after over 10 attempts.

@bojingo

bojingo commented Apr 4, 2019

Regarding my comment above, I am using Terraform 0.11.11 and AzureRM provider version 1.22.0.

@bojingo

bojingo commented Apr 5, 2019

I have more to add with respect to my issue described above.

Here's the config in question....

resource "azurerm_app_service" "application" {
  name     = "${var.application_name}"
  location = "${var.location}"
  resource_group_name = "${var.rg_name}"
  app_service_plan_id = "${azurerm_app_service_plan.hosting_plan.id}"
  https_only = true
  
  identity = {
    type = "SystemAssigned"
  }

  site_config = {
    always_on = "${var.application_always_on}"
    use_32_bit_worker_process = "${var.hosting_plan_tier == "Free" ? true : false}"
  }

  app_settings = {
    APPINSIGHTS_INSTRUMENTATIONKEY = "${azurerm_application_insights.website_app_insights.instrumentation_key}"
    "SendGrid:ToEmail" = "${var.admin_email_address}"
    "SendGrid:ToName" = "${var.admin_email_address_name}"
  }

  connection_string {
    name = "ApplicationDatabase"
    type = "SQLServer"
    value = "Server=tcp:${azurerm_sql_server.database_server.name}.database.windows.net,1433;Database=${azurerm_sql_database.application_database.name};User Id=${var.database_server_administrator_username};Password=${var.database_server_administrator_password}"
  }
}

#####################################################
# Config above HAS to apply before the config below #
#####################################################

resource "azurerm_sql_active_directory_administrator" "application_database_admin" {
  server_name         = "${azurerm_sql_server.database_server.name}"
  resource_group_name = "${var.rg_name}"
  login               = "applicationadmin"
  tenant_id           = "${azurerm_app_service.application.identity.0.tenant_id}"
  object_id           = "${azurerm_app_service.application.identity.0.principal_id}"
}

I have to successfully apply the first resource to Azure before I apply the second resource, otherwise I get the error indicated by this issue. I do this by commenting out the second resource when I plan/apply the first time. Then I un-comment the second resource and plan/apply again and everything succeeds. This indicates that there is no way to create a new clean environment with just a single Terraform config template that achieves what I want.

Clearly azurerm_app_service.application.identity.0.tenant_id and azurerm_app_service.application.identity.0.principal_id are not able to extract these values upon resource creation but are able to extract these values if the resource already existed.

Please fix! My workaround is really not tenable and I'm loath to break this up into a series of Terraform config layers with a more complex staged deployment.

P.S. I am trying to avoid putting the credentials in the connection string of the app service (Server=tcp:${azurerm_sql_server.database_server.name}.database.windows.net,1433;Database=${azurerm_sql_database.application_database.name};User Id=${var.database_server_administrator_username};Password=${var.database_server_administrator_password}), and instead let the application authenticate with the database via the SystemAssigned managed service identity.

@tombuildsstuff
Contributor

hey @willgarcia @bojingo

Thanks for opening this issue - apologies for the delayed response here!

Taking a look into this, I believe the underlying issue here is a graph bug in Terraform Core that existed prior to 0.12; as such I believe updating to Terraform 0.12 should fix this - would you be able to take a look and see if upgrading works for you?

Since I believe that upgrading to Terraform 0.12 should fix this issue I'm going to close this issue for the moment however if you're still having issues please let us know and we'll take another look.

Thanks!
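The following is an added example and is not code from the issue reporters or from the AzureRM provider project. It rewrites the two-resource pattern from bojingo's comment (App Service with a system-assigned identity, then a SQL Active Directory administrator that references that identity) and the Key Vault access policy from the original report in Terraform 0.12 syntax, which the maintainer's reply points to: the attribute references become `identity[0].principal_id` / `identity[0].tenant_id` without `"${...}"` wrappers, and the direct references are what give Terraform the dependency edge so the values are resolved at apply time rather than validated as a placeholder string during plan. It assumes that `azurerm_app_service_plan.hosting_plan`, `azurerm_sql_server.database_server`, `azurerm_sql_database.application_database` and `azurerm_key_vault.myapp` are declared elsewhere in the same configuration, that the variable names are illustrative, and that the provider's attribute names match those used on this page (`vault_name` / `resource_group_name` on the access policy). The connection string deliberately carries no `User Id` or `Password`; the application obtains a token for the SQL server through its managed identity at runtime, which is the credential-free setup bojingo is aiming for.

```hcl
# Added example (not from the issue or the provider). Terraform 0.12 syntax.
# Assumed to exist elsewhere in this configuration:
#   azurerm_app_service_plan.hosting_plan, azurerm_sql_server.database_server,
#   azurerm_sql_database.application_database, azurerm_key_vault.myapp
# var.* names are illustrative.

resource "azurerm_app_service" "application" {
  name                = var.application_name
  location            = var.location
  resource_group_name = var.rg_name
  app_service_plan_id = azurerm_app_service_plan.hosting_plan.id
  https_only          = true

  # System-assigned identity: Azure creates the service principal when the
  # app is created, so principal_id and tenant_id are only known after
  # apply. Referencing them from other resources must therefore be deferred
  # to apply time, which is what the 0.11 graph bug got wrong.
  identity {
    type = "SystemAssigned"
  }

  connection_string {
    name = "ApplicationDatabase"
    type = "SQLServer"
    # No User Id / Password: the app authenticates to SQL with a token
    # obtained through its managed identity, so no database credential is
    # stored in app settings or written into Terraform state here.
    value = "Server=tcp:${azurerm_sql_server.database_server.name}.database.windows.net,1433;Database=${azurerm_sql_database.application_database.name};"
  }
}

# Direct references to the identity attributes (no depends_on needed): this
# creates the dependency edge and the values are resolved once the App
# Service exists, in a single plan/apply.
resource "azurerm_sql_active_directory_administrator" "application_database_admin" {
  server_name         = azurerm_sql_server.database_server.name
  resource_group_name = var.rg_name
  login               = "applicationadmin"
  tenant_id           = azurerm_app_service.application.identity[0].tenant_id
  object_id           = azurerm_app_service.application.identity[0].principal_id
}

# Same pattern for the Key Vault access policy from the original report,
# granting only the secret permission the app needs rather than a broad set.
resource "azurerm_key_vault_access_policy" "myapp" {
  vault_name          = azurerm_key_vault.myapp.name
  resource_group_name = azurerm_key_vault.myapp.resource_group_name
  tenant_id           = azurerm_app_service.application.identity[0].tenant_id
  object_id           = azurerm_app_service.application.identity[0].principal_id

  secret_permissions = ["get"]
}
```

One least-privilege check worth making on this pattern: `azurerm_sql_active_directory_administrator` sets the Azure AD administrator of the whole SQL server, which has full control over it. If the app only needs to read and write one database, the tighter arrangement is to keep a person or group as the AD administrator and create a contained database user for the app's managed identity with only the database roles it requires; the dependency handling shown above is the same either way, since the identity's `principal_id` is still the value being consumed.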

@ghost

ghost commented Oct 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Oct 2, 2019