Attempting to create Managed System Identity for a VM using Terraform. It's erroring out with Status=404 Code="MissingSubscription"

Attempting to create Managed System Identity for a VM. Here is the code snippet:

###############################################################################
# Create Managed System Identity for VMs
###############################################################################

data "azurerm_subscription" "primary" {}

data "azurerm_builtin_role_definition" "contributor" {
  name = "Contributor"
}

resource "azurerm_role_assignment" "contributor" {
  name               = "[${element(azurerm_virtual_machine.consul.*.id, count.index + 1)}]"
  scope              = "${var.subscription_id}"
  #scope             = "${data.azurerm_subscription.primary.id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${var.subscription_id}${data.azurerm_builtin_role_definition.contributor.id}"
}

Running terraform apply yields the following error:

Error:

Error: Error applying plan:

1 error(s) occurred:

* azurerm_role_assignment.contributor: 1 error(s) occurred:

* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="MissingSubscription" Message="The request did not have a subscription or a valid tenant level resource provider."

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

I tried to follow the example described here: https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html, but if I change my scope back to scope = "${data.azurerm_subscription.primary.id}", it errors out with:

* azurerm_role_assignment.contributor: 1 error(s) occurred:

* azurerm_role_assignment.contributor: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=405 -- Original Error: autorest/azure: Service returned an error. Status=405 Code="" Message="The requested resource does not support http method 'PUT'."

1 Answer

Multiple issues here:

  1. The name field of the resource azurerm_role_assignment must be a GUID; in your code it has square brackets around it.
  2. The role_definition_id must be a single expression evaluation, e.g. only ${data.azurerm_builtin_role_definition.contributor.id}

The correct way to create this example would be:

###############################################################################
# Create Managed System Identity for VMs
###############################################################################

data "azurerm_subscription" "primary" {}

data "azurerm_builtin_role_definition" "contributor" {
  name = "Contributor"
}

resource "azurerm_role_assignment" "contributor" {
  name               = "00000000-0000-0000-0000-000000000000"
  scope              = "${data.azurerm_subscription.primary.id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${data.azurerm_builtin_role_definition.contributor.id}"
}

Assuming the tenant_object_id variable is indeed an existing Service Principal id in your primary subscription.
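As an added example (not part of the question or the answer), here is a small pre-apply check in Python that flags the two defects the answer names, plus a third check that is my assumption from the 404 message: scope given as the bare subscription GUID in var.subscription_id rather than the subscription resource ID. The two sample blocks are constructed from the question and the answer above; the regex-based HCL parsing only handles flat key = "value" attributes.

```python
import re
import uuid

# Constructed sample: the role assignment block as posted in the question.
QUESTION_BLOCK = '''
resource "azurerm_role_assignment" "contributor" {
  name               = "[${element(azurerm_virtual_machine.consul.*.id, count.index + 1)}]"
  scope              = "${var.subscription_id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${var.subscription_id}${data.azurerm_builtin_role_definition.contributor.id}"
}
'''

# Constructed sample: the corrected block from the answer.
FIXED_BLOCK = '''
resource "azurerm_role_assignment" "contributor" {
  name               = "00000000-0000-0000-0000-000000000000"
  scope              = "${data.azurerm_subscription.primary.id}"
  principal_id       = "${var.tenant_object_id}"
  role_definition_id = "${data.azurerm_builtin_role_definition.contributor.id}"
}
'''

ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', re.MULTILINE)   # key = "value"
INTERP_RE = re.compile(r'\$\{[^}]*\}')                               # exactly one ${...}
SCOPE_OK_RE = re.compile(r'/subscriptions/.*|\$\{[\w.*]+\.id\}')     # ARM path or a .id reference

def parse_attrs(block):
    """Return {attribute: raw quoted value} for one flat HCL block."""
    return {m.group(1): m.group(2) for m in ATTR_RE.finditer(block)}

def check_role_assignment(block):
    """Return findings (empty list = clean) for one azurerm_role_assignment block."""
    attrs = parse_attrs(block)
    findings = []
    # Point 1 from the answer: name must be a literal GUID (no brackets, no expression).
    try:
        uuid.UUID(attrs.get("name", ""))
    except ValueError:
        findings.append("name is not a GUID")
    # Point 2 from the answer: role_definition_id must be exactly one ${...} expression.
    rdi = attrs.get("role_definition_id", "")
    if INTERP_RE.fullmatch(rdi) is None:
        findings.append("role_definition_id is not a single expression")
    # Assumed check: scope must be a resource ID (/subscriptions/<guid>), not a bare GUID.
    if SCOPE_OK_RE.fullmatch(attrs.get("scope", "")) is None:
        findings.append("scope is not a resource ID")
    return findings
```

Running check_role_assignment over the question's block returns all three findings, while the answer's block returns an empty list.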