Having issues with Identity Block... when creating Mongo DB

My code is this:

data "azurerm_resource_group" "chads-rg" {
  name = "chads-rg"
}

data "azurerm_user_assigned_identity" "mongo_db" {
  name                = "mongo_db"
  resource_group_name = data.azurerm_resource_group.chads-rg.name
}

output "Assigned_ID" {
  value = data.azurerm_user_assigned_identity.mongo_db.principal_id
}

resource "azurerm_resource_group" "chads-rg" {
  name     = "chads-rg"
  location = "EastUS"
}

/*
resource "random_integer" "ri" {
  min = 10000
  max = 99999
}
*/

resource "azurerm_cosmosdb_account" "db" {
  #name = "tfex-cosmos-db-${random_integer.ri.result}"
  name                = "chads-mongo-db"
  location            = data.azurerm_resource_group.chads-rg.location
  resource_group_name = data.azurerm_resource_group.chads-rg.name
  offer_type          = "Standard"
  kind                = "MongoDB"
  #Following lines added
  network_acl_bypass_for_azure_services = true
  mongo_server_version                  = "4.2"
  #enable_free_tier = false
  #public_network_access_enabled = false

  enable_automatic_failover = true

  capabilities {
    name = "EnableAggregationPipeline"
  }

  capabilities {
    name = "mongoEnableDocLevelTTL"
  }

  capabilities {
    name = "MongoDBv3.4"
  }

  capabilities {
    name = "EnableMongo"
  }

  consistency_policy {
    consistency_level       = "BoundedStaleness"
    max_interval_in_seconds = 300
    max_staleness_prefix    = 100000
  }

  geo_location {
    location          = "eastus"
    failover_priority = 1
  }

  geo_location {
    location          = "westus"
    failover_priority = 0
  }

  #following blocks added
  backup {
    type                = "Periodic"
    interval_in_minutes = 120
    retention_in_hours  = 72
    storage_redundancy  = "Local"
  }

  timeouts {
    create = "60m"
    delete = "60m"
  }

  identity {
    type = "UserAssigned"
    #identity_ids = d9b84fb8-4f2f-4130-8326-33047f3d4ca0
    identity_ids = data.azurerm_user_assigned_identity.mongo_db.principal_id
  }

  default_identity_type = "UserAssignedIdentity=d9b84fb8-4f2f-4130-8326-33047f3d4ca0"
  key_vault_key_id      = "https://chads-keyvault.vault.azure.net/keys/cosmos-mongo-db/" #<-- Key Vault URI
}

It throws the following error. I cannot seem to get the identity_ids in the identity block formatted correctly. What's missing?

The identity_ids argument expects a list of strings, however you’ve provided a single string instead. Try changing it to:

identity_ids = [ data.azurerm_user_assigned_identity.mongo_db.principal_id ]

Thanks for the reply. Agreed, and I attempted what you mentioned and got the following. How do you use only one value when it expects more than one?

│ Error: parsing "d9b84fb8-4f2f-4130-8326-33047f3d4ca0": expected 8 segments within the Resource ID but got 1 for "d9b84fb8-4f2f-4130-8326-33047f3d4ca0"

│ with azurerm_cosmosdb_account.db,
│ on cosmos-mongo_account.tf line 92, in resource "azurerm_cosmosdb_account" "db":
│ 92: identity_ids = [ data.azurerm_user_assigned_identity.mongo_db.principal_id ]

So I changed it to this:
identity_ids = [ data.azurerm_user_assigned_identity.mongo_db.id ]

But now I get this error:

│ Error: creating Database Account: (Name "chads-mongo-db" / Resource Group "chads-rg"): waiting for the CosmosDB Account "chads-mongo-db" (Resource Group "chads-rg") to finish creating/updating: Code="BadRequest" Message="Database account creation failed. Operation Id: 2555e898-fb00-405e-8c91-0917cc2b5259, Error : CustomerManagedKeyHelper-GetDefaultMsiProperties: global db account chads-mongo-db doesn't have UserAssigned identity which resourceId=d9b84fb8-4f2f-4130-8326-33047f3d4ca0.\r\nActivityId: 1e75791d-7e2d-459a-a770-4662a02c78db, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0, Microsoft.Azure.Documents.Common/2.14.0"

│ with azurerm_cosmosdb_account.db,
│ on cosmos-mongo_account.tf line 27, in resource "azurerm_cosmosdb_account" "db":
│ 27: resource "azurerm_cosmosdb_account" "db" {

It's almost as if the identity block is failing to apply, and then when it attempts to use the "Default Identity", which is set to this ID, it's throwing this error? That's an educated guess on my part.

Found my error... should have been using the resource ID in the "default ID section". Also the format should be like this: default_identity_type = "UserAssignedIdentity=/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/chads-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mongo_db_account"

Note the Xs were put in place to obscure my subscription id.
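The fix the thread arrives at, as an added example (not the poster's configuration): both identity_ids and default_identity_type take the managed identity's full ARM resource ID, so derive both from the data source's id attribute rather than hard-coding it, and let a plan-time precondition reject a bare GUID (the principal_id mistake above). It assumes the data sources from the thread, Terraform 1.2 or later for the precondition, and an assumed Key Vault key URI.

```hcl
locals {
  # ARM resource ID of the user-assigned identity (the data source's "id",
  # not its "principal_id"); identity_ids and default_identity_type both
  # expect this 8-segment value.
  mongo_identity_id = data.azurerm_user_assigned_identity.mongo_db.id
}

resource "azurerm_cosmosdb_account" "db" {
  name                 = "chads-mongo-db"
  location             = data.azurerm_resource_group.chads-rg.location
  resource_group_name  = data.azurerm_resource_group.chads-rg.name
  offer_type           = "Standard"
  kind                 = "MongoDB"
  mongo_server_version = "4.2"

  capabilities {
    name = "EnableMongo"
  }

  consistency_policy {
    consistency_level       = "BoundedStaleness"
    max_interval_in_seconds = 300
    max_staleness_prefix    = 100000
  }

  geo_location {
    location          = data.azurerm_resource_group.chads-rg.location
    failover_priority = 0
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [local.mongo_identity_id] # always a list, even for one identity
  }

  # The default identity must be one of the identities assigned above,
  # written as "UserAssignedIdentity=<resource ID>".
  default_identity_type = "UserAssignedIdentity=${local.mongo_identity_id}"
  key_vault_key_id      = "https://chads-keyvault.vault.azure.net/keys/cosmos-mongo-db" # assumed key URI

  lifecycle {
    # Fail at plan time if the value is a bare GUID (principal or client ID)
    # instead of the resource ID the provider parses into 8 segments.
    precondition {
      condition     = can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[^/]+$", local.mongo_identity_id))
      error_message = "mongo_identity_id must be the user-assigned identity's full resource ID, not its principal_id."
    }
  }
}
```

Because the same local feeds both arguments, the "doesn't have UserAssigned identity which resourceId=..." mismatch from the second error cannot recur.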