User Assigned Identities property keys should only be empty json objects, null or the resource exisiting property

Within the past week, azurerm_kubernetes_cluster started throwing an error with no code changes. We are using User Assigned Identities for our AKS cluster. The code in question and the resulting error are below. Any thoughts on what changed or how to troubleshoot the source of the issue?

# Create User Assigned Identity for the AKS Cluster
resource "azurerm_user_assigned_identity" "aks_id" {
  name                = "aks-${var.suffix}-${var.tags.environment}"
  resource_group_name = data.azurerm_resource_group.aks_rg.name
  location            = data.azurerm_resource_group.aks_rg.location
}

# Assign the "Network Contributor" role on the resource group containing the subnet where the AKS cluster will be deployed
resource "azurerm_role_assignment" "aks_role" {
  scope                = data.azurerm_resource_group.aks_vnet.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks_id.principal_id
}

# Create AKS Cluster
resource "azurerm_kubernetes_cluster" "main" {
  ......
  identity {
    type                      = "UserAssigned"
    user_assigned_identity_id = azurerm_user_assigned_identity.aks_id.id
  }
}

Error: updating Managed Kubernetes Cluster "bokf-4321-dev-eastus-aks-enterprise" (Resource Group "bokf-4321-dev-eastus-rg-enterprise-aks"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidIdentityValues" Message="Invalid value for the identities '/subscriptions/xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxx-4321-dev-eastus-rg-enterprise-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-enterprise-dev'. The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property."
on .terraform/modules/aks/modules/compute/aks/aks_module.tf line 86, in resource "azurerm_kubernetes_cluster" "main":
86: resource "azurerm_kubernetes_cluster" "main" {

I can delete the AKS cluster and recreate it from scratch without error. If I then make no changes to the Terraform code and simply run another apply, I get the same error. The only way to get past this error is to delete the AKS cluster and recreate it any time I run an apply, regardless of any or no changes to the code. Please advise.
