mongodb/terraform-provider-mongodbatlas

[Bug]: error updating MongoDB Network Peering Connection - 400 (request "INVALID_ATTRIBUTE") Invalid attribute azureDirectoryId specified

milesbarnard opened this issue · 7 comments

Is there an existing issue for this?

  • I have searched the existing issues

Provider Version

v1.16.0

Terraform Version

v1.8.3

Terraform Edition

Terraform Open Source (OSS)

Current Behavior

When attempting to create a networking peering with Azure using Terraform I get the error:

│ Error: error updating MongoDB Network Peering Connection (<>): PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/<>/peers/<>: 400 (request "INVALID_ATTRIBUTE") Invalid attribute azureDirectoryId specified.

Terraform configuration to reproduce the issue

resource "mongodbatlas_network_peering" "peering" {
  project_id    = local.project_id
  container_id  = mongodbatlas_network_container.container.container_id
  provider_name = "AZURE"
  azure_directory_id    = local.azure_directory_id
  azure_subscription_id = local.azure_subscription_id
  resource_group_name   = local.azure_resources_group_name
  vnet_name             = local.azure_vnet_name
  depends_on            = [mongodbatlas_network_container.container]
}

Steps To Reproduce

Using Terraform v1.8.3, mongodbatlas provider version v1.16.0 apply the above configuration

Logs

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Thanks for opening this issue! Please make sure you've followed our guidelines when opening the issue. In short, to help us reproduce the issue we need:

  • Terraform configuration file used to reproduce the issue
  • Terraform log files from the run where the issue occurred
  • Terraform Atlas provider version used to reproduce the issue
  • Terraform version used to reproduce the issue
  • Confirmation if Terraform OSS, Terraform Cloud, or Terraform Enterprise deployment

The ticket CLOUDP-249269 was created for internal tracking.

Hi @milesbarnard, it looks like you are passing an invalid Azure directory_id.
May I ask what help is needed here?

A few things I suggest:

  • have a look at our official API documentation
  • try to use the Atlas CLI to get an immediate response about what value works
  • Please, if you are still unable to figure out what the right value is, I'd need to ask you to send us more information, such as the full .tf script (without any sensitive information), and to execute the tf apply with DEBUG logs (without sensitive information) and send them to us so that we can better help you.

Hi @marcosuma - this code worked previously, with the only change being I'm moving the peering to a different VNET. I tried it with the CLI command and it worked.

Code: Please note I have tried adding the subscription id and directory id directly also

locals {
  project_id = ""

  # needed for Azure Only
  azure_directory_id         = data.azurerm_client_config.current.tenant_id
  azure_subscription_id      = data.azurerm_client_config.current.subscription_id
  azure_resources_group_name = "rg-base-${local.environment}-${local.region}-${local.instance_number}"
  azure_vnet_name            = "vnet-${local.name}-${local.environment}-${local.region}-${local.instance_number}"
}

resource "azurerm_role_definition" "atlas_peering_role" {
  name        = "AtlasPeering/${local.azure_subscription_id}/${local.azure_resources_group_name}/${local.azure_vnet_name}"
  scope       = "/subscriptions/${local.azure_subscription_id}"
  description = "Grants MongoDB access to manage peering connections on network /${local.azure_subscription_id}/resourceGroups/${local.azure_resources_group_name}/providers/Microsoft.Network/virtualNetworks/${local.azure_vnet_name}"

  permissions {
    actions = [
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
      "Microsoft.Network/virtualNetworks/peer/action"
    ]
    not_actions = []
  }

  assignable_scopes = [
    "/subscriptions/${local.azure_subscription_id}"
  ]

  provider = azurerm.connectivity
}

data "azurerm_client_config" "current" {}

resource "azurerm_role_assignment" "atlas_peering_role" {
  scope                            = "/subscriptions/${local.azure_subscription_id}"
  role_definition_name             = azurerm_role_definition.atlas_peering_role.name
  principal_id                     = ""
  skip_service_principal_aad_check = true
  depends_on                       = [azurerm_role_definition.atlas_peering_role]
  provider                         = azurerm.connectivity
}

data "azurerm_key_vault_secret" "mongodb-pubkey" {
  name         = "mongodb-pubkey"
  key_vault_id = module.key_vault.key_vault_id
}

data "azurerm_key_vault_secret" "mongodb-privkey" {
  name         = "mongodb-privkey"
  key_vault_id = module.key_vault.key_vault_id
}

# Configure the MongoDB Atlas Provider
provider "mongodbatlas" {
  public_key  = data.azurerm_key_vault_secret.mongodb-pubkey.value
  private_key = data.azurerm_key_vault_secret.mongodb-privkey.value
}

# Ensure you have created the required Azure service principal first,
# see https://docs.atlas.mongodb.com/security-vpc-peering/

# Container example provided but not always required,
# see network_container documentation for details.
resource "mongodbatlas_network_container" "container" {
  project_id       = local.project_id
  atlas_cidr_block = ""
  provider_name    = "AZURE"
  region           = "UK_SOUTH"
  depends_on       = [azurerm_role_assignment.atlas_peering_role]
}

# Create the peering connection request
resource "mongodbatlas_network_peering" "peering" {
  project_id            = local.project_id
  container_id          = mongodbatlas_network_container.container.container_id
  provider_name         = "AZURE"
  azure_directory_id    = local.azure_directory_id
  azure_subscription_id = local.azure_subscription_id
  resource_group_name   = local.azure_resources_group_name
  vnet_name             = local.azure_vnet_name
  depends_on            = [mongodbatlas_network_container.container]
}

# Create the cluster once the peering connection is completed
resource "mongodbatlas_cluster" "data-explorer" {
  project_id = local.project_id
  name       = "cluster-${local.name}-${local.environment}-${local.region}-${local.instance_number}"

  cluster_type = "REPLICASET"
  replication_specs {
    num_shards = 1
    regions_config {
      region_name     = "UK_SOUTH"
      electable_nodes = 3
      priority        = 7
      read_only_nodes = 0
    }
  }

  auto_scaling_disk_gb_enabled = true
  mongo_db_major_version       = "6.0"

  # Provider Settings "block"
  provider_name               = "AZURE"
  provider_disk_type_name     = "P4"
  provider_instance_size_name = "M10"

  depends_on = [mongodbatlas_network_peering.peering]
}

The debug section is enormous and doesn't seem to contain anything more useful than this at first glance:
│ Error: error updating MongoDB Network Peering Connection (): PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups//peers/: 400 (request "INVALID_ATTRIBUTE") Invalid attribute azureDirectoryId specified.

│ with mongodbatlas_network_peering.peering,
│ on mongodb.tf line 78, in resource "mongodbatlas_network_peering" "peering":
│ 78: resource "mongodbatlas_network_peering" "peering" {

Hi @milesbarnard,
Thanks for the details provided.

I have been able to reproduce your issue and found the root cause. The issue happens because the PATCH endpoint to update a peering connection (both in v1 and v2) has all the attributes as required, as if it were the POST operation used to create it. The Terraform provider is only populating the attributes which have changed, so the final request fails because it's missing the other attributes.

I will work on a fix and will let you know once the fix is available.

Thanks again,
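The root cause described in the comment above (an update endpoint that validates every attribute as required, while the client sends only the attributes that changed) can be shown with a small Go program. This is an added illustration written for this page, not code from the provider or from the Atlas SDK: the AzurePeering struct, its JSON names, the requiredAzureAttrs list, the simulated validator and the sample IDs are all constructed for the example. It contrasts a changed-only PATCH body, which the simulated endpoint rejects, with a body built by overlaying the plan on prior state, which carries the unchanged attributes too.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AzurePeering holds the Azure peering attributes set in the issue's Terraform resource.
// The type and its JSON names are assumptions for this example, not the provider's own.
type AzurePeering struct {
	ContainerID         string `json:"containerId,omitempty"`
	ProviderName        string `json:"providerName,omitempty"`
	AzureDirectoryID    string `json:"azureDirectoryId,omitempty"`
	AzureSubscriptionID string `json:"azureSubscriptionId,omitempty"`
	ResourceGroupName   string `json:"resourceGroupName,omitempty"`
	VNetName            string `json:"vnetName,omitempty"`
}

// requiredAzureAttrs is a constructed list of attributes the simulated PATCH endpoint
// demands on every update, mirroring the create-like validation the issue describes.
// azureDirectoryId is checked first so the simulated rejection reads like the report's.
var requiredAzureAttrs = []string{
	"azureDirectoryId", "azureSubscriptionId", "resourceGroupName",
	"vnetName", "containerId", "providerName",
}

// toMap flattens a request into JSON key/value pairs; omitempty drops unset attributes.
func toMap(r AzurePeering) map[string]string {
	b, _ := json.Marshal(r)
	m := map[string]string{}
	_ = json.Unmarshal(b, &m)
	return m
}

// buildChangedOnlyPatch models the faulty behaviour: the body carries only attributes
// whose planned value differs from the prior state.
func buildChangedOnlyPatch(prior, plan AzurePeering) map[string]string {
	pm, nm := toMap(prior), toMap(plan)
	body := map[string]string{}
	for k, v := range nm {
		if pm[k] != v {
			body[k] = v
		}
	}
	return body
}

// buildFullPatch models the corrected behaviour: start from the prior state and overlay
// every planned value, so unchanged attributes still reach an endpoint that requires them.
func buildFullPatch(prior, plan AzurePeering) map[string]string {
	body := toMap(prior)
	for k, v := range toMap(plan) {
		body[k] = v
	}
	return body
}

// missingRequired lists the required attributes absent from the body, in check order.
func missingRequired(body map[string]string) []string {
	var missing []string
	for _, k := range requiredAzureAttrs {
		if body[k] == "" {
			missing = append(missing, k)
		}
	}
	return missing
}

// validatePatchBody simulates the server-side check with a 400-style message that names
// the first missing attribute, in the shape the Atlas API used in the issue.
func validatePatchBody(body map[string]string) error {
	if missing := missingRequired(body); len(missing) > 0 {
		return fmt.Errorf("400 (request \"INVALID_ATTRIBUTE\") Invalid attribute %s specified", missing[0])
	}
	return nil
}

// sampleStates returns constructed prior state and plan for a peering being moved to a
// different VNet, which is the change the reporter made. All IDs are placeholders.
func sampleStates() (prior, plan AzurePeering) {
	prior = AzurePeering{
		ContainerID:         "CONTAINER_ID_PLACEHOLDER",
		ProviderName:        "AZURE",
		AzureDirectoryID:    "11111111-2222-3333-4444-555555555555",
		AzureSubscriptionID: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
		ResourceGroupName:   "rg-base-prod-uksouth-001",
		VNetName:            "vnet-app-prod-uksouth-001",
	}
	plan = prior
	plan.VNetName = "vnet-app-prod-uksouth-002"
	return prior, plan
}

func main() {
	prior, plan := sampleStates()
	changed := buildChangedOnlyPatch(prior, plan)
	full := buildFullPatch(prior, plan)
	fmt.Println("changed-only body:", changed, "->", validatePatchBody(changed))
	fmt.Println("full body:", full, "->", validatePatchBody(full))
}
```

Running it prints the one-attribute body being rejected with an INVALID_ATTRIBUTE message that names azureDirectoryId, and the merged body passing. The general point for any client of a PATCH endpoint is to check the API's contract rather than assume partial-update semantics: when an update is validated like a create, the request must be built from prior state plus the plan, not from the diff alone.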

Hi @milesbarnard,
Fix has been merged and will be included in the next release.
Thanks again for opening the issue.

@oarbusi thanks so much for the speedy fix!

Hi @milesbarnard, v1.16.1 has been released with the fix.