Unable to create ARM Service Connection Using a Workload Identity Federation (Automatic) connection #1068

Open
clumsyhands opened this issue Jun 4, 2024 · 0 comments

@clumsyhands

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

TF Version: v1.6.6
Azure DevOps Provider: 1.1.0

Affected Resource(s)

  • azuredevops_serviceendpoint_azurerm

Terraform Configuration Files

terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "1.1.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.65.0"
    }
  }
  backend "azurerm" {
    tenant_id            = "qwe123"
    subscription_id      = "qwe123"
    resource_group_name  = "rg-storage"
    storage_account_name = "storage"
    container_name       = "tfstate"
    key                  = "id-poc.tfstate"
  }
}

provider "azurerm" {
  features {}
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/qwe123/"
  client_id       = "qwe123"
  tenant_id       = "qwe123"
  client_secret   = "qwe123"
}

resource "azuredevops_serviceendpoint_azurerm" "azdo-sc" {
  project_id                             = "qwe123"
  service_endpoint_name                  = "sc-id-poc-00"
  service_endpoint_authentication_scheme = "WorkloadIdentityFederation"
  azurerm_spn_tenantid                   = "qwe123"
  azurerm_subscription_id                = "qwe123"
  azurerm_subscription_name              = "Sandbox"
  resource_group                         = "rg-id-poc"
}

Panic Output

│ Error:  waiting for service endpoint ready. Error looking up service endpoint given ID (ec3a329b-3110-4c04-9664-934fc14c9193) and project ID (6433a9cc-df1b-4f50-bf57-07437f64d9d3): map[severity:<nil> state:Failed statusMessage:TF14045: The identity with type 'Microsoft.VisualStudio.Services.Claims.AadServicePrincipal' could not be found.]

Expected Behavior

It should create the Azure DevOps Service Connection object, and then the Azure Entra Service Connection/App Reg.

Actual Behavior

  • It creates the Azure DevOps Service Connection object.
  • Whilst waiting for creation of the Azure Entra Service Connection/App Reg, after 20 seconds the error above appears.
  • The Azure DevOps Service Connection object exists, but no Azure Entra Service Connection is created.

Steps to Reproduce

  1. Create a Workload Identity Federation (Automatic) service connection
  2. Run TF apply

Important Factoids

  • The Service Connection that Terraform is running with has the following rights:
    • Azure DevOps: Project Collection Administrator.
    • Azure: "Application Developer" role, which allows it to create app registrations.
    • Azure: User Access Admin rights on the subscription that the RG is in, so it can configure access permissions.
  • The Service Connection that Terraform uses is able to create resources via the Azure CLI.

References

  • #0000
@xuzhang3 xuzhang3 added the bug label Jun 14, 2024