azure rover caf terraform landing zone errors

Gomis, Cheikh 25 Reputation points
2023-05-09T00:23:42.9266667+00:00

Hello, with the current versions of the caf framework for landing zones with terraform

https://github.com/Azure/caf-terraform-landingzones-platform-starter

https://github.com/Azure/caf-terraform-landingzones.git

I am getting 2 errors. Could you help?


landingzones git:(a8a12df) >....                                                                                                 
  -tfstate_subscription_id xxxxx-xxx-xxx-xxxxxxx \
  -target_subscription xxxxx-xxx-xxx-xxxxxxx \
  -tfstate caf_launchpad.tfstate \
  -launchpad \
  -env contosocon \
  -level level0 \
  -p ${TF_DATA_DIR}/caf_launchpad.tfstate.tfplan \
  -a plan

  /$$$$$$   /$$$$$$  /$$$$$$$$       /$$$$$$$
 /$$__  $$ /$$__  $$| $$_____/      | $$__  $$
| $$  \__/| $$  \ $$| $$            | $$  \ $$  /$$$$$$  /$$    /$$/$$$$$$   /$$$$$$
| $$      | $$$$$$$$| $$$$$         | $$$$$$$/ /$$__  $$|  $$  /$$/$$__  $$ /$$__  $$
| $$      | $$__  $$| $$__/         | $$__  $$| $$  \ $$ \  $$/$$/ $$$$$$$$| $$  \__/
| $$    $$| $$  | $$| $$            | $$  \ $$| $$  | $$  \  $$$/| $$_____/| $$
|  $$$$$$/| $$  | $$| $$            | $$  | $$|  $$$$$$/   \  $/ |  $$$$$$$| $$
 \______/ |__/  |__/|__/            |__/  |__/ \______/     \_/   \_______/|__/


              version: aztfmod/rover:1.2.5-2208.0208

@calling verify_azure_session
Checking existing Azure session
@calling process_target_subscription
Set subscription to -target_subscription xxxxx-xxx-xxx-xxxxxxx
caf_command launchpad
target_subscription_id xxxxx-xxx-xxx-xxxxxxx
TF_VAR_tfstate_subscription_id xxxxx-xxx-xxx-xxxxxxx
Resources from this landing zone are going to be deployed in the following subscription:
{
  "environmentName": "AzureCloud",
  "homeTenantId": "yyyyyy-yyy-yy-yyy-yyyyyyyyy",
  "id": "xxxxx-xxx-xxx-xxxxxxx",
  "isDefault": true,
  "managedByTenants": [],
  "name": "Pay-As-You-Go",
  "state": "Enabled",
  "tenantId": "yyyyyy-yyy-yy-yyy-yyyyyyyyy",
  "user": {
    "name": "******@gmail.com",
    "type": "user"
  }
}
debug: xxxxx-xxx-xxx-xxxxxxx
Tfstates subscription set to xxxxx-xxx-xxx-xxxxxxx (Pay-As-You-Go)


mode                          : 'launchpad'
terraform command output file : ''
terraform plan output file    : '/home/vscode/.terraform.cache/caf_launchpad.tfstate.tfplan'
directory cache               : '/home/vscode/.terraform.cache/contosocon'
tf_action                     : 'plan'
command and parameters        : '-var-file /tf/caf/configuration/level0/launchpad/azuread_api_permissions.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_applications.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_group_members.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_groups.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_roles.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_service_principals.tfvars -var-file /tf/caf/configuration/level0/launchpad/dynamic_keyvault_secrets.tfvars -var-file /tf/caf/configuration/level0/launchpad/global_settings.tfvars -var-file /tf/caf/configuration/level0/launchpad/keyvault_access_policies.tfvars -var-file /tf/caf/configuration/level0/launchpad/keyvaults.tfvars -var-file /tf/caf/configuration/level0/launchpad/landingzone.tfvars -var-file /tf/caf/configuration/level0/launchpad/resource_groups.tfvars -var-file /tf/caf/configuration/level0/launchpad/role_mapping.tfvars -var-file /tf/caf/configuration/level0/launchpad/storage_accounts.tfvars'

level (current)               : 'level0'
environment                   : 'contosocon'
workspace                     : 'tfstate'
terraform backend type        : 'azurerm'
backend_type_hybrid           : 'true'
tfstate                       : 'caf_launchpad.tfstate'
tfstate subscription id       : 'xxxxx-xxx-xxx-xxxxxxx'
target subscription           : 'Pay-As-You-Go'
CI/CD enabled                 : 'false'
Symphony Yaml file path       : ''
Run all tasks                 : 'true'
TF_IN_AUTOMATION              : 'true'

@calling process_actions
@calling verify_parameters
landingzone                   : '/tf/caf/landingzones/caf_launchpad'
@deploy for gitops_terraform_backend_type set to 'azurerm'
@calling deploy_azurerm
@calling get_storage_id
@calling_get_logged_user_object_id
 - AZURE_ENVIRONMENT: AzureCloud
 - ARM_ENVIRONMENT: public
Initalizing az cloud variables
 - logged in user objectId: f86d92f3-3831-4894-b71b-da835b07942c (cloudone100_gmail.com#EXT#@cloudone100gmail.onmicrosoft.com)
Initializing state with user: cloudone100_gmail.com#EXT#@cloudone100gmail.onmicrosoft.com
No launchpad found.
Deploying from scratch the launchpad
@calling initialize_state
Checking required permissions
@checking if current user (object_id: f86d92f3-3831-4894-b71b-da835b07942c) is Owner of the subscription - only for launchpad
User is Owner of the subscription
Installing launchpad from /tf/caf/landingzones/caf_launchpad
Terraform version 0.15 or greater
Upgrading modules...
Downloading registry.terraform.io/aztfmod/caf/azurerm 5.5.5 for dynamic_keyvault_secrets...
Downloading registry.terraform.io/aztfmod/caf/azurerm 5.5.5 for launchpad...
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/time...
- Finding latest version of hashicorp/local...
- Finding aztfmod/azurecaf versions matching "~> 1.2.0"...
- Finding hashicorp/null versions matching "~> 3.1.0"...
- Finding hashicorp/azurerm versions matching "~> 2.88.1"...
- Finding hashicorp/azuread versions matching "~> 1.4.0"...
- Finding hashicorp/external versions matching "~> 2.2.0"...
- Finding hashicorp/tls versions matching "~> 3.1.0"...
- Finding hashicorp/random versions matching "~> 3.1.0"...
- Installing hashicorp/azuread v1.4.0...
- Installing hashicorp/external v2.2.3...
- Installing hashicorp/random v3.1.3...
- Installing hashicorp/azurerm v2.88.1...
- Installing hashicorp/tls v3.1.0...
- Installing hashicorp/time v0.9.1...
- Installing hashicorp/local v2.4.0...
- Installing aztfmod/azurecaf v1.2.25...
- Installing hashicorp/null v3.1.1...
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
Line 112 - Terraform init return code 0
calling plan
@calling plan
running terraform plan with -var-file /tf/caf/configuration/level0/launchpad/azuread_api_permissions.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_applications.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_group_members.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_groups.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_roles.tfvars -var-file /tf/caf/configuration/level0/launchpad/azuread_service_principals.tfvars -var-file /tf/caf/configuration/level0/launchpad/dynamic_keyvault_secrets.tfvars -var-file /tf/caf/configuration/level0/launchpad/global_settings.tfvars -var-file /tf/caf/configuration/level0/launchpad/keyvault_access_policies.tfvars -var-file /tf/caf/configuration/level0/launchpad/keyvaults.tfvars -var-file /tf/caf/configuration/level0/launchpad/landingzone.tfvars -var-file /tf/caf/configuration/level0/launchpad/resource_groups.tfvars -var-file /tf/caf/configuration/level0/launchpad/role_mapping.tfvars -var-file /tf/caf/configuration/level0/launchpad/storage_accounts.tfvars
 -TF_VAR_workspace: tfstate
 -state: /home/vscode/.terraform.cache/contosocon/tfstates/level0/tfstate/caf_launchpad.tfstate
 -plan:  /home/vscode/.terraform.cache/contosocon/tfstates/level0/tfstate/caf_launchpad.tfplan
/tf/caf/landingzones/caf_launchpad
Running Terraforn plan...
@calling terraform_plan -- azurerm
module.launchpad.module.azuread_groups_membership["caf_platform_maintainers"].data.azuread_user.upn["cloudone100_gmail.com#EXT#@cloudone100gmail.onmicrosoft.com"]: Reading...
module.launchpad.module.azuread_groups_membership["caf_platform_maintainers"].data.azuread_user.upn["cloudone100_gmail.com#EXT#@cloudone100gmail.onmicrosoft.com"]: Read complete after 2s [id=f86d92f3-3831-4894-b71b-da835b07942c]
module.launchpad.data.azurerm_client_config.current: Reading...
module.launchpad.data.azurerm_subscription.primary: Reading...
module.launchpad.data.azurerm_client_config.current: Read complete after 0s [id=2023-05-08 21:01:00.503276323 +0000 UTC]
module.launchpad.data.azurerm_management_group.level["root"]: Reading...
module.launchpad.data.azurerm_subscription.primary: Read complete after 1s [id=/subscriptions/xxxxx-xxx-xxx-xxxxxxx]
module.launchpad.data.azurerm_management_group.level["root"]: Read complete after 1s [id=/providers/Microsoft.Management/managementGroups/yyyyyy-yyy-yy-yyy-yyyyyyyyy]
data.azurerm_client_config.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2023-05-08 21:01:05.349971919 +0000 UTC]
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/azuread/groups/group.tf line 6, in resource "azuread_group" "group":
│    6:   owners = coalescelist(
│    7:     try(tolist(var.azuread_groups.owners), []),
│    8:     [
│    9:       var.client_config.object_id
│   10:     ]
│   11:   )
│     ├────────────────
│     │ var.azuread_groups.owners is tuple with 1 element
│     │ var.client_config.object_id is "f86d92f3-3831-4894-b71b-da835b07942c"
│ 
│ Inappropriate value for attribute "owners": incorrect set element type: string required.
╵
╷
│ Error: expected "object_id" to be a valid UUID, got 
│ 
│   with module.launchpad.module.keyvaults["level0"].module.initial_policy[0].module.object_id["bootstrap_user"].azurerm_key_vault_access_policy.policy,
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/security/keyvault_access_policies/access_policy/access_policy.tf line 5, in resource "azurerm_key_vault_access_policy" "policy":
│    5:   object_id               = var.object_id
│ 
╵
╷
│ Error: expected "object_id" to be a valid UUID, got 
│ 
│   with module.launchpad.module.keyvaults["level2"].module.initial_policy[0].module.object_id["bootstrap_user"].azurerm_key_vault_access_policy.policy,
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/security/keyvault_access_policies/access_policy/access_policy.tf line 5, in resource "azurerm_key_vault_access_policy" "policy":
│    5:   object_id               = var.object_id
│ 
╵
╷
│ Error: expected "object_id" to be a valid UUID, got 
│ 
│   with module.launchpad.module.keyvaults["level1"].module.initial_policy[0].module.object_id["bootstrap_user"].azurerm_key_vault_access_policy.policy,
│   on /home/vscode/.terraform.cache/contosocon/modules/launchpad/modules/security/keyvault_access_policies/access_policy/access_policy.tf line 5, in resource "azurerm_key_vault_access_policy" "policy":
│    5:   object_id               = var.object_id
│ 
╵
Terraform plan return code: 1
Error on or near line 386: Error running terraform plan; exiting with status 1

@calling clean_up_variables
cleanup variables
clean_up backend_files
➜  landingzones git:(a8a12df) 

Accepted answer
  1. JimmySalian-2011 42,511 Reputation points
    2023-05-09T07:48:30.8866667+00:00

    Hi,

    I think Terraform is not supported in Q&A Forums, please can you raise this in Stack Overflow or Terraform forums?


2 additional answers

  1. Qaiser Ali Bangash 0 Reputation points
    2023-05-18T08:00:00.5766667+00:00

    Hi,

    I'm getting the same error. Any updates on this?

    /Qaiser


  2. Rafael Fernández Domínguez 0 Reputation points
    2023-06-30T18:48:56.64+00:00

    For level 0 launchpad:

    • Review the configuration of your keyvaults.tfvars, bootstrap_user section
    • Review owners in azuread_groups.tfvars

    Whenever I search for this problem I come across this entry, so I share the solution.

    Good luck!
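
As an added example (not part of the answers above and not code from the CAF project), here is a pre-flight check that scans tfvars text for the two conditions the plan output reports: an `object_id` that is not a valid UUID and an `owners` element that is not a string. The tfvars nesting and sample values are constructed assumptions; only the names `object_id`, `owners`, `bootstrap_user`, `level0` and `caf_platform_maintainers` come from the log.

```python
import re

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Line-leading `object_id = ...` and flat `owners = [ ... ]` assignments in tfvars text.
OBJECT_ID_RE = re.compile(r'^[ \t]*object_id[ \t]*=[ \t]*(?:"([^"\n]*)"|([^\s#]*))', re.M)
OWNERS_RE = re.compile(r"^[ \t]*owners[ \t]*=[ \t]*\[(.*?)\]", re.M | re.S)
STRING_RE = re.compile(r'"[^"\n]+"')

# Constructed samples; the nesting is an assumed layout, not the starter's real files.
SAMPLE_KEYVAULTS = """\
keyvaults = {
  level0 = {
    bootstrap_user = {
      object_id = ""
    }
  }
}
"""
SAMPLE_GROUPS = """\
azuread_groups = {
  caf_platform_maintainers = {
    # owners = ["00000000-0000-0000-0000-000000000001"]
    owners = [null]
  }
}
"""


def strip_comments(text):
    """Blank /* */ blocks and full-line # or // comments; line numbers stay stable."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), text, flags=re.S)
    return re.sub(r"^[ \t]*(#|//).*$", "", text, flags=re.M)


def check_tfvars(name, text):
    """Return (file, line, message) for each value Terraform would reject."""
    text, findings = strip_comments(text), []
    for m in OBJECT_ID_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        if m.group(1) is None:  # bare token such as null, or nothing after "="
            findings.append((name, line, f"object_id is not a string literal: {m.group(2) or '<empty>'}"))
        elif not UUID_RE.fullmatch(m.group(1)):
            findings.append((name, line, f"object_id is not a valid UUID: {m.group(1)!r}"))
    for m in OWNERS_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for item in (i.strip() for i in m.group(1).split(",")):
            if item and not STRING_RE.fullmatch(item):
                findings.append((name, line, f"owners element is not a non-empty string: {item}"))
    return findings


if __name__ == "__main__":
    for f in check_tfvars("keyvaults.tfvars", SAMPLE_KEYVAULTS) + check_tfvars("azuread_groups.tfvars", SAMPLE_GROUPS):
        print("%s:%d: %s" % f)
```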
