Terraform fails to find the service principal associated with Azure Batch if a Batch Account hasn't been created yet under the given Azure tenant. Unfortunately, I need that SPN before Batch gets created in order to grant the AzBatch Contributor role on subscription level (required when the UserSubscription model is being used).
Do you know if there's any way to force AAD to register enterprise application for Azure Batch first?
Here's the part of my terraform that fails on a pristine tenant but works on one where AzBatch has been provisioned already:
data "azurerm_client_config" "current" {}
data "azuread_client_config" "current" {}
data "azuread_application_published_app_ids" "well_known" {}

# following data source will fail on a pristine tenant
data "azuread_service_principal" "batch_spn" {
  client_id = data.azuread_application_published_app_ids.well_known.result.AzureBatch
}

# but it's needed for this to work:
resource "azurerm_role_assignment" "batch_subscription_role" {
  # Azure Batch requires this once created in UserSubscription mode
  scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
  role_definition_name = "Contributor"
  principal_id         = data.azuread_service_principal.batch_spn.object_id

  skip_service_principal_aad_check = true
}
It's a shame I cannot hardcode the SPN, because it is different on each tenant (unlike the AzBatch application ID).
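One way to make the principal exist before the role assignment is evaluated, shown here as an added example that is not part of the original post: instead of looking the service principal up with a data source, manage it with the azuread provider's `azuread_service_principal` resource, giving it the well-known Azure Batch application ID. That instantiates the first-party application in the tenant when it is missing, and `use_existing = true` adopts the principal on tenants where a Batch Account already created it. The example assumes a recent hashicorp/azuread provider (one that accepts `client_id` on the resource, matching the data source in the question) and that the identity running Terraform is allowed to create service principals in the tenant; the resource and output names are chosen for this example.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

data "azurerm_client_config" "current" {}

# Well-known first-party application IDs published by Microsoft; the
# AzureBatch entry is the same on every tenant, unlike the principal's object_id.
data "azuread_application_published_app_ids" "well_known" {}

# Create (or adopt) the tenant-local service principal for Azure Batch.
# On a pristine tenant this is what makes the principal exist at all; on a
# tenant that already has it, use_existing imports it instead of failing.
resource "azuread_service_principal" "batch" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.AzureBatch
  use_existing = true
}

# Same subscription-scoped assignment as in the question, now depending on the
# managed resource so Terraform orders it after the principal exists.
resource "azurerm_role_assignment" "batch_subscription_role" {
  scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.batch.object_id

  # Kept from the question: the principal is created in the same apply and
  # may not yet be visible to ARM's pre-check.
  skip_service_principal_aad_check = true
}

# Handy for auditing which tenant-specific object received the role.
output "batch_service_principal_object_id" {
  value = azuread_service_principal.batch.object_id
}
```

Because the principal is now a managed resource, a later `terraform destroy` would remove it from the tenant along with the role assignment; if other workloads in the tenant rely on it, protect it with a `lifecycle { prevent_destroy = true }` block.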