azurerm_machine_learning_compute_cluster Recreates when I change le list of identity_ids for UserAssigned

[Uranium2]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

v1.6.4

AzureRM Provider Version

~>3.0

Affected Resource(s)/Data Source(s)

azurerm_machine_learning_compute_cluster

Terraform Configuration Files

resource "azurerm_machine_learning_compute_cluster" "cluster" {
  name     = "my_compute_cluster"
  location = "westeurope"

  vm_priority                   = "LowPriority"
  vm_size                       = "STANDARD_DS13_V2"
  machine_learning_workspace_id = module.mlw_01.id
  subnet_resource_id            = module.subnet_mlw.id

  ssh_public_access_enabled = false
  node_public_ip_enabled    = false

  identity {
    type = "UserAssigned"
    identity_ids = concat(values( # List of strings of user managed identities
      module.aml_compute_instance_managed_id_databricks_sp)[*].managed_identity.id,
      [azurerm_user_assigned_identity.compute_cluster_managed_identity.id]
    )
  }

  scale_settings {
    min_node_count                       = 0
    max_node_count                       = 10
    scale_down_nodes_after_idle_duration = "PT5M"
  }
}

Debug Output/Panic Output

# azurerm_machine_learning_compute_cluster.cluster["my-compute-cluster"] must be replaced
-/+ resource "azurerm_machine_learning_compute_cluster" "cluster" {
      ~ id                            = "/subscriptions/.../resourceGroups/.../providers/Microsoft.MachineLearningServices/workspaces/XXXXXX/computes/my-compute-cluster" -> (known after apply)
        name                          = "my-compute-cluster"
        # (8 unchanged attributes hidden)

      ~ identity {
          ~ identity_ids = [ # forces replacement
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXXXX-XXXX-identity",
              - "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/aml-compute-cluster-XXXX-identity",
            ] -> (known after apply) # forces replacement
          + principal_id = (known after apply)
          ~ tenant_id    = "xxxxxxxxxxxxxxxxxxxxxxxxxxx" -> (known after apply)
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

Expected Behaviour

I expected the ressource to stay the same, and only modify the identity_ids of identity block.

Actual Behaviour

The all ressource is replaced, making all the compute cluster unavailable for 10 minutes when I add a new Managed Identity to each compute clusters.

Steps to Reproduce

Create a Machine Learning Workspace, create X managed Identities in Azure, Create one compute cluster and assign X managed indentities. Apply.
Remove or add a managed identity, reapply

Important Factoids

No response

References

No response