Enabling oidc_issuer_enabled in azurerm_kubernetes_cluster causes downstream plan failure #21805

Closed
1 task done
fraenkel opened this issue May 16, 2023 · 1 comment · Fixed by #21911

@fraenkel
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

### Terraform Version

1.4.6

### AzureRM Provider Version

3.56.0

### Affected Resource(s)/Data Source(s)

- azurerm_kubernetes_cluster
- azurerm_federated_identity_credential

### Terraform Configuration Files

An existing cluster is having the oidc_issuer enabled.

A new federated identity is being created:

```hcl
resource "azurerm_federated_identity_credential" "zzz" {
  name                = "zzz"
  resource_group_name = data.azurerm_resource_group.aks.name
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azurerm_kubernetes_cluster.aks.oidc_issuer_url
  parent_id           = azurerm_user_assigned_identity.zzz.id
  subject             = "system:serviceaccount:ns:zzz"
}
```


### Debug Output/Panic Output

```shell
~ resource "azurerm_kubernetes_cluster" "aks" {
        id                                  = XXX
        name                                = YYY
      ~ oidc_issuer_enabled                 = false -> true
        tags                                = {}
      ~ workload_identity_enabled           = false -> true

+ resource "azurerm_federated_identity_credential" "zzz" {
      + audience            = [
          + "api://AzureADTokenExchange",
        ]
      + id                  = (known after apply)
      + name                = "zzz"
      + parent_id           = (known after apply)
      + resource_group_name = "rg"
      + subject             = "system:serviceaccount:ns:zzz"
    }

Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for module.aks.azurerm_federated_identity_credential.zzz to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .issuer: was cty.StringVal(""), but now cty.StringVal("https://westus2.oic.prod-aks.azure.com/************************************/").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
```

### Expected Behaviour

The apply succeeds.

### Actual Behaviour

The apply fails.

### Steps to Reproduce

_No response_

### Important Factoids

_No response_

### References

_No response_
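The error above is Terraform core's plan/apply consistency check: the provider planned `oidc_issuer_url` as the known empty string (the value from prior state, where the issuer was disabled) instead of marking it unknown, so when the real issuer URL came back at apply time core rejected the change. The following Go program is an added illustration of that mechanism, not code from the azurerm provider or from #21911: it models the attribute as a known/unknown value, reproduces the rejected plan, and shows the alternative of planning the URL as unknown when `oidc_issuer_enabled` changes (the real fix lives in the provider's CustomizeDiff logic and is assumed, not reproduced). The issuer URL in `ApplyEnable` is a constructed placeholder. Getting this right matters beyond convenience: `issuer` on the federated identity credential is the trust anchor for the token exchange, so a plan that silently carries `""` for it is a value you want Terraform to refuse rather than apply.

```go
package main

import (
	"errors"
	"fmt"
)

// Value is a simplified stand-in for a cty value in a Terraform plan:
// either a known string or "unknown" ("known after apply").
type Value struct {
	Known bool
	Str   string
}

func Known(s string) Value { return Value{Known: true, Str: s} }
func Unknown() Value       { return Value{} }

// ErrInconsistentPlan mirrors core's "Provider produced inconsistent final plan":
// a value the plan presented as known may not change at apply time.
var ErrInconsistentPlan = errors.New("provider produced inconsistent final plan")

// CheckFinalValue applies that rule to a single attribute.
func CheckFinalValue(attr string, planned, final Value) error {
	if !planned.Known {
		return nil // "(known after apply)" may become any value
	}
	if planned.Str != final.Str {
		return fmt.Errorf("%w: invalid new value for .%s: was %q, but now %q",
			ErrInconsistentPlan, attr, planned.Str, final.Str)
	}
	return nil
}

// ClusterDiff is the subset of azurerm_kubernetes_cluster state relevant here.
type ClusterDiff struct {
	OldIssuerEnabled bool
	NewIssuerEnabled bool
	OldIssuerURL     string // "" while the issuer is disabled
}

// PlanIssuerURLBuggy reproduces the behaviour in the report: the planned
// oidc_issuer_url just carries the prior state's value, even though enabling
// the issuer will yield a URL that is only known after apply.
func PlanIssuerURLBuggy(d ClusterDiff) Value {
	return Known(d.OldIssuerURL)
}

// PlanIssuerURLFixed marks oidc_issuer_url unknown whenever oidc_issuer_enabled
// changes, so downstream references (the credential's issuer) plan as
// "(known after apply)". Assumed shape of the fix; not the provider's code.
func PlanIssuerURLFixed(d ClusterDiff) Value {
	if d.OldIssuerEnabled != d.NewIssuerEnabled {
		return Unknown()
	}
	return Known(d.OldIssuerURL)
}

// ApplyEnable simulates what the API returns once the issuer is enabled.
// The URL is a constructed placeholder, not a real cluster's issuer.
func ApplyEnable(d ClusterDiff) Value {
	if d.NewIssuerEnabled {
		return Known("https://westus2.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/")
	}
	return Known("")
}

// Simulate runs plan -> apply -> consistency check for the federated
// credential's issuer attribute using the given planning function.
func Simulate(plan func(ClusterDiff) Value) error {
	d := ClusterDiff{OldIssuerEnabled: false, NewIssuerEnabled: true, OldIssuerURL: ""}
	planned := plan(d)
	final := ApplyEnable(d)
	return CheckFinalValue("issuer", planned, final)
}

func main() {
	fmt.Println("buggy plan:", Simulate(PlanIssuerURLBuggy))
	fmt.Println("fixed plan:", Simulate(PlanIssuerURLFixed))
}
```

With the unknown-marking variant the credential's `issuer` shows as `(known after apply)` in the plan, which is the honest representation; after apply it is still worth reading the created credential back and confirming the issuer matches the cluster's `oidc_issuer_url`, since that string is what the workload identity token exchange trusts.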

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 21, 2024