So I am looking for advice, not just a solution here:
I have a function app that needs write permission on another resource.
I have been trying to pass a service principal ID into the identity block:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#identity
So I created a service_principal and output the ID:
    output "principal_id" {
      value = azuread_service_principal.example.application_id
    }
In a different module:
    resource "azurerm_function_app" "ams" {
      name                       = "func-${var.application}-${var.enviro}0"
      location                   = var.azlocname
      resource_group_name        = var.rg_name
      app_service_plan_id        = var.app_service_plan_id
      storage_account_name       = var.storage_account_name_am
      storage_account_access_key = var.storage_account_access_key_ams
      os_type                    = "linux"
      https_only                 = true
      identity {
        type         = "SystemAssigned"
        identity_ids = [var.principal_id]
      }
      tags = {}
    }
but Terraform doesn't seem to like the ID of that service principal:
Error: Cannot parse Azure ID: parse "######-###-##-##": invalid URI for request
on function\main.tf line 1, in resource "azurerm_function_app" "ams":
1: resource "azurerm_function_app" "ams" {
So I thought I would just let the function app define the identity:
I took out the identity block and put in an output:
    output "ams_principal_id" {
      value = azurerm_function_app.ams.identity[0].principal_id
    }
and then tried to use that principal_id to define a role:
    resource "azurerm_role_definition" "example" {
      name  = "ams-writer"
      scope = var.rg_id
      permissions {
        actions     = ["Microsoft.Media/mediaServices/assets/write"]
        not_actions = []
      }
      assignable_scopes = [
        var.rg_id,
      ]
    }
    resource "azurerm_role_assignment" "example" {
      scope              = var.rg_id
      role_definition_id = azurerm_role_definition.example.role_definition_resource_id
      principal_id       = var.ams_principal_id
    }
but Terraform doesn't seem to be setting this principal_id,
even though, as per the page I linked to:
    The identity block exports the following:
    principal_id - The Principal ID for the Service Principal associated with the Managed Service Identity of this App Service.
    tenant_id - The Tenant ID for the Service Principal associated with the Managed Service Identity of this App Service.
How can I / should I set a custom role assignment for the Azure function?
thanks
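As an added example (not the poster's code), here is a working layout for the procedure the post describes: keep the identity block with type SystemAssigned and no identity_ids so Azure creates the identity, define the least-privilege custom role, and assign it to the exported principal_id. Variable names not in the post are assumptions.

```hcl
# Added example, not the poster's code. Variable names beyond those in the
# post are assumptions.

resource "azurerm_function_app" "ams" {
  name                       = "func-${var.application}-${var.enviro}0"
  location                   = var.azlocname
  resource_group_name        = var.rg_name
  app_service_plan_id        = var.app_service_plan_id
  storage_account_name       = var.storage_account_name_ams
  storage_account_access_key = var.storage_account_access_key_ams
  os_type                    = "linux"
  https_only                 = true

  # SystemAssigned: Azure creates and manages the identity; no identity_ids.
  # identity_ids is only valid with type = "UserAssigned" and expects the
  # full resource ID of a user-assigned identity, not a principal GUID.
  identity {
    type = "SystemAssigned"
  }
}

# Custom role scoped to the resource group, limited to the single action needed.
resource "azurerm_role_definition" "ams_writer" {
  name  = "ams-writer"
  scope = var.rg_id

  permissions {
    actions     = ["Microsoft.Media/mediaServices/assets/write"]
    not_actions = []
  }

  assignable_scopes = [var.rg_id]
}

# Bind the role to the function app's managed identity. Referencing the
# identity attribute directly (rather than a plain variable) lets Terraform
# create the identity before the assignment.
resource "azurerm_role_assignment" "ams_writer" {
  scope              = var.rg_id
  role_definition_id = azurerm_role_definition.ams_writer.role_definition_resource_id
  principal_id       = azurerm_function_app.ams.identity[0].principal_id
}

# If the assignment lives in a different module, pass the principal_id out
# as a module output and in as a variable of that module.
output "ams_principal_id" {
  value = azurerm_function_app.ams.identity[0].principal_id
}
```

If the role assignment is in a separate module, wire the output above into that module's variable; the identity block must stay in the function app resource or identity[0] will not exist.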