Azurerm_function_app identity

So I am looking for advice, not just a solution here:

I have a function app that needs write permission on another resource.
I have been trying to pass a service principal ID into the identity block:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#identity

So I created a service_principal and output the ID:

output "principal_id" {
  value = azuread_service_principal.example.application_id
}

In a different module:

resource "azurerm_function_app" "ams" {
  name                       = "func-${var.application}-${var.enviro}0"
  location                   = var.azlocname
  resource_group_name        = var.rg_name
  app_service_plan_id        = var.app_service_plan_id
  storage_account_name       = var.storage_account_name_am
  storage_account_access_key = var.storage_account_access_key_ams
  os_type                    = "linux"
  https_only                 = true
  identity {
    type                     = "SystemAssigned"
    identity_ids             = [var.principal_id]
  } 
  tags = {}
}

But Terraform doesn’t seem to like the ID of that service principal:

Error: Cannot parse Azure ID: parse "######-###-##-##": invalid URI for request
  on function\main.tf line 1, in resource "azurerm_function_app" "ams":
   1: resource "azurerm_function_app" "ams" {

So I thought I would just let the function app define the identity.

So I took out the identity block and put in an output:

output "ams_principal_id" {
  value = azurerm_function_app.ams.identity[0].principal_id
}

And then I tried to use that principal_id to define a role:

resource "azurerm_role_definition" "example" {
  name               = "ams-writer"
  scope              = var.rg_id
  permissions {
    actions     = ["Microsoft.Media/mediaServices/assets/write"]
    not_actions = []
  }
  assignable_scopes = [
    var.rg_id,
  ]
}

resource "azurerm_role_assignment" "example" {
  scope              = var.rg_id
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = var.ams_principal_id
}

But Terraform doesn’t seem to be setting this principal_id.

But as per the page I linked to:

The identity block exports the following:

  • principal_id - The Principal ID for the Service Principal associated with the Managed Service Identity of this App Service.
  • tenant_id - The Tenant ID for the Service Principal associated with the Managed Service Identity of this App Service.

How can I / should I set a custom role assignment for the Azure function?

Thanks

@donfouts Whenever you’re referencing a service principal for assigning permissions, you generally need to specify the object ID of the SP. Have you tried referencing azuread_service_principal.example.object_id?

Error: Cannot parse Azure ID: parse "99999999-9999-9999-9999-9999999999999": invalid URI for request

  on function\main.tf line 1, in resource "azurerm_function_app" "ams":
   1: resource "azurerm_function_app" "ams" {

The object ID seems to be a GUID,
and the azurerm_function_app is looking for a URI of the object.
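The following is an added, complete example that is not code from any poster in this thread. It wires the function app's system-assigned managed identity to a least-privilege custom role, which is the pattern the original question and the GUID-vs-URI follow-up are circling around. Two facts from the azurerm provider drive the shape of it: `identity_ids` is only used with `type = "UserAssigned"` and takes the full ARM resource IDs of user-assigned identity resources (hence "Cannot parse Azure ID" when handed an AAD GUID), and `identity[0].principal_id` only exists if the function app keeps an `identity` block, so removing the block leaves nothing to assign. Variable names (`var.application`, `var.enviro`, `var.azlocname`, `var.rg_name`, `var.rg_id`, `var.app_service_plan_id`, `var.storage_account_name_am`, `var.storage_account_access_key_ams`) are taken from the thread and assumed to be declared by the enclosing module; the resource labels `ams_writer` are my own.

```hcl
# Added example, not the poster's code. Assumed variables are the ones used in the thread.

resource "azurerm_function_app" "ams" {
  name                       = "func-${var.application}-${var.enviro}0"
  location                   = var.azlocname
  resource_group_name        = var.rg_name
  app_service_plan_id        = var.app_service_plan_id
  storage_account_name       = var.storage_account_name_am
  storage_account_access_key = var.storage_account_access_key_ams
  os_type                    = "linux"
  https_only                 = true

  # SystemAssigned: Azure creates and rotates the identity with the app, so there
  # is no secret to store and no identity_ids to pass. identity_ids is only for
  # type = "UserAssigned", and it expects ARM resource IDs of the form
  # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>,
  # not an AAD application or object GUID.
  identity {
    type = "SystemAssigned"
  }

  tags = {}
}

# Least privilege: one action, scoped to a single resource group, and only
# assignable there so the role cannot be reused more broadly by accident.
resource "azurerm_role_definition" "ams_writer" {
  name  = "ams-writer"
  scope = var.rg_id

  permissions {
    actions     = ["Microsoft.Media/mediaServices/assets/write"]
    not_actions = []
  }

  assignable_scopes = [var.rg_id]
}

# Bind the app's managed identity to the custom role. principal_id here is the
# AAD object ID of the identity Azure created for the app, which is what RBAC
# role assignments expect.
resource "azurerm_role_assignment" "ams_writer" {
  scope              = var.rg_id
  role_definition_id = azurerm_role_definition.ams_writer.role_definition_resource_id
  principal_id       = azurerm_function_app.ams.identity[0].principal_id

  # A freshly created identity can take a moment to replicate in AAD; skipping
  # the pre-flight lookup avoids a spurious PrincipalNotFound on first apply.
  skip_service_principal_aad_check = true
}

# If the role assignment lives in a different module, export the object ID and
# feed it in as module.<function_module>.ams_principal_id (assumed module name).
output "ams_principal_id" {
  value = azurerm_function_app.ams.identity[0].principal_id
}

# Alternative when the identity must outlive the app or be shared by several
# apps: a user-assigned identity. Its .id (an ARM resource ID) is what goes into
# identity_ids, and its .principal_id is what goes into the role assignment.
#
# resource "azurerm_user_assigned_identity" "ams" {
#   name                = "id-ams"
#   location            = var.azlocname
#   resource_group_name = var.rg_name
# }
#
# identity {
#   type         = "UserAssigned"
#   identity_ids = [azurerm_user_assigned_identity.ams.id]
# }
# principal_id = azurerm_user_assigned_identity.ams.principal_id
```

The defensive point worth keeping in mind: with a managed identity there is no client secret for the function to hold, and the blast radius is bounded by the single action and single scope in the custom role. When splitting this across modules, the only value that needs to cross the module boundary is the `principal_id` output; the role definition and assignment can stay next to the resource group they protect.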