Creating a function app with system assigned identity and adding it as a key vault access policy in one run

I am defining my azurerm_function_app with a SystemAssigned identity block.
In the same update to the environment, I want to add the SystemIdentity that will be created to my azure key vault access policy list.
I receive: The argument "object_id" is required, but no definition was found.

resource "azurerm_key_vault_access_policy" "ingest-function-app-smi" {
  key_vault_id =
  tenant_id    = data.azurerm_client_config.current_client_config.tenant_id
  object_id    = azurerm_function_app.function-app-ingest.identity[0].principal_id

  secret_permissions = ["Get", "List"]

I know that if i create the identity manually or before I try to add it to the key vault, it’s ok. But I’m trying to do them inline.

resource "azurerm_function_app" "function-app-ingest" {
  name                       = "${local.resource-name-prefix}-ingest-fn"
  location                   = var.resource-location
  resource_group_name        = local.resource-group-name
  app_service_plan_id        =
  storage_account_name       =
  storage_account_access_key = azurerm_storage_account.ingest-storage-account.primary_access_key
  os_type                    = "linux"
  https_only                 = true
  client_cert_mode           = "Required"
  enable_builtin_logging     = false
  version                    =

  identity {
    type = "SystemAssigned"
  tags = merge(local.common_tags, tomap({ "type" = "function-app" }))

I tried to toss a depends_on block on the key vault access policy, but that doesn’t change the resulting output. What’s the best way to do this?

I am getting the same problem here as well. Trying to avoid the work around.

Hi @jwshive and @cthia,

I’m not specifically familiar with these resource types but reading the configuration example and error message in the original report above suggests to me that the AzureRM provider is reporting that azurerm_function_app.function-app-ingest.identity[0].principal_id attribute as null, and so the azurerm_key_vault_access_policy resource understands that as the object_id argument being unset.

If so, I think the main question here is why that attribute is null. I’m not familiar enough with the provider or underlying APIs to know whether it makes sense for that attribute to be null in this case or if that seems like a bug in the provider. If you suspect it’s a bug – that is, if this behavior doesn’t match what’s documented or doesn’t match how the underlying Azure API behaves – I would suggest instead reporting that in the Azure provider’s GitHub repository, because that is the place that the maintainers of that provider primarily look to find bug reports. Thanks!

Although it’s discussing a different source resource type, this existing issue in the provider repository seems like it’s describing a similar symptom:

The discussion there or in one of the linked issues might have some additional information on how to work around this bug. Since it does seem to be a bug (Azure provider contributors say so in comments there) I don’t think there will be a non-workaround solution until the bug is fixed.