I am defining my azurerm_function_app with a SystemAssigned identity block.
In the same update to the environment, I want to add the SystemIdentity that will be created to my azure key vault access policy list.
I receive: The argument "object_id" is required, but no definition was found.
I’m not specifically familiar with these resource types but reading the configuration example and error message in the original report above suggests to me that the AzureRM provider is reporting that azurerm_function_app.function-app-ingest.identity[0].principal_id attribute as null, and so the azurerm_key_vault_access_policy resource understands that as the object_id argument being unset.
If so, I think the main question here is why that attribute is null. I’m not familiar enough with the provider or underlying APIs to know whether it makes sense for that attribute to be null in this case or if that seems like a bug in the provider. If you suspect it’s a bug – that is, if this behavior doesn’t match what’s documented or doesn’t match how the underlying Azure API behaves – I would suggest instead reporting that in the Azure provider’s GitHub repository, because that is the place that the maintainers of that provider primarily look to find bug reports. Thanks!
Although it’s discussing a different source resource type, this existing issue in the provider repository seems like it’s describing a similar symptom:
The discussion there or in one of the linked issues might have some additional information on how to work around this bug. Since it does seem to be a bug (Azure provider contributors say so in comments there) I don’t think there will be a non-workaround solution until the bug is fixed.