Creating a function app with system assigned identity and adding it as a key vault access policy in one run

I am defining my azurerm_function_app with a SystemAssigned identity block.
In the same update to the environment, I want to add the SystemIdentity that will be created to my azure key vault access policy list.
I receive: The argument "object_id" is required, but no definition was found.

resource "azurerm_key_vault_access_policy" "ingest-function-app-smi" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current_client_config.tenant_id
  object_id    = azurerm_function_app.function-app-ingest.identity[0].principal_id

  secret_permissions = ["Get", "List"]
}

I know that if I create the identity manually or before I try to add it to the key vault, it’s ok. But I’m trying to do them inline.

resource "azurerm_function_app" "function-app-ingest" {
  name                       = "${local.resource-name-prefix}-ingest-fn"
  location                   = var.resource-location
  resource_group_name        = local.resource-group-name
  app_service_plan_id        = azurerm_app_service_plan.function-app-sp.id
  storage_account_name       = azurerm_storage_account.ingest-storage-account.name
  storage_account_access_key = azurerm_storage_account.ingest-storage-account.primary_access_key
  os_type                    = "linux"
  https_only                 = true
  client_cert_mode           = "Required"
  enable_builtin_logging     = false
  version                    = var.app-service-plan-version

  identity {
    type = "SystemAssigned"
  }
  tags = merge(local.common_tags, tomap({ "type" = "function-app" }))
}

I tried to toss a depends_on block on the key vault access policy, but that doesn’t change the resulting output. What’s the best way to do this?

I am getting the same problem here as well. Trying to avoid the workaround.

Hi @jwshive and @cthia,

I’m not specifically familiar with these resource types, but reading the configuration example and error message in the original report above suggests to me that the AzureRM provider is reporting the azurerm_function_app.function-app-ingest.identity[0].principal_id attribute as null, and so the azurerm_key_vault_access_policy resource understands that as the object_id argument being unset.

If so, I think the main question here is why that attribute is null. I’m not familiar enough with the provider or underlying APIs to know whether it makes sense for that attribute to be null in this case or if that seems like a bug in the provider. If you suspect it’s a bug – that is, if this behavior doesn’t match what’s documented or doesn’t match how the underlying Azure API behaves – I would suggest instead reporting that in the Azure provider’s GitHub repository, because that is the place that the maintainers of that provider primarily look to find bug reports. Thanks!

Although it’s discussing a different source resource type, this existing issue in the provider repository seems like it’s describing a similar symptom:

The discussion there or in one of the linked issues might have some additional information on how to work around this bug. Since it does seem to be a bug (Azure provider contributors say so in comments there) I don’t think there will be a non-workaround solution until the bug is fixed.
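A check for the diagnosis suggested in the reply above, added here as an example and not part of the thread: it reads `terraform show -json` output (a constructed sample is embedded; the GUIDs are placeholders) and flags function apps whose system-assigned identity has a null principal_id, access policies whose object_id is unset or matches no function app identity, and secret permissions broader than the Get/List the original configuration grants.

```python
import json

# Constructed sample shaped like `terraform show -json` output (trimmed); GUIDs are placeholders.
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [
    {"address": "azurerm_function_app.function-app-ingest", "type": "azurerm_function_app",
     "values": {"identity": [{"type": "SystemAssigned",
                              "principal_id": "00000000-0000-0000-0000-000000000001"}]}},
    {"address": "azurerm_function_app.function-app-broken", "type": "azurerm_function_app",
     "values": {"identity": [{"type": "SystemAssigned", "principal_id": None}]}},
    {"address": "azurerm_key_vault_access_policy.ingest-function-app-smi",
     "type": "azurerm_key_vault_access_policy",
     "values": {"object_id": "00000000-0000-0000-0000-000000000001",
                "secret_permissions": ["Get", "List"]}},
    {"address": "azurerm_key_vault_access_policy.too-broad",
     "type": "azurerm_key_vault_access_policy",
     "values": {"object_id": None, "secret_permissions": ["Get", "List", "Set", "Delete"]}},
]}}})

def managed_resources(state, rtype):
    """Return (address, values) pairs for root-module managed resources of rtype."""
    return [(res["address"], res.get("values") or {})
            for res in state["values"]["root_module"].get("resources", [])
            if res.get("mode", "managed") == "managed" and res.get("type") == rtype]

def audit_identity_bindings(state_json, allowed=("Get", "List")):
    """Flag system identities with no principal_id, access policies whose object_id is
    unset or matches no function app identity, and secret_permissions beyond `allowed`."""
    state = json.loads(state_json)
    findings, identities = [], {}
    for addr, vals in managed_resources(state, "azurerm_function_app"):
        blocks = vals.get("identity") or []
        if not blocks:
            continue  # no identity requested, nothing to bind
        pid = blocks[0].get("principal_id")
        if pid:
            identities[pid] = addr
        else:
            findings.append(f"{addr}: identity block present but principal_id is null")
    for addr, vals in managed_resources(state, "azurerm_key_vault_access_policy"):
        oid = vals.get("object_id")
        if not oid:
            findings.append(f"{addr}: object_id is unset")
        elif oid not in identities:
            findings.append(f"{addr}: object_id {oid} matches no function app identity")
        extra = sorted(set(vals.get("secret_permissions") or []) - set(allowed))
        if extra:
            findings.append(f"{addr}: secret_permissions beyond {sorted(allowed)}: {extra}")
    return findings
```

Run it against real output with `terraform show -json > state.json` and pass the file contents to `audit_identity_bindings`; an empty list means every identity resolved and every policy is bound to one.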