Identity is empty list of objects for access_policy #11022

Closed
TehFamine opened this issue Mar 18, 2021 · 2 comments
Labels
upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc)


TehFamine commented Mar 18, 2021

I've seen a couple of issues on these and they were closed. I just wanted to raise this one again. When you define an azurerm_function_app resource that has been deployed without the SystemAssigned attribute assigned AND THEN update the function to use SystemAssigned, any resources that rely on the identity of that resource will fail in planning stages. This is for (hashicorp/azurerm) 2.51.0.

azurerm_function_app.your_function_name is empty list of object.
The given key does not identify an element in this collection value.

Reference code for the resource targeting the function identity.

resource "azurerm_key_vault_access_policy" "my_access_polcy" {
  key_vault_id = azurerm_key_vault.my_key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_function_app.your_function_name.identity[0].principal_id

  secret_permissions = [
    "Get",
    "List",
    "Delete",
    "Backup",
    "Restore",
    "Set",
  ]
}

Steps To Reproduce

  1. Define and deploy an azurerm_function_app without the identity attribute.
  2. Define and deploy an azurerm_key_vault resource.
  3. Once deployed, add the identity attribute to azurerm_function_app with type = "SystemAssigned"
  4. Define a new azurerm_key_vault_access_policy that targets the azurerm_function_app.function.identity[0].principal_id for the object_id of the policy.
  5. Note the failure in planning as: identity is empty list of object.
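
A pre-flight check for the condition in the reproduction steps above, as an added example that is not part of the original issue or the provider's code: it reads state in the layout printed by `terraform show -json` and reports `.identity[0]` references to function apps whose stored identity list is empty. The sample state, the sample configuration, the resource name `other_function` and the Python function names are constructed for illustration.

```python
import json
import re

# Constructed sample, trimmed to the fields used here, in the layout
# printed by `terraform show -json` (values -> root_module -> resources).
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [
    {"type": "azurerm_function_app", "name": "your_function_name",
     "values": {"identity": []}},
    {"type": "azurerm_function_app", "name": "other_function",
     "values": {"identity": [{"type": "SystemAssigned",
                              "principal_id": "00000000-0000-0000-0000-000000000000"}]}},
]}}})

# Constructed configuration: two access policies indexing identity[0].
SAMPLE_TF = """\
resource "azurerm_key_vault_access_policy" "a" {
  key_vault_id = azurerm_key_vault.my_key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_function_app.your_function_name.identity[0].principal_id
}
resource "azurerm_key_vault_access_policy" "b" {
  object_id = azurerm_function_app.other_function.identity[0].principal_id
}
"""

REF = re.compile(r"\b(azurerm_function_app\.\w+)\.identity\[0\]")


def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def empty_identity_apps(state):
    """Return 'type.name' for each function app whose stored identity list is empty."""
    root = state.get("values", {}).get("root_module", {})
    return {f'{r["type"]}.{r["name"]}' for r in walk(root)
            if r.get("type") == "azurerm_function_app"
            and not r.get("values", {}).get("identity")}


def risky_references(state_json, tf_source):
    """Return (line number, resource) for each identity[0] reference to such an app."""
    empty = empty_identity_apps(json.loads(state_json))
    return [(n, m.group(1))
            for n, line in enumerate(tf_source.splitlines(), 1)
            for m in REF.finditer(line) if m.group(1) in empty]


if __name__ == "__main__":
    for lineno, res in risky_references(SAMPLE_STATE, SAMPLE_TF):
        print(f"line {lineno}: {res}.identity is an empty list in state")
```
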
@tombuildsstuff tombuildsstuff added the upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) label Mar 19, 2021
@tombuildsstuff
Contributor

hi @TehFamine

Thanks for opening this issue.

Taking a look through here, unfortunately this appears to be a bug in Terraform Core where the Plan isn't accounting for the new changes being applied. Since this needs to be fixed there, I'd suggest opening an issue on that repository so that someone from that team can take a look, but since this is an issue with Terraform Core rather than an issue with the Azure Provider I'm going to close this issue for the moment.

Thanks!


ghost commented Apr 18, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Apr 18, 2021