
API Management System-Assigned Principal Id can't be used in Key Vault Access Policy before manual creation #13320

Open
meilz381 opened this issue Sep 13, 2021 · 14 comments
Labels
bug service/api-management upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) v/2.x (legacy)

Comments

@meilz381
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.0.4
azurerm version 2.76.0

Affected Resource(s)

  • azurerm_api_management
  • azurerm_key_vault_access_policy

Terraform Configuration Files

resource "azurerm_key_vault_access_policy" "access_policy" {
  for_each = var.kv_params.objects

  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = var.tenant_id
  object_id    = each.value.object_id

  key_permissions = each.value.key_permissions

  secret_permissions = each.value.secret_permissions

  certificate_permissions = each.value.certificate_permissions
}
resource "azurerm_api_management" "apim" {
  name                = "${var.general_params.environment}-${var.general_params.region_name}-${var.general_params.project_short_name}-apim"
  location            = var.general_params.region
  resource_group_name = var.resource_group_name
  publisher_name      = "#####"
  publisher_email     = "#####"

  sku_name = "${var.apim_params.tier}_${var.apim_params.deployed_units}"

  identity {
    type = var.apim_params.identity_type
  }

  tags = merge(
    var.common_tags,
    { mic_shared = "false" }
  )
}
output "object_id_api_managment" {
  value = azurerm_api_management.apim.identity[0].principal_id
}

excerpt of a larger file used for configuration:

....
apim_params = {
    tier                        = "Developer"
    deployed_units              = 1
    identity_type               = "SystemAssigned"
   ...
} 
...
key_vault = {
  apim_kv = {
    params = {
      description                 = "apim"
      soft_delete_retention_days  = 7
      purge_protection_enabled    = false
      sku_name                    = "standard"
      objects = {
        api_managment = {
          object_id               = module.apim.object_id_api_managment
          key_permissions = []
          secret_permissions = [
            "Get",
            "List",
          ]
          certificate_permissions = []
        }
      }
    }
  }
}
....

Debug Output

Expected Behaviour

The access policy gets created after the API management instance and the system-assigned identity is created.
I assume my configuration is correct because when I first create the APIM and the system-assigned identity, and then, in a second step, add the access policy everything works.

Actual Behaviour

The creation fails since the principal id isn't defined before the creation of the API management and the registration of the APIM in the AAD.

module.keyvault["apim_kv"].azurerm_key_vault_access_policy.access_policy["#####"]: Refreshing state... [id=/subscriptions/007be5f8-9421-4d38-ae33-28072fc16c47/resourceGroups/dev-euw-#####-rg/providers/Microsoft.KeyVault/vaults/dev-euw-####-apim-kv/objectId/802a607c-8ff3-434c-80c1-fff964bd642c]
╷
│ Error: Missing required argument
│ 
│   with module.keyvault["apim_kv"].azurerm_key_vault_access_policy.access_policy["api_managment"],
│   on key-vault/access_policy.tf line 6, in resource "azurerm_key_vault_access_policy" "access_policy":
│    6:   object_id    = each.value.object_id
│ 
│ The argument "object_id" is required, but no definition was found.

Steps to Reproduce

  1. terraform apply
@Marcus-James-Adams

This also occurs with creating rbac access policies that use azurerm_app_service: you have to create the app service first and then the access policies on a second apply run

@jeanpaulsmit
Contributor

> This also occurs with creating rbac access policies that use azurerm_app_service: you have to create the app service first and then the access policies on a second apply run

I can confirm this.
When updating an existing azurerm_app_service resource to contain the following, it seems that change is ignored (leading to the same issue, introducing key vault after provisioning an app service is a pain atm).

  identity {
    type = "SystemAssigned"
  }

@cwoodcox

cwoodcox commented Dec 6, 2021

I have the same issue with an azurerm_windows_virtual_machine, I added an identity block and attempted to reference that identity block in an azurerm_key_vault_access_policy and it refuses to run. If I apply the identity {} changes and then plan again, it works as expected.

@andre-laskawy

I had the same problem, but only if the resource existed before. I could fix it by adding the service identity manually in azure. Afterwards, it worked fine. Or you create all resources from scratch. That should also work.

@meilz381
Contributor Author

meilz381 commented Jan 3, 2022

Yes, I also recognized that. When the resource is created from scratch it works.

To summarize the other posts: Several resources are affected. When the resource exists and the managed identity should be added (the resource gets updated) it fails.

@dglozano

This comment was marked as off-topic.

@prdev89

This comment was marked as off-topic.

@DominikKrissVisma

This comment was marked as off-topic.

@tombuildsstuff tombuildsstuff added the upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) label Mar 22, 2022
@dehimb

This comment was marked as off-topic.

@danylo-dudok

This comment was marked as off-topic.

@Marcus-James-Adams

This comment was marked as off-topic.

@RockyMM

RockyMM commented Jan 31, 2024

I just now faced this issue by simply following documentation on managing certificates in API Management.

Any ideas about a workaround which could be contained only in Terraform?

@dehimb

dehimb commented Feb 1, 2024

> Any ideas about a workaround which could be contained only in Terraform?

As a workaround, you can use azurerm_user_assigned_identity. Worked for me
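
The user-assigned identity workaround from the comment above, written out as an added example (not code from the issue author or the provider's documentation). The resource names, the `var.*` inputs and the `azurerm_key_vault.apim_kv` reference are assumed placeholders; the point is that `object_id` is taken from the standalone identity resource rather than from `azurerm_api_management.apim.identity[0]`, so it is resolved after the identity is created instead of being read back from the not-yet-updated APIM state.

```hcl
# Added example, not from the issue: user-assigned identity workaround.
# var.* inputs, the "apim-identity" name and azurerm_key_vault.apim_kv are assumed.
data "azurerm_client_config" "current" {}

resource "azurerm_user_assigned_identity" "apim" {
  name                = "apim-identity"
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_api_management" "apim" {
  name                = var.apim_name
  location            = var.location
  resource_group_name = var.resource_group_name
  publisher_name      = var.publisher_name
  publisher_email     = var.publisher_email
  sku_name            = "Developer_1"

  # Attach the identity created above instead of a SystemAssigned one, so the
  # principal to grant is never derived from this resource's own identity block.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.apim.id]
  }
}

resource "azurerm_key_vault_access_policy" "apim" {
  key_vault_id = azurerm_key_vault.apim_kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  # principal_id of the identity resource, not azurerm_api_management.apim.identity[0].principal_id
  object_id    = azurerm_user_assigned_identity.apim.principal_id

  # Same minimal permissions as the original issue's configuration.
  key_permissions         = []
  secret_permissions      = ["Get", "List"]
  certificate_permissions = []
}
```

This also works as a single `terraform apply` on an existing APIM instance, since adding the `identity` block to it no longer has to produce the object id that the access policy depends on.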

@RockyMM

RockyMM commented Feb 2, 2024

> Any ideas about a workaround which could be contained only in Terraform?
>
> As a workaround, you can use azurerm_user_assigned_identity. Worked for me

You are right. Also within hidden comments, there was an exact workaround. Maybe such comments should not be hidden?

EDIT: actually, it was your comment :D
