
Activating "SystemAssigned" Identity in app service and using it in a key vault access policy breaks terraform apply #15167

Open
joernehlert opened this issue Jan 28, 2022 · 5 comments
Labels
upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) v/2.x (legacy)

Comments

@joernehlert

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.1.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.94.0

Affected Resource(s)

  • azurerm_app_service
  • azurerm_key_vault_policy

Terraform Configuration Files

I prepared a terraform configuration to reproduce the issue:

https://github.com/port4949/bugreport-azurerm/blob/master/main.tf

Expected Behaviour

The app service gets a system assigned identity and a key vault access policy is created for this identity.

Actual Behaviour

The apply fails, because the access policy resource tries to read the tenant id and object id of the identity before it is created.

│ Error: Missing required argument
│ 
│   with azurerm_key_vault_access_policy.policy-bugreport-app,
│   on main.tf line 93, in resource "azurerm_key_vault_access_policy" "policy-bugreport-app":
│   93:   tenant_id    = azurerm_app_service.app-bugreport.identity[0].tenant_id
│ 
│ The argument "tenant_id" is required, but no definition was found.
╵
╷
│ Error: Missing required argument
│ 
│   with azurerm_key_vault_access_policy.policy-bugreport-app,
│   on main.tf line 94, in resource "azurerm_key_vault_access_policy" "policy-bugreport-app":
│   94:   object_id    = azurerm_app_service.app-bugreport.identity[0].principal_id
│ 
│ The argument "object_id" is required, but no definition was found.

Steps to Reproduce

  1. Download the prepared main.tf (https://github.com/port4949/bugreport-azurerm/blob/master/main.tf)
  2. terraform apply
  3. Uncomment the identity block in the app service (around line 78) and the key vault access policy block at the end of the file.
  4. Now you can apply the configuration again and you will see the error message.

References

@tombuildsstuff tombuildsstuff added the upstream/terraform This issue is blocked on an upstream issue within Terraform (Terraform Core/CLI, The Plugin SDK etc) label Jan 31, 2022
@pregress

@tombuildsstuff could you provide the link to the upstream issue that is causing this?

@BjornVanslembrouck

We had the same issue in an Azure Data Factory and Key Vault configuration.

Adding this to the top of the file solved it for us:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.36.0"
    }
  }
  backend "azurerm" {}
}

@thatdotnetguy

Did you ever solve this @joernehlert? I'm getting the same error "The argument "object_id" is required"..... do you know what the fix is?

@pregress

@thatdotnetguy multiple ways to fix this:

  • Use user-assigned identities (added benefit if you use slot deploys)
  • If you want system-assigned identities, enable the identities manually and then do the terraform apply, or apply in 2 iterations: first enabling the system-assigned identity, then using it in dependent resources
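
The user-assigned route from the comment above, written out as an added example (this is not code from the issue, from the linked main.tf, or from the provider project). It assumes a fresh resource group, plan, app service and key vault with the made-up names below (the key vault name must be globally unique, so treat it as a placeholder), and it takes the policy's tenant_id from the azurerm_client_config data source, which is known at plan time, rather than from the app service's identity block:

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.94.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Tenant of the deploying principal; resolvable at plan time, so it is a
# safer source for tenant_id than azurerm_app_service.<name>.identity[0].tenant_id.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-bugreport-example" # assumed name
  location = "westeurope"
}

# A user-assigned identity is its own resource: its principal_id exists as
# soon as this resource is created, independent of the app service update.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-bugreport-example" # assumed name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

resource "azurerm_app_service_plan" "plan" {
  name                = "plan-bugreport-example" # assumed name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  sku {
    tier = "Basic"
    size = "B1"
  }
}

resource "azurerm_app_service" "app" {
  name                = "app-bugreport-example" # assumed name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.plan.id

  # The identity is attached by reference; nothing downstream has to read
  # attributes that only appear after the app service is updated.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.app.id]
  }
}

resource "azurerm_key_vault" "kv" {
  name                = "kv-bugreport-example" # placeholder, must be globally unique
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# Least-privilege policy for the app: read-only access to secrets.
resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.app.principal_id

  secret_permissions = ["Get", "List"]
}
```

If a system-assigned identity is required, the two-iteration approach from the comment can be driven with Terraform's standard targeting flag: `terraform apply -target=azurerm_app_service.app-bugreport` to enable the identity first, then a plain `terraform apply` for the access policy. Taking tenant_id from the data source removes one of the two failing references either way; the object_id still depends on the identity existing.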

@thatdotnetguy

Cheers @pregress, yes you're right in regards to the "apply in 2 iterations first enabling the system assigned identity and then using it in dependent resource"

Call me needy.... but that should just work without me doing two applies?!

6 participants