Open meilz381 opened 2 years ago
This also occurs when creating RBAC access policies that use azurerm_app_service: you have to create the app service first and then the access policies on a second apply run.
I can confirm this. When updating an existing azurerm_app_service resource to contain the following, it seems that change is ignored (leading to the same issue, introducing key vault after provisioning an app service is a pain atm).
identity {
  type = "SystemAssigned"
}
I have the same issue with an azurerm_windows_virtual_machine. I added an identity block and attempted to reference that identity block in an azurerm_key_vault_access_policy and it refuses to run. If I apply the identity {} changes and then plan again, it works as expected.
I had the same problem, but only if the resource existed before. I could fix it by adding the service identity manually in Azure. Afterwards, it worked fine. Or you create all resources from scratch. That should also work.
Yes, I also recognized that. When the resource is created from scratch it works.
To summarize the other posts: Several resources are affected. When the resource exists and the managed identity should be added (the resource gets updated) it fails.
I am having the same problem. I added identity { type = "SystemAssigned" } to an existing app service and tried to use azurerm_app_service.my_app_service.identity[0].principal_id in the keyvault access policy and I get
│ The argument "access_policy.1.object_id" is required, but no definition was found.
In my case, I'm trying to replace Service Principal with System Assigned managed Identity in AKS and map azurerm_kubernetes_cluster.aks.identity[0].principal_id to the role assignments and I get:
The argument "principal_id" is required, but no definition was found.
This case was created about 4 months ago. Could this be somehow prioritised, please?
Hello, same issue with azurerm_function_app when adding its identity to access keyvault secrets.
Workaround for me was to add system assigned identity manually via Azure portal.
Hi. Faced the same issue with azurerm_function_app. As a workaround, I'm using azurerm_user_assigned_identity
In order not to create azurerm_user_assigned_identity and not to destroy your environment, you may go to Azure Portal -> AppService/Function -> Identity -> System Assigned -> On on each service you want to be added to the key vault. Afterwards your tf script will run as it should.
UPD:
in case you wanna keep the IaC spirit and write some code:
az webapp identity assign -g MyResourceGroup -n MyUniqueApp
- this should make the change instead of clicking the portal
Having to set things in the portal though kinda goes against the spirit of IAC and automation.
I just now faced this issue by simply following documentation on managing certificates in API Management.
Any ideas about a workaround which could be contained only in Terraform?
As a workaround, you can use azurerm_user_assigned_identity. Worked for me
You are right. Also within hidden comments, there was an exact workaround. Maybe such comments should not be hidden?
EDIT: actually, it was your comment :D
Community Note
Terraform (and AzureRM Provider) Version
Terraform v1.0.4 azurerm version 2.76.0
Affected Resource(s)
Terraform Configuration Files
excerpt of a larger file used for configuration:
Debug Output
Expected Behaviour
The access policy gets created after the API management instance and the system-assigned identity is created. I assume my configuration is correct because when I first create the APIM and the system-assigned identity, and then, in a second step, add the access policy everything works.
Actual Behaviour
The creation fails since the principal id isn't defined before the creation of the API management and the registration of the APIM in the AAD.
Steps to Reproduce
terraform apply
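
The Terraform-only workaround mentioned in the comments (azurerm_user_assigned_identity), sketched for the API Management case from the issue. This is an added example, not configuration from the issue or from the provider's documentation; every resource name, the resource group, the key vault name and the publisher details are placeholders. The identity is a resource of its own, so the access policy takes `principal_id` from it rather than from the service's `identity` block.

```hcl
provider "azurerm" {
  features {}
}

# Placeholder names throughout: adjust to the existing environment.
data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "example-rg"
}

data "azurerm_key_vault" "example" {
  name                = "example-kv"
  resource_group_name = data.azurerm_resource_group.example.name
}

# Standalone identity: principal_id comes from this resource, not from
# the identity block of the service that uses it.
resource "azurerm_user_assigned_identity" "apim" {
  name                = "example-apim-identity"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

resource "azurerm_api_management" "example" {
  name                = "example-apim"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  publisher_name      = "Example Publisher"
  publisher_email     = "admin@example.com"
  sku_name            = "Developer_1"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.apim.id]
  }
}

# Grant only what the service needs to read certificates and secrets.
# Lowercase permission names match the 2.x provider used in this issue;
# newer provider versions expect capitalized values such as "Get".
resource "azurerm_key_vault_access_policy" "apim" {
  key_vault_id = data.azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.apim.principal_id

  secret_permissions      = ["get"]
  certificate_permissions = ["get"]
}
```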