hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_subscription_policy_assignment identity.principal_id Attributes Reference for UserAssigned Type Not Working #19017

Open Eslam10 opened 2 years ago

Eslam10 commented 2 years ago

Terraform Version

1.1.2

AzureRM Provider Version

3.28.0

Affected Resource(s)/Data Source(s)

azurerm_subscription_policy_assignment

Terraform Configuration Files

data "azurerm_subscription" "current" {}

resource "azurerm_subscription_policy_assignment" "main" {
  name                 = "test-policy-assignment"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c"
  subscription_id      = data.azurerm_subscription.current.id
  identity {
    type         = "UserAssigned"
    identity_ids = var.identity_ids
  }
  location = "west europe"
}

Debug Output/Panic Output

{
  "description" = ""
  "display_name" = ""
  "enforce" = true
  "id" = "/subscriptions/xxxx/providers/Microsoft.Authorization/policyAssignments/test-policy-assignment"
  "identity" = tolist([
    {
      "identity_ids" = toset([
        "/subscriptions/xxxx/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-user-assigned-managed-identity",
      ])
      "principal_id" = ""
      "tenant_id" = ""
      "type" = "UserAssigned"
    },
  ])
  "location" = "westeurope"
  "metadata" = "{\"createdBy\":\"2d37c867-a06d-4c4b-81cf-79769b277504\",\"createdOn\":\"2022-10-27T09:27:31.5311322Z\",\"updatedBy\":null,\"updatedOn\":null}"
  "name" = "test-policy-assignment"
  "non_compliance_message" = tolist([])
  "not_scopes" = tolist(null) /* of string */
  "parameters" = ""
  "policy_definition_id" = "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c"
  "subscription_id" = "/subscriptions/xxxx"
  "timeouts" = null /* object */
}

Expected Behaviour

Attribute reference identity.principal_id should have the value of the user assigned managed identity principal_id.

This is working properly for the SystemAssigned managed identity type but not for the UserAssigned.

This principal_id attribute reference will be used in the same code for assigning the required role of the policy assignment using azurerm_role_assignment TF resource.

Actual Behaviour

Attribute reference identity.principal_id is empty.

Steps to Reproduce

  1. Assign a policy definition that uses a managed identity using azurerm_subscription_policy_assignment resource.
  2. Use UserAssigned managed identity type.
  3. Output resource.identity.principal_id value or use it on another resource.
  4. The value is empty.

Important Factoids

No response

References

No response

wuxu92 commented 2 years ago

@Eslam10 Thanks for your feedback. But for a UserAssigned identity, it is by design that the principal property is not set, because we can pass more than one UserAssigned id and each of them has its own principal, so we cannot set only one of them as identity.principal_id.

Eslam10 commented 2 years ago

@wuxu92, thanks for the reply. I am not sure how we can assign more than one user managed identity to the same policy assignment; this gives me the error below: Message="The policy assignment 'test-policy-assignment' request is invalid. One and only one identity can be specified. You cannot specify both user assigned and system assigned identities, nor can you specify more than one user assigned identity."

I believe this identity_ids argument should be a string, not a list? I will open a separate issue for this error.
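As an added example (not code from the issue author or the provider maintainers), the configuration a practitioner would use for the report above: the user-assigned identity is created in Terraform, its own principal_id attribute feeds azurerm_role_assignment instead of the empty identity.principal_id on the policy assignment, and the policy assignment receives exactly one identity ID, consistent with the one-identity error quoted above. The resource group name, identity name and role name are assumptions.

```hcl
data "azurerm_subscription" "current" {}

# Assumed resource group and identity names (not from the issue).
resource "azurerm_resource_group" "policy" {
  name     = "rg-policy-identity"
  location = "westeurope"
}

resource "azurerm_user_assigned_identity" "policy" {
  name                = "id-policy-assignment"
  resource_group_name = azurerm_resource_group.policy.name
  location            = azurerm_resource_group.policy.location
}

resource "azurerm_subscription_policy_assignment" "main" {
  name                 = "test-policy-assignment"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c"
  subscription_id      = data.azurerm_subscription.current.id
  location             = azurerm_user_assigned_identity.policy.location

  identity {
    type = "UserAssigned"
    # Exactly one ID: the service rejects more than one user-assigned identity.
    identity_ids = [azurerm_user_assigned_identity.policy.id]
  }
}

# Role name is an assumption: use the role(s) listed in the policy definition's
# roleDefinitionIds, scoped to the subscription, not a broader role.
variable "policy_remediation_role" {
  type    = string
  default = "Reader" # placeholder; replace with the role the policy requires
}

# principal_id comes from the identity resource itself, since the policy
# assignment's identity.principal_id is empty for UserAssigned.
resource "azurerm_role_assignment" "policy_remediation" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = var.policy_remediation_role
  principal_id         = azurerm_user_assigned_identity.policy.principal_id
}

output "policy_identity_principal_id" {
  value = azurerm_user_assigned_identity.policy.principal_id
}
```

Because the role assignment depends on the identity resource rather than on the policy assignment, Terraform orders the creates correctly without a depends_on, and the grant stays limited to the subscription scope the policy is assigned at.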