Unable to get SystemAssigned identity attributes in terraform azure provider

2
votes

With the following app service definition

data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}

# Creates our new App Service
resource "azurerm_app_service" "app" {
  name                    = var.app_name
  app_service_plan_id     = var.app_service_plan_id
  location                = data.azurerm_resource_group.rg.location
  resource_group_name     = data.azurerm_resource_group.rg.name
  client_affinity_enabled = false
  enabled                 = true
  https_only              = true

  app_settings = var.app_settings

  site_config {
    always_on                 = true
    http2_enabled             = true
    use_32_bit_worker_process = false
    scm_type                  = "LocalGit"
    default_documents         = var.default_documents

    cors {
      allowed_origins     = var.cors_allowed_origins
      support_credentials = var.cors_enabled
    }
  }

  identity {
    type = "SystemAssigned"
  }

I am setting the keyvault access policy like so

resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id       = var.key_vault_id
  tenant_id          = azurerm_app_service.app.identity[0].tenant_id
  object_id          = azurerm_app_service.app.identity[0].principal_id
  secret_permissions = ["get", "list"]
}

However azure provider for terraform gives this errors

Error: "object_id": required field is not set

  on ..\modules\app-service\main.tf line 68, in resource "azurerm_key_vault_access_policy" "app":
  68: resource "azurerm_key_vault_access_policy" "app" {



Error: "tenant_id": required field is not set

  on ..\modules\app-service\main.tf line 68, in resource "azurerm_key_vault_access_policy" "app":
  68: resource "azurerm_key_vault_access_policy" "app" {

as if the identity block does not provide the tenant_id and principal_id attribute

Any ideas?

2
azureazure-devopsterraformterraform-provider-azure
I didn't see any error in the key vault access policy, are you sure what you provide is the same in your code?Charles Xu

2 Answers

2
votes

The issue turned out that the app service in azure had the 'SystemAssigned' turned off and this was causing the plan and apply to fail. Fixing the azure service fixed our problem. Our problem probably could also have been fixed by tainting the app-service and by destroying and recreating the infrastructure.

1
votes

should be this:

${azurerm_app_service.app.identity.0.tenant_id}
${azurerm_app_service.app.identity.0.principal_id}

https://www.terraform.io/docs/providers/azurerm/r/app_service.html#attributes-reference