azurerm_app_service - identity and KeyVaultReferenceIdentity is not set sequentially #14231

Closed
petr-stupka opened this issue Nov 17, 2021 · 2 comments

Comments

@petr-stupka
Contributor

petr-stupka commented Nov 17, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.0.10
on linux_arm64

  • provider registry.terraform.io/hashicorp/azuread v2.9.0
  • provider registry.terraform.io/hashicorp/azurerm v2.85.0

Affected Resource(s)

  • azurerm_app_service
  • azurerm_function_app

Terraform Configuration Files

resource "azurerm_app_service" "webapp" {
 ...

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.webapp.id,
      azurerm_user_assigned_identity.keyvault.id,
    ]
  }

  key_vault_reference_identity_id = azurerm_user_assigned_identity.keyvault.id

}

Debug Output

│ Error: web.AppsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The parameter 'KeyVaultReferenceIdentity' has an invalid value. Details: KeyVaultReferenceIdentity must either be null, 'SystemAssigned', or a UserAssigned Identity Resource Id assigned to this site." Details=[{"Message":"The parameter 'KeyVaultReferenceIdentity' has an invalid value. Details: KeyVaultReferenceIdentity must either be null, 'SystemAssigned', or a UserAssigned Identity Resource Id assigned to this site."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"01033","Message":"The parameter 'KeyVaultReferenceIdentity' has an invalid value. Details: KeyVaultReferenceIdentity must either be null, 'SystemAssigned', or a UserAssigned Identity Resource Id assigned to this site.","MessageTemplate":"The parameter '{0}' has an invalid value. Details: {1}.","Parameters":["KeyVaultReferenceIdentity","KeyVaultReferenceIdentity must either be null, 'SystemAssigned', or a UserAssigned Identity Resource Id assigned to this site"]}}]

Expected Behaviour

Identity should be added into User Assigned identity list in Azure WebApp as defined in identity block

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.webapp.id,
      azurerm_user_assigned_identity.keyvault.id,
    ]
  }

App should be configured to use the following identity for Key Vault reference operations by setting the key_vault_reference_identity_id property to the resource ID of the user-assigned identity.

key_vault_reference_identity_id = azurerm_user_assigned_identity.keyvault.id

Actual Behaviour

It doesn't work

when both identity and key_vault_reference_identity_id reference the identity in the same apply

It works when

  1. First add the identity into identity block and apply
  2. Second add the key_vault_reference_identity_id with the identity added previously and apply

Steps to Reproduce

Add identity and key_vault_reference_identity_id and apply

Important Factoids

I referenced function_app in Affected Resource(s), however I didn't test it. Assume it will be the same issue as this option has been added recently to both resources

References

@petr-stupka petr-stupka changed the title from "azurerm_app_service - KeyVaultReferenceIdentity must either be Resource Id assigned to this site" to "azurerm_app_service - identity and KeyVaultReferenceIdentity is not set sequentially" Nov 17, 2021
@jackofallops jackofallops self-assigned this Feb 22, 2022
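
A pre-apply check for the condition reported in this issue, added here as an example (not code from the issue or from the provider): it reads the JSON form of a plan, as produced by `terraform show -json`, and lists affected resources where `key_vault_reference_identity_id` points at an identity that is not already attached in prior state. The function names, sample addresses and placeholder IDs are assumptions; the rule it encodes is the behaviour described above, not documented provider logic.

```python
# Resource types listed under "Affected Resource(s)" in the issue.
AFFECTED = {"azurerm_app_service", "azurerm_function_app"}

def assigned_ids(state):
    """Lower-cased identity_ids present in a plan 'before' object."""
    ids = set()
    for block in (state or {}).get("identity") or []:
        ids.update(rid.lower() for rid in block.get("identity_ids") or [])
    return ids

def needs_two_step_apply(plan):
    """Addresses where key_vault_reference_identity_id is set in the same apply
    that first attaches that identity to the site."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in AFFECTED:
            continue
        change = rc["change"]
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        ref = after.get("key_vault_reference_identity_id")
        ref_unknown = unknown.get("key_vault_reference_identity_id") is True
        if not ref and not ref_unknown:
            continue  # property not set, or resource is being destroyed
        # An ID unknown at plan time belongs to an identity created in this
        # apply, so it cannot already be attached to the site.
        if ref_unknown or ref.lower() not in assigned_ids(change.get("before")):
            flagged.append(rc["address"])
    return flagged

# Constructed sample input: placeholder IDs, not values from the issue.
PREFIX = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"
WEB, KV = PREFIX + "webapp", PREFIX + "keyvault"

def sample_change(addr, before_ids, after_ref, unknown=False):
    before = {"identity": [{"type": "UserAssigned", "identity_ids": before_ids}]}
    after = {"identity": [{"type": "UserAssigned", "identity_ids": [WEB, KV]}],
             "key_vault_reference_identity_id": after_ref}
    return {"address": addr, "type": addr.split(".")[0],
            "change": {"actions": ["update"], "before": before, "after": after,
                       "after_unknown": {"key_vault_reference_identity_id": unknown}}}

SAMPLE_PLAN = {"resource_changes": [
    sample_change("azurerm_app_service.same_apply", [WEB], KV),       # reported failure case
    sample_change("azurerm_app_service.second_apply", [WEB, KV], KV),  # step 2 of the workaround
    sample_change("azurerm_function_app.new_identity", [WEB], None, True),  # ID not known yet
]}

if __name__ == "__main__":
    print(needs_two_step_apply(SAMPLE_PLAN))
```

A flagged address is a candidate for the two-apply sequence listed under "It works when": attach the identity first, then set the reference.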
@jackofallops
Member

Hi 👋

Since this resource is now deprecated, and the underlying problem has been addressed in the replacement resources, I'm going to close this issue out.

Thanks!

@github-actions

github-actions bot commented Jun 3, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 3, 2022