terraform-provider-azapi
Passing the `id` attribute of a service principal in `azapi_resource`'s `identity` block returns `Error: parsing Azure ID`
I have an `azurerm_logic_app_workflow` block that uses a system assigned service principal.
```hcl
resource "azurerm_logic_app_workflow" "logic_app" {
  name                = "${var.name_prefix}-file-upload-logic-app"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  identity {
    type = "SystemAssigned"
  }
}
```
and an API connection to SharePoint:
```hcl
resource "azapi_resource" "connection" {
  type      = "Microsoft.Web/connections@2016-06-01"
  name      = "${var.name_prefix}-sharepointonline-connection"
  location  = azurerm_resource_group.rg.location
  parent_id = azurerm_resource_group.rg.id

  tags = {
    created_by = "terraform"
  }

  # use the system assigned identity from the logic app
  identity {
    type         = "SystemAssigned"
    identity_ids = [azurerm_logic_app_workflow.logic_app.identity.0.principal_id]
  }

  body = jsonencode(
    {...}
  )
}
```
When running `terraform plan` I get
```
╷
│ Error: parsing Azure ID: parse "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": invalid URI for request
│
│   with azapi_resource.connection,
│   on main.tf line 136, in resource "azapi_resource" "connection":
│  136:     identity_ids = [azurerm_logic_app_workflow.logic_app.identity.0.principal_id]
│
```
The id is passed correctly from the first block to the connection block. After searching the web for way too long, I saw a mention that the format needs to be something like `"/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/${azurerm_resource_group.rg.name}/providers/microsoft.managedidentity/UserAssignedIdentities/${name_of_managed_identity}"`.
I've had no luck with that either.

It would be a lot more intuitive if we were able to pass the principal id in `identity_ids`.
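
A pre-plan check for the mismatch behind the error above, added here as an example and not part of the original issue or the provider's code: it separates a bare principal GUID from the user-assigned identity resource ID format quoted in the post. The function names and sample values are constructed for illustration, and the regex is an assumption about the ID shape, not the provider's own parser.

```python
import re

# A bare GUID, which is what `identity.0.principal_id` evaluates to.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Resource ID shape quoted in the issue; segment names are matched
# case-insensitively because the post itself mixes casing.
UAI_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.ManagedIdentity"
    r"/userAssignedIdentities/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def classify_identity_id(value):
    """Return (kind, detail) for one entry intended for identity_ids."""
    value = value.strip()
    if GUID.match(value):
        return ("principal_guid", "bare GUID, not an Azure resource ID")
    match = UAI_ID.match(value)
    if match is None:
        return ("invalid", "not a user-assigned identity resource ID")
    if not GUID.match(match["subscription"]):
        return ("invalid", "subscription segment is not a GUID")
    return ("resource_id", match.groupdict())


def rejected_identity_ids(values):
    """Return (index, value, reason) for every entry that is not a resource ID."""
    problems = []
    for index, value in enumerate(values):
        kind, detail = classify_identity_id(value)
        if kind != "resource_id":
            problems.append((index, value, detail))
    return problems


# Constructed sample values, not taken from the issue.
SAMPLE_PRINCIPAL_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/example-rg/providers/microsoft.managedidentity"
    "/UserAssignedIdentities/example-identity"
)

if __name__ == "__main__":
    for problem in rejected_identity_ids([SAMPLE_PRINCIPAL_ID, SAMPLE_RESOURCE_ID]):
        print(problem)
```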