
azurerm_linux_function_app user identity validation failures

Open bgmonroe opened this issue 3 years ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.4

AzureRM Provider Version

3.13.0

Affected Resource(s)/Data Source(s)

azurerm_linux_function_app

Terraform Configuration Files

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "test_rg" {
  name = "test_group"
}

resource "azurerm_storage_account" "test_function_sa" {
  name                     = "blahblahblah"
  resource_group_name      = data.azurerm_resource_group.test_rg.name
  location                 = data.azurerm_resource_group.test_rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_user_assigned_identity" "function_app_id" {
  resource_group_name = data.azurerm_resource_group.test_rg.name
  location            = data.azurerm_resource_group.test_rg.location
  name                = "test_user"
}

resource "azurerm_service_plan" "function_sp" {
  name                = "test_sp"
  resource_group_name = data.azurerm_resource_group.test_rg.name
  location            = data.azurerm_resource_group.test_rg.location
  os_type             = "Linux"
  sku_name            = "S1"
}

resource "azurerm_linux_function_app" "functon_app" {
  name                 = "test-function-name"
  resource_group_name  = data.azurerm_resource_group.test_rg.name
  location             = data.azurerm_resource_group.test_rg.location
  storage_account_name = azurerm_storage_account.test_function_sa.name
  service_plan_id      = azurerm_service_plan.function_sp.id
  site_config {}
  key_vault_reference_identity_id = azurerm_user_assigned_identity.function_app_id.principal_id
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.function_app_id.principal_id]
  }
}

Debug Output/Panic Output

N/A

Expected Behaviour

The Linux Function App gets built, as it does with azurerm_function_app.

Actual Behaviour

The attributes key_vault_reference_identity_id and identity.identity_ids[*] fail to be parsed correctly once the azurerm_user_assigned_identity is known.

azurerm_user_assigned_identity.function_app_id: Creating...
azurerm_user_assigned_identity.function_app_id: Creation complete after 1s [id=/subscriptions/029835d0-8142-4429-871b-92b390974db5/resourceGroups/monroe1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/brett_test_user]

│ Error: parsing "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": expected 8 segments within the Resource ID but got 1 for "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
│
│   with azurerm_linux_function_app.functon_app,
│   on main.tf line 40, in resource "azurerm_linux_function_app" "functon_app":
│   40:   key_vault_reference_identity_id = azurerm_user_assigned_identity.function_app_id.principal_id
│

│ Error: parsing "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx": expected 8 segments within the Resource ID but got 1 for "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
│
│   with azurerm_linux_function_app.functon_app,
│   on main.tf line 43, in resource "azurerm_linux_function_app" "functon_app":
│   43:     identity_ids = [azurerm_user_assigned_identity.function_app_id.principal_id]
│

Steps to Reproduce

  1. terraform init
  2. terraform plan
  3. terraform apply
  4. terraform plan *

* Once the principal_id is known after creation, the next plan will run into this issue.

Important Factoids

No response

References

This looks identical to #16083 for the azurerm_linux_web_app_slot resource (fixed by PR #16149).

This makes me wonder where else msiValidate.UserAssignedIdentityID needs to be replaced with validation.IsUUID.

bgmonroe avatar Jul 12 '22 19:07 bgmonroe

Also, trying to destroy the resource will run into this error. I have found, however, that adding -refresh=false to the terraform destroy will destroy the infrastructure, but it doesn't help with passing a plan or a regular apply.

bgmonroe avatar Jul 13 '22 15:07 bgmonroe

Hi @bgmonroe,

I faced the same issue today in "azurerm_linux_web_app"; in my case the solution was to replace "principal_id" with "id".

  key_vault_reference_identity_id = azurerm_user_assigned_identity.ipam.id

  identity {
    identity_ids = [azurerm_user_assigned_identity.ipam.id]
    type         = "UserAssigned"
  }

stargriv avatar Sep 22 '22 17:09 stargriv

hey @bgmon

As mentioned in this comment, we're expecting the ID of a Managed Identity rather than the UUID of the Managed Identity; as such this can be fixed by specifying the id field rather than the UUID here (which we're missing validation for, and would make this clearer at plan-time).

Since this issue can be fixed by updating the Terraform Configuration being used and isn't a bug in the Azure Provider, I'm going to close this issue for the moment; however, should you have further usage questions, I'd direct you towards the Community Discuss forum.

Thanks!

tombuildsstuff avatar Oct 07 '22 21:10 tombuildsstuff
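To make concrete why principal_id trips the "expected 8 segments" parser while the id attribute passes, the following is an added Go example (not provider code) that approximates the resource-ID check the maintainer describes above and the UUID check the reporter mentions; the GUID, resource group and identity name in it are constructed, and the function names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Bare GUID: the form principal_id (and client_id) of a managed identity take.
// IsUUID stands in for the provider's validation.IsUUID.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

func IsUUID(s string) bool { return uuidRe.MatchString(strings.ToLower(s)) }

// UserAssignedIdentityID approximates the resource-ID check behind the reported error:
// /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name}
func UserAssignedIdentityID(s string) error {
	segs := strings.Split(strings.Trim(s, "/"), "/")
	if len(segs) != 8 { // a bare GUID has no "/" and so yields exactly 1 segment
		return fmt.Errorf("parsing %q: expected 8 segments within the Resource ID but got %d", s, len(segs))
	}
	fixed := map[int]string{0: "subscriptions", 2: "resourceGroups", 4: "providers", 5: "Microsoft.ManagedIdentity", 6: "userAssignedIdentities"}
	for i, want := range fixed {
		if !strings.EqualFold(segs[i], want) {
			return fmt.Errorf("parsing %q: segment %d should be %q but got %q", s, i, want, segs[i])
		}
	}
	return nil
}

// CheckIdentityConfig runs the check over the two attributes from the report and
// returns one error per offending attribute, mirroring the two plan-time errors.
func CheckIdentityConfig(keyVaultRefID string, identityIDs []string) []error {
	var errs []error
	if err := UserAssignedIdentityID(keyVaultRefID); err != nil {
		errs = append(errs, fmt.Errorf("key_vault_reference_identity_id: %w", err))
	}
	for i, id := range identityIDs {
		if err := UserAssignedIdentityID(id); err != nil {
			errs = append(errs, fmt.Errorf("identity.identity_ids[%d]: %w", i, err))
		}
	}
	return errs
}

func main() {
	guid := "12345678-1234-1234-1234-123456789abc" // constructed principal_id, not a real identity
	id := "/subscriptions/" + guid + "/resourceGroups/test_group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test_user"
	fmt.Println(len(CheckIdentityConfig(guid, []string{guid})), len(CheckIdentityConfig(id, []string{id}))) // 2 0
}
```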

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Nov 07 '22 02:11 github-actions[bot]