azurerm_function_app doesn't handle 'identity' property as modify/destroy-create when principal ID outputted

[brandonh-msft]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.20

• provider.azurerm v1.43.0

Affected Resource(s)

Utilize this git repo for reproduction

• azurerm_function_app

Terraform Configuration Files

#Set the terraform required version
terraform {
  required_version = ">= 0.12.6"
}

# Configure the Azure Provider
provider "azurerm" {
  # It is recommended to pin to a given version of the Provider
  version = "~> 1"
}

variable "prefix" {
  type = string
}

variable "sampleName" {
  type    = string
  default = "terraform-functions-msi-bug"
}

variable "location" {
  type    = string
  default = "West US 2"
}

resource "azurerm_resource_group" "rg" {
  name     = "${var.prefix}-rg"
  location = var.location
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_storage_account" "fxnstor" {
  name                     = "${var.prefix}fxnssa"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_app_service_plan" "fxnapp" {
  name                = "${var.prefix}-fxn-asp"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  kind                = "functionapp"
  sku {
    tier = "Dynamic"
    size = "Y1"
  }
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_function_app" "fxn" {
  name                      = "${var.prefix}-fxn"
  location                  = var.location
  resource_group_name       = azurerm_resource_group.rg.name
  app_service_plan_id       = azurerm_app_service_plan.fxnapp.id
  storage_connection_string = azurerm_storage_account.fxnstor.primary_connection_string
  version                   = "~3"
  tags = {
    sample = var.sampleName
  }
  # identity {
  #   type = "SystemAssigned"
  # }

  lifecycle {
    ignore_changes = [
      app_settings
    ]
  }
}

# output "functionPrincipal" {
#   value = azurerm_function_app.identity[0].principal_id
# }

Debug Output

Panic Output

Expected Behavior

The expected behavior is a SystemAssigned Identity should be given to the Function app, then output as part of tf apply.
This could happen either by a "modify" or a "destroy, create" path - doesn't matter (modify preferable, though).

Actual Behavior

Error: Reference to undeclared resource

  on main.tf line 82, in output "functionPrincipal":
  82:   value = azurerm_function_app.identity[0].principal_id

A managed resource "azurerm_function_app" "identity" has not been declared in
the root module.

Steps to Reproduce

1. Run terraform apply on the HCL above. You should get

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

2. Uncomment the identity and output blocks
3. Run terraform apply again

Note: Give the same value for the prefix variable both times & try to make it unique as you're creating globally-available resources

[tombuildsstuff]

hey @brandonh-msft

Thanks for opening this issue.

Taking a look into this I believe this has been fixed via #5676 which will ship as a part of v1.44 of the Azure Provider - as such I'm going to tag this with that Milestone so that @hashibot will comment when that's released - however since I believe this issue's been resolved by #5676 I'm going to close this issue for the moment.

Thanks!

[ghost]

This has been released in version 1.44.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.44.0"
}
# ... other configuration ...

[brandonh-msft]

Nope, still exists. Please reopen @tombuildsstuff

Updated HCL

#Set the terraform required version
terraform {
  required_version = ">= 0.12.6"
}

# Configure the Azure Provider
provider "azurerm" {
  # It is recommended to pin to a given version of the Provider
  version = "=1.44"
}

variable "prefix" {
  type = string
}

variable "sampleName" {
  type    = string
  default = "terraform-functions-msi-bug"
}

variable "location" {
  type    = string
  default = "West US 2"
}

resource "azurerm_resource_group" "rg" {
  name     = "${var.prefix}-rg"
  location = var.location
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_storage_account" "fxnstor" {
  name                     = "${var.prefix}fxnssa"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_app_service_plan" "fxnapp" {
  name                = "${var.prefix}-fxn-asp"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  kind                = "functionapp"
  sku {
    tier = "Dynamic"
    size = "Y1"
  }
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_function_app" "fxn" {
  name                      = "${var.prefix}-fxn"
  location                  = var.location
  resource_group_name       = azurerm_resource_group.rg.name
  app_service_plan_id       = azurerm_app_service_plan.fxnapp.id
  storage_connection_string = azurerm_storage_account.fxnstor.primary_connection_string
  version                   = "~2"
  tags = {
    sample = var.sampleName
  }
  # identity {
  #   type = "SystemAssigned"
  # }

  lifecycle {
    ignore_changes = [
      app_settings
    ]
  }
}

# output "functionPrincipal" {
#   value = azurerm_function_app.identity[0].principal_id
# }

Run initial tf init and tf apply:

C:\Users\brand\Projects\Microsoft\GitHub\terraform-functions-msi-bug\terraform [master ≡]> tf init

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "azurerm" (hashicorp/azurerm) 1.44.0...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
C:\Users\brand\Projects\Microsoft\GitHub\terraform-functions-msi-bug\terraform [master ≡]> tf apply -var prefix=gh5663 --auto-approve
azurerm_resource_group.rg: Creating...
azurerm_resource_group.rg: Creation complete after 1s [id=/subscriptions/.../resourceGroups/gh5663-rg]
azurerm_app_service_plan.fxnapp: Creating...
azurerm_storage_account.fxnstor: Creating...
azurerm_app_service_plan.fxnapp: Creation complete after 5s [id=/subscriptions/.../resourceGroups/gh5663-rg/providers/Microsoft.Web/serverfarms/gh5663-fxn-asp]
azurerm_storage_account.fxnstor: Still creating... [10s elapsed]
azurerm_storage_account.fxnstor: Still creating... [20s elapsed]
azurerm_storage_account.fxnstor: Creation complete after 20s [id=/subscriptions/.../resourceGroups/gh5663-rg/providers/Microsoft.Storage/storageAccounts/gh5663fxnssa]
azurerm_function_app.fxn: Creating...
azurerm_function_app.fxn: Still creating... [10s elapsed]
azurerm_function_app.fxn: Still creating... [20s elapsed]
azurerm_function_app.fxn: Still creating... [30s elapsed]
azurerm_function_app.fxn: Still creating... [40s elapsed]
azurerm_function_app.fxn: Still creating... [50s elapsed]
azurerm_function_app.fxn: Creation complete after 55s [id=/subscriptions/.../resourceGroups/gh5663-rg/providers/Microsoft.Web/sites/gh5663-fxn]

Then update the HCL to use the `identity` pieces ...

#Set the terraform required version
terraform {
  required_version = ">= 0.12.6"
}

# Configure the Azure Provider
provider "azurerm" {
  # It is recommended to pin to a given version of the Provider
  version = "=1.44"
}

variable "prefix" {
  type = string
}

variable "sampleName" {
  type    = string
  default = "terraform-functions-msi-bug"
}

variable "location" {
  type    = string
  default = "West US 2"
}

resource "azurerm_resource_group" "rg" {
  name     = "${var.prefix}-rg"
  location = var.location
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_storage_account" "fxnstor" {
  name                     = "${var.prefix}fxnssa"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_app_service_plan" "fxnapp" {
  name                = "${var.prefix}-fxn-asp"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  kind                = "functionapp"
  sku {
    tier = "Dynamic"
    size = "Y1"
  }
  tags = {
    sample = var.sampleName
  }
}

resource "azurerm_function_app" "fxn" {
  name                      = "${var.prefix}-fxn"
  location                  = var.location
  resource_group_name       = azurerm_resource_group.rg.name
  app_service_plan_id       = azurerm_app_service_plan.fxnapp.id
  storage_connection_string = azurerm_storage_account.fxnstor.primary_connection_string
  version                   = "~2"
  tags = {
    sample = var.sampleName
  }
  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    ignore_changes = [
      app_settings
    ]
  }
}

output "functionPrincipal" {
  value = azurerm_function_app.identity[0].principal_id
}

And now re-run terraform apply:

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
C:\Users\brand\Projects\Microsoft\GitHub\terraform-functions-msi-bug\terraform [master ≡]> tf apply -var prefix=gh5663 --auto-approve

Error: Reference to undeclared resource

  on main.tf line 82, in output "functionPrincipal":
  82:   value = azurerm_function_app.identity[0].principal_id

A managed resource "azurerm_function_app" "identity" has not been declared in
the root module.

[brandonh-msft]

ping @tombuildsstuff

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!