Hi. I have a problem with having both AppService and its slot the same object id of SystemAssigned identity. I've created these resources with Terraform. I'm using these IDs to assign these identities in KeyVault and this operation fails because you can't have duplicated identities in key vault's access policies. I also can't use "distinct" operation on identity id's because Terraform forbids run-time evaluation of "for_each" arguments which I should use to create n amount of access policies. This terraform code is used for both app and its slots creation: dynamic "identity" { for_each = var.identity content { type = identity.value["type"] } } This is keyvault assignment: locals { identities = distinct(concat([azurerm_app_service.app_service.identity[0]], [ for slot in azurerm_app_service_slot.web_app_slot: slot.identity[0]])) } resource "azurerm_key_vault_access_policy" "app_kv_access_policies" { for_each = { for identity in local.identities: identity.principal_id => identity } key_vault_id = var.devops_kv_id tenant_id = each.value.tenant_id object_id = each.value.principal_id secret_permissions = ["get"] key_permissions = [] }

@Alexander Shushanidze , System Assigned identity will be same for the 'production' slot and the root app service (both are eventually the same resource). So if you just cover only the slots excluding the app service itself while assigning identity in keyvault, you should be good and will not encounter this problem. locals { identities = [ for slot in azurerm_app_service_slot.web_app_slot: slot.identity[0]] } If your slots are all using same identity, then you can just use the identity from app service resource and not any slot. locals { identity = azurerm_app_service.app_service.identity[0] }

Same object id in SystemAssigned Identity of AppService and its slot

Accepted answer

Krish G 2,326 Reputation points

2020-10-29T15:53:01.08+00:00
@Alexander Shushanidze , System Assigned identity will be same for the 'production' slot and the root app service (both are eventually the same resource). So if you just cover only the slots excluding the app service itself while assigning identity in keyvault, you should be good and will not encounter this problem.

locals { identities = [ for slot in azurerm_app_service_slot.web_app_slot: slot.identity[0]] }

If your slots are all using same identity, then you can just use the identity from app service resource and not any slot.

locals { identity = azurerm_app_service.app_service.identity[0] }
Please sign in to rate this answer.

1 person found this answer helpful.
Alexander Shushanidze 41 Reputation points

2020-11-02T08:18:25.937+00:00

The production slot isn't included in this terraform resource. I have this situation in Azure when staging and production slot have the same identity:

I don't know how this could happen but it is what it is

Krish G 2,326 Reputation points

2020-11-02T08:24:09.957+00:00

If your slots are all using same identity, then you can just use the identity from app service resource and not any slot. (Updated the answer to include this)

locals { identity = azurerm_app_service.app_service.identity[0] }

Alexander Shushanidze 41 Reputation points

2020-11-02T11:12:37.747+00:00

The thing is that I don't know when my slots have the same identity and when they're not, and I can't decide this at runtime due to the terraform limitation, thus I can't "change" my strategy at runtime.

Krish G 2,326 Reputation points

2020-11-04T14:30:37.753+00:00

I believe by default if you assign like below

identity { type = "SystemAssigned" }

each slot will have different identity. Is not the case? Are you observing random behavior?

Alexander Shushanidze 41 Reputation points

2020-11-05T08:07:35.867+00:00

Yes, it happens randomly. Honestly, it seems like an azure bug. Should I contact the internal azure tech support?

Krish G 2,326 Reputation points

2020-11-05T08:34:02.153+00:00

Yes you can definitely reach Azure support. But I think it might be an issue at Terraform Azure provider side. I would like you to test with a later azurerm provider version first if you are not using already (2.34 as of today, azurerm registry). Also, since it is maintained by HashiCorp, and as per official documentation.

if an existing resource or field is working in an unexpected way, file a bug.
if you'd like the provider to support a new resource or field, file an enhancement/feature request.

HashiCorp support for Terraform Enterprise customers

Krish G 2,326 Reputation points

2020-11-05T10:25:31.807+00:00

Further to that I tested multiple times using ARM template as well as through Azure portal where each slot always gets different identity consistently. So as I mentioned in above comment, it looks like a terraform issue.

Tommi Laukkanen 105 Reputation points

2024-03-08T12:29:21.78+00:00

Update on this answer: it doesn't work after all in new environment. Works only for existing env where values are known.

We were still having this same issue but it seems that we might have been able to solve this with the mentioned distinct approach. We define the access policies in Terraform now like this where we provide list of identity object ids to this module and only create access policies to distinct object id values.

locals { object_ids = distinct([ var.app1-principal-id, var.app1-slot-principal-id, var.app2-principal-id, var.app2-slot-principal-id ]) } resource "azurerm_key_vault_access_policy" "my_apps" { for_each = toset(local.object_ids) # This only works in existing env key_vault_id = var.keyvault_id tenant_id = var.tenant_id object_id = each.value secret_permissions = [ "Get" ] }
Sign in to comment

Same object id in SystemAssigned Identity of AppService and its slot

0 additional answers