key_vault_reference_identity_id not expected in azurerm_function_app_flex_consumption #28928

Open
1 task done
AndreuCodina opened this issue Mar 3, 2025 · 10 comments

Comments

@AndreuCodina

AndreuCodina commented Mar 3, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.10.5

AzureRM Provider Version

4.21.1

Affected Resource(s)/Data Source(s)

azurerm_function_app_flex_consumption

Terraform Configuration Files

resource "azurerm_resource_group" "test" {
  name     = "swedencentral"
  location = "swedencentral"
}

resource "azurerm_service_plan" "test" {
  name                = "asp-test"
  location            = "swedencentral"
  resource_group_name = azurerm_resource_group.test.name
  os_type             = "Linux"
  sku_name            = "FC1"
}

resource "azurerm_storage_account" "test" {
  name                          = "sttest"
  location                      = "swedencentral"
  resource_group_name           = azurerm_resource_group.test.name
  access_tier                   = "Hot"
  account_kind                  = "StorageV2"
  account_replication_type      = "LRS"
  account_tier                  = "Standard"
  public_network_access_enabled = true
}

resource "azurerm_storage_container" "test" {
  name                  = "test"
  storage_account_id    = azurerm_storage_account.test.id
  container_access_type = "private"
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "test" {
  name                          = "kv-test"
  location                      = "swedencentral"
  resource_group_name           = azurerm_resource_group.test.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  public_network_access_enabled = true
  purge_protection_enabled      = false
  soft_delete_retention_days    = 90
  enable_rbac_authorization     = true
}

resource "azurerm_user_assigned_identity" "test" {
  name                = "mi-test"
  location            = "swedencentral"
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_role_assignment" "mi_test_with_key_vault_secrets_user_in_kv_test" {
  principal_id         = azurerm_user_assigned_identity.test.principal_id
  role_definition_name = "Key Vault Secrets User"
  scope                = azurerm_key_vault.test.id
}

resource "azurerm_function_app_flex_consumption" "test" {
  name                                           = "func-test"
  location                                       = "swedencentral"
  resource_group_name                            = azurerm_resource_group.test.name
  service_plan_id                                = azurerm_service_plan.test.id
  storage_container_type                         = "blobContainer"
  storage_container_endpoint                     = "${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}"
  storage_authentication_type                    = "StorageAccountConnectionString"
  storage_access_key                             = azurerm_storage_account.test.primary_access_key
  runtime_name                                   = "python"
  runtime_version                                = "3.11"
  instance_memory_in_mb                          = 2048
  key_vault_reference_identity_id                = azurerm_user_assigned_identity.test.id
  public_network_access_enabled                  = true
  webdeploy_publish_basic_authentication_enabled = true

  site_config {
    worker_count = 1
  }

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.test.id,
    ]
  }
}

Debug Output/Panic Output

Error

Expected Behaviour

The Function App uses the managed identity to access Key Vault, as documented in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app_flex_consumption#key_vault_reference_identity_id-1

Actual Behaviour

│ Error: Unsupported argument

│ ... in resource "azurerm_function_app_flex_consumption" "test":
│ key_vault_reference_identity_id = azurerm_user_assigned_identity.test.id

│ An argument named "key_vault_reference_identity_id" is not expected here.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

I used the new resource added in #28199

@mkuchniak

Facing same issue

@YahyaLafdi

Hello, I think it's just some documentation error, as I have checked the schema for azurerm_function_app_flex_consumption;
it does not have an attribute named key_vault_reference_identity_id.

@stephybun for the confirmation.

@joshvito
Contributor

joshvito commented Mar 3, 2025

Looks like "https_only" is also throwing an unsupported argument error (the same as key_vault_reference_identity_id).

key_vault_reference_identity_id can be set on a flex consumption function via the Azure CLI.
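
The schema check mentioned in the comments above, as an added example that is not part of the original thread or the provider's code: it lists which arguments a resource accepts according to `terraform providers schema -json` and reports the ones a configuration uses that are missing. The embedded schema is a constructed excerpt, not the provider's real attribute list, and the function names are hypothetical.

```python
import json

# Constructed excerpt shaped like `terraform providers schema -json` output;
# the attribute list is sample data, not the provider's real schema.
SAMPLE_SCHEMA = json.loads("""
{"provider_schemas": {"registry.terraform.io/hashicorp/azurerm": {
  "resource_schemas": {"azurerm_function_app_flex_consumption": {"block": {
    "attributes": {
      "name": {"type": "string", "required": true},
      "id": {"type": "string", "computed": true},
      "service_plan_id": {"type": "string", "required": true},
      "public_network_access_enabled": {"type": "bool", "optional": true}
    },
    "block_types": {"identity": {"nesting_mode": "list", "block": {
      "attributes": {
        "type": {"type": "string", "required": true},
        "identity_ids": {"type": ["set", "string"], "optional": true}
      }}}}
  }}}
}}}
""")

def settable_paths(block, prefix=""):
    """Argument paths a configuration may set, e.g. 'identity.type'."""
    paths = {prefix + name for name, attr in block.get("attributes", {}).items()
             if attr.get("required") or attr.get("optional")}  # skip computed-only
    for name, nested in block.get("block_types", {}).items():
        paths.add(prefix + name)
        paths |= settable_paths(nested["block"], prefix + name + ".")
    return paths

def unsupported_arguments(schema, resource_type, used):
    """Return the arguments in `used` that the resource schema does not accept."""
    for provider in schema["provider_schemas"].values():
        resource = provider.get("resource_schemas", {}).get(resource_type)
        if resource is not None:
            return sorted(set(used) - settable_paths(resource["block"]))
    raise KeyError(f"{resource_type} not in schema")

# Arguments from the issue's configuration, plus https_only from the comments
# (nested block arguments are written as dotted paths).
USED = ["name", "service_plan_id", "key_vault_reference_identity_id",
        "https_only", "identity.type", "identity.identity_ids"]

if __name__ == "__main__":
    print(unsupported_arguments(
        SAMPLE_SCHEMA, "azurerm_function_app_flex_consumption", USED))
```

Running the same check against the real schema dump of the installed provider version shows whether a documented argument such as the Key Vault reference identity can actually be enforced from Terraform.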

@xiaxyi
Contributor

xiaxyi commented Mar 3, 2025

@AndreuCodina I'm checking with the service team about it; once confirmed, I will add it to the PR. key_vault_reference_id is not added in the first PR as it only contains the basic app configurations. I will update the thread.

@xiaxyi
Contributor

xiaxyi commented Mar 3, 2025

Doc update is included in the PR; as for adding properties, there will be following PRs coming.
#28939

@joshvito
Contributor

joshvito commented Mar 4, 2025

I also created a doc update, for accuracy in example code #28967

@ryaneastabrook

ryaneastabrook commented Mar 4, 2025

@joshvito I just ran into the same https_only issue, it appears as though it's not in the property list for the resource (unless I'm just not seeing it). Although, the docs do state https_only is an available option.

@xiaxyi Want to address this in this PR? Or should I create a new issue as it's unrelated to this one, and I don't want to assume you'll do the work. Thank you for your hard work on this, btw.

@joshvito
Contributor

joshvito commented Mar 4, 2025

@ryaneastabrook
Not sure what you mean by "property list".
Https Only is definitely a feature in the Azure Portal.

@ryaneastabrook

ryaneastabrook commented Mar 4, 2025

@joshvito Sorry, I meant the allowed properties on the resource.

It is, however, in the arguments reference docs

@joshvito
Contributor

joshvito commented Mar 4, 2025

Okay. I understand. Thank you for the clarification.
