azurerm_cdn_frontdoor_profile - missing identity settings #20289

Open
AlmirKadric opened this issue Feb 3, 2023 · 30 comments · May be fixed by #28281
Assignees
Labels
enhancement service/cdn upstream/pandora This issue/PR has a dependency on an issue in `github.com/hashicorp/pandora` v/3.x
Milestone

Comments

@AlmirKadric

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.6

AzureRM Provider Version

3.41.0

Affected Resource(s)/Data Source(s)

azurerm_cdn_frontdoor_profile

Terraform Configuration Files

resource "azurerm_cdn_frontdoor_profile" "shared" {
  name = "fd-${local.app_name}"
  sku_name = "Premium_AzureFrontDoor"
  response_timeout_seconds = 30

  resource_group_name = azurerm_resource_group.shared.name

  identity {
    type = "SystemAssigned"
  }
}

Debug Output/Panic Output

$ terraform apply
╷
│ Error: Unsupported block type
│
│   on shared_frontdoor.tf line 11, in resource "azurerm_cdn_frontdoor_profile" "shared":
│   11:   identity {
│
│ Blocks of type "identity" are not expected here.
╵

Expected Behaviour

I should be allowed to set the identity on an azurerm_cdn_frontdoor_profile resource

Actual Behaviour

I get an error and this seems to not be supported yet

Steps to Reproduce

  1. terraform apply
  2. Error

Important Factoids

No response

References

No response

@AlmirKadric AlmirKadric added the bug label Feb 3, 2023
@github-actions github-actions bot removed the bug label Feb 3, 2023
@WodansSon WodansSon changed the title from "missing cdn frontdoor identity settings" to "azurerm_cdn_frontdoor_profile - missing identity settings" Feb 6, 2023
@WodansSon
Collaborator

WodansSon commented Feb 6, 2023

@AlmirKadric, thanks for opening this issue. When I first implemented this resource I had originally added these settings, however I was told by the service team to remove them as the feature was not 100% complete as of GA of the REST APIs. I will check back with the service team and ask them if this is currently supported. Thanks again for the issue. 🚀

UPDATE (February 6, 2023):

I have confirmed with the service team that this functionality is currently in public preview and will be GA'ed in the next few months or so. Once this has GA'ed I will implement this functionality in the azurerm_cdn_frontdoor_profile resource.

@WodansSon WodansSon self-assigned this Feb 7, 2023
@WodansSon WodansSon added this to the Future milestone Feb 7, 2023
@WodansSon WodansSon added the upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR label Feb 7, 2023
@Poil

Poil commented Jun 7, 2023

Hi,
It looks like it is GA now?

@Daniel-Spindler-Mandalay

Daniel-Spindler-Mandalay commented Jun 8, 2023

Hi, It looks like it is GA now?

The (Preview) suffix next to Identity has disappeared from the Azure Portal GUI, however there is no official announcement that I can find.
Would expect to see it soon on https://azure.microsoft.com/en-us/updates/?status=nowavailable&query=Front%20Door

@Daniel-Spindler-Mandalay

@WodansSon Please be advised of the below.
General availability of Azure Front Door integration with managed identities
Published date: June 13, 2023
https://azure.microsoft.com/en-us/updates/general-availability-of-azure-front-door-integration-with-managed-identities/

@Daniel-Spindler-Mandalay

@manicminer could you please assist to remove the upstream/microsoft tag as it is no longer the case.
Thank you.


@Poil

Poil commented Sep 12, 2023

Hi,

Do you have any news ?

@artisticcheese

@WodansSon It's been 3 months since the API went GA. We need to decide whether to go to the AzAPI provider or wait for the AzureRM provider to be updated. Please provide some timeframes so we can make intelligent decisions.

@nicolasdesentryfy

We have the same issue, identity as a feature is there but not present in the terraform module. It's still missing.

@geremy42

geremy42 commented Oct 5, 2023

Need this feature too ..

@Daniel-Spindler-Mandalay

I think maybe we need to log a new issue to get some attention? This one is still marked as upstream/microsoft. I don't think anyone is going to look at it when it has this tag. The tag has been incorrect for 4+ months.

@rcskosir rcskosir removed the upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR label Oct 23, 2023
@WodansSon
Collaborator

WodansSon commented Oct 23, 2023

I am working on getting the new API implemented in the SDK so I can implement the identity settings.

Update:

The swagger has an issue and cannot be imported into the SDK. I am now working with the service team to get their swagger fixed so we can implement the new version in the SDK and then expose the identity field in the profile resource.

Additional:

I am still negotiating with the service team to get an ETA on getting a fix for the swagger issue merged into main.

@tombuildsstuff
Contributor

Re-adding the upstream/microsoft label to this issue since there's still an issue with the Swagger blocking this (as @WodansSon has mentioned above).

@tombuildsstuff tombuildsstuff added the upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR label Oct 24, 2023
@chunjin0530

Any updates on this issue?

@WodansSon
Collaborator

Any updates on this issue?

The service team is still working with the Azure Breaking Change Review Board on a path forward. I will update this issue when more information is available.

@kohlik

kohlik commented Feb 28, 2024

Has anyone tried adding a user assigned identity to Front Door using azapi? I can't seem to get that working either.

resource "azapi_update_resource" "umi_update_on_afd" {
  depends_on = [azurerm_cdn_frontdoor_profile.front_door]
  type       = "Microsoft.Cdn/profiles@2022-11-01-preview"
  resource_id = azurerm_cdn_frontdoor_profile.front_door.id
  body = jsonencode({
    properties = {
      identity = {
        type                   = "UserAssigned"
        userAssignedIdentities = [var.user_assigned_identity_id]
      }
    }
  })
}

What am I doing wrong here? The resource provisions without an error but can't see a UMI added to the service.

@rcskosir rcskosir added upstream/microsoft/blocking-swagger-issue This label is applicable when waiting on Microsoft for an issue with the Swagger definition. and removed upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR labels Feb 28, 2024
@naimadswdn
Contributor

@kohlik

The identity is not under the properties block.
Please try the below, it does work for me:

resource "azapi_update_resource" "this" {
  type       = "Microsoft.Cdn/profiles@2024-02-01"
  resource_id = azurerm_cdn_frontdoor_profile.this.id
  body = jsonencode({
    identity = {
      type                   = "UserAssigned"
      userAssignedIdentities = {
        "${azurerm_user_assigned_identity.this.id}" = {}
      }
    }
  })

  depends_on = [
    azurerm_user_assigned_identity.this,
    azurerm_cdn_frontdoor_profile.this
  ]
}

API docs: https://learn.microsoft.com/en-us/rest/api/cdn/profiles/get?view=rest-cdn-2023-05-01&tabs=HTTP#managedserviceidentity

Anyway, I am looking forward to have this natively in the azurerm provider.

@berryvanesch

Any update on this issue?

@stevef51

Any update on this? My current workaround is to manually turn on Identity after the FD resource is created and give it access to my Key Vault to get secrets, then re-apply my terraform script - not ideal, but workable

@naimadswdn
Contributor

@stevef51 why do anything manually, when you can use the azapi workaround from above?
I know it is not ideal and I am also looking for native support from the azurerm provider, but doing anything manually is kind of a violation of the IaC principles.

@ethanjenkins1

@kohlik

The identity is not under the properties block. Please try the below, it does work for me:

resource "azapi_update_resource" "this" {
  type       = "Microsoft.Cdn/profiles@2024-02-01"
  resource_id = azurerm_cdn_frontdoor_profile.this.id
  body = jsonencode({
    identity = {
      type                   = "UserAssigned"
      userAssignedIdentities = {
        "${azurerm_user_assigned_identity.this.id}" = {}
      }
    }
  })

  depends_on = [
    azurerm_user_assigned_identity.this,
    azurerm_cdn_frontdoor_profile.this
  ]
}

API docs: https://learn.microsoft.com/en-us/rest/api/cdn/profiles/get?view=rest-cdn-2023-05-01&tabs=HTTP#managedserviceidentity

Anyway, I am looking forward to have this natively in the azurerm provider.

How are you using azure_role_assignments after the managed identity creation? Can you give a code example?

@naimadswdn
Contributor

It's pretty easy, please see:

resource "azurerm_user_assigned_identity" "this" {
  name                = var.front_door.identity_name
  resource_group_name = var.resource_group_name
  location            = var.region

  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azurerm_role_assignment" "this" {
  scope                = var.front_door.key_vault_id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = azurerm_user_assigned_identity.this.principal_id
}

resource "azurerm_cdn_frontdoor_profile" "this" {
  name                = var.front_door.name
  resource_group_name = var.resource_group_name
  sku_name            = "Standard_AzureFrontDoor"

  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azapi_update_resource" "this" {
  type        = "Microsoft.Cdn/profiles@2024-02-01"
  resource_id = azurerm_cdn_frontdoor_profile.this.id
  body = jsonencode({
    identity = {
      type = "UserAssigned"
      userAssignedIdentities = {
        "${azurerm_user_assigned_identity.this.id}" = {}
      }
    }
  })
}

resource "azurerm_cdn_frontdoor_secret" "this" {
  name                     = var.front_door.secret_name
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.this.id

  secret {
    customer_certificate {
      key_vault_certificate_id = var.front_door.ssl_certificate_id
    }
  }

  depends_on = [
    azurerm_role_assignment.this,
    azapi_update_resource.this
  ]
}

I hope it helps.

@skytime-sh

Hi @WodansSon

It's been a while; was the fix on swagger now merged into main, so you could proceed?
It's working fine with azapi for us, but in the end it would be nice to get rid of this workaround.

@lcorsini

It's pretty easy, please see:

resource "azurerm_user_assigned_identity" "this" {
  name                = var.front_door.identity_name
  resource_group_name = var.resource_group_name
  location            = var.region

  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azurerm_role_assignment" "this" {
  scope                = var.front_door.key_vault_id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = azurerm_user_assigned_identity.this.principal_id
}

resource "azurerm_cdn_frontdoor_profile" "this" {
  name                = var.front_door.name
  resource_group_name = var.resource_group_name
  sku_name            = "Standard_AzureFrontDoor"

  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azapi_update_resource" "this" {
  type        = "Microsoft.Cdn/profiles@2024-02-01"
  resource_id = azurerm_cdn_frontdoor_profile.this.id
  body = jsonencode({
    identity = {
      type = "UserAssigned"
      userAssignedIdentities = {
        "${azurerm_user_assigned_identity.this.id}" = {}
      }
    }
  })
}

resource "azurerm_cdn_frontdoor_secret" "this" {
  name                     = var.front_door.secret_name
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.this.id

  secret {
    customer_certificate {
      key_vault_certificate_id = var.front_door.ssl_certificate_id
    }
  }

  depends_on = [
    azurerm_role_assignment.this,
    azapi_update_resource.this
  ]
}

I hope it helps.

Has something changed?
Today I was updating some code for frontdoor and got this:

│ Error: Invalid Type
│ 
│   with azapi_update_resource.this,
│   on frontdoor.tf line 29, in resource "azapi_update_resource" "this":
│   29:   body = jsonencode({
│   30:     identity = {
│   31:       type = "UserAssigned"
│   32:       userAssignedIdentities = {
│   33:         "${azurerm_user_assigned_identity.this.id}" = {}
│   34:       }
│   35:     }
│   36:   })
│ 
│ The value must not be a string

@naimadswdn
Contributor

According to the API docs, nothing changed: https://learn.microsoft.com/en-us/rest/api/cdn/profiles/create?view=rest-cdn-2024-02-01&tabs=HTTP#managedserviceidentity

Almost the same code works for me all the time.
I only changed it a bit, because of some terraform lint validators:

resource "azapi_update_resource" "this" {
  type        = "Microsoft.Cdn/profiles@2024-02-01"
  resource_id = azurerm_cdn_frontdoor_profile.this.id
  body = jsonencode({
    identity = {
      type = "UserAssigned"
      userAssignedIdentities = {
        trim("${azurerm_user_assigned_identity.this.id} ", " ") = {}
        # the usage of the trim function is a workaround to not trigger the false-positive TF lint check
      }
    }
  })
}

@skytime-sh

skytime-sh commented Nov 2, 2024

Has something changed? Today I was updating some code for frontdoor and got this:

│ Error: Invalid Type
│ 
│   with azapi_update_resource.this,
│   on frontdoor.tf line 29, in resource "azapi_update_resource" "this":
│   29:   body = jsonencode({
│   30:     identity = {
│   31:       type = "UserAssigned"
│   32:       userAssignedIdentities = {
│   33:         "${azurerm_user_assigned_identity.this.id}" = {}
│   34:       }
│   35:     }
│   36:   })
│ 
│ The value must not be a string

Yes, azapi provider v2 was released, with breaking changes.
https://github.com/Azure/terraform-provider-azapi/blob/main/CHANGELOG.md
Guess you do not control which version is used, so the newest was taken, having this effect.
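The workaround written for azapi provider v2, as an added example that is not code posted by anyone in this thread: the azapi version is pinned so an upgrade cannot silently change the body type again, `body` is passed as an HCL object instead of a `jsonencode()` string (the string form is what raises "Invalid Type ... The value must not be a string" on v2), and the identity ID is used as a parenthesized key expression, which sidesteps the lint false positive without the `trim()` trick. The resource names `azurerm_cdn_frontdoor_profile.this` and `azurerm_user_assigned_identity.this` are assumed to be declared elsewhere in the configuration.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.41"
    }
    azapi = {
      source = "Azure/azapi"
      # Pinned on purpose: v2 changed `body` from a JSON string to an object,
      # so an unpinned upgrade breaks the jsonencode() form of this resource.
      version = "~> 2.0"
    }
  }
}

# Assumed to exist elsewhere in this configuration (not shown here):
#   resource "azurerm_cdn_frontdoor_profile"  "this" { ... }
#   resource "azurerm_user_assigned_identity" "this" { ... }

resource "azapi_update_resource" "frontdoor_identity" {
  type        = "Microsoft.Cdn/profiles@2024-02-01"
  resource_id = azurerm_cdn_frontdoor_profile.this.id

  # azapi v2: an HCL object, NOT jsonencode({...}).
  # `identity` is a top-level property of the profile, not under `properties`.
  body = {
    identity = {
      type = "UserAssigned"
      # Map keyed by the identity's full resource ID with an empty object as
      # value; a list of IDs is silently ignored by the API. Parenthesising the
      # key makes it a dynamic expression, so no "interpolation-only string"
      # lint warning and no trim() workaround is needed.
      userAssignedIdentities = {
        (azurerm_user_assigned_identity.this.id) = {}
      }
    }
  }
}
```

Anything that depends on the identity being present (for example an azurerm_cdn_frontdoor_secret reading a Key Vault certificate) should `depends_on` both this resource and the role assignment that grants the identity access, as in the earlier example in this thread.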

@lcorsini

lcorsini commented Nov 2, 2024 via email

@WodansSon
Collaborator

@skytime-sh, I am currently looking at getting this implemented in the AzureRM provider.

@WodansSon
Collaborator

NOTE: Getting the identity field exposed in the provider will be delayed a bit as there was a regression discovered in the go-azure-sdk, please see PR #28211 for more details.

@WodansSon WodansSon added upstream/pandora This issue/PR has a dependency on an issue in `github.com/hashicorp/pandora` and removed upstream/microsoft/blocking-swagger-issue This label is applicable when waiting on Microsoft for an issue with the Swagger definition. labels Dec 7, 2024