Hi there,
I am trying to assign a Logic App's system-assigned managed identity to a role for starting/stopping a virtual machine. I use Terraform to deploy the Logic App template like this:
resource "azurerm_template_deployment" "myterraformscheduledvmdown" {
  name                = "scheduledvmdown"
  resource_group_name = "j14t23resources"
  template_body       = <<DEPLOY
  ],
  "outputs": {
    "appid": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Logic/workflows/', 'scheduledvmdown'), '2019-05-01', 'Full').Identity.tenantId]"
    }
  }
}
DEPLOY
  parameters = {
  }
  deployment_mode = "Incremental"
}

output "appid" {
  value = "${lookup(azurerm_template_deployment.myterraformscheduledvmdown.outputs, "appid")}"
}

resource "azurerm_role_assignment" "scheduletovmdown" {
  scope                = azurerm_linux_virtual_machine.myterraformvm.id
  role_definition_name = "Virtual Machine Contributor"
  principal_id         = azurerm_template_deployment.myterraformscheduledvmdown.outputs["appid"]
}
I get the following error message while trying to deploy:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalNotFound" Message="Principal xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx does not exist in the directory xxxxx-x-x-x-xxxx."
My assumption is that I do not get the right ID from the template's output:
"[reference(resourceId('Microsoft.Logic/workflows/', 'scheduledvmdown'), '2019-05-01', 'Full').Identity.tenantId]"
Do you have any idea what I did wrong? Or is there a nicer approach to assign the app's generated identity to a VM?

Thanks
tbz
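An added example (not the poster's code) showing the approach a practitioner would use instead of the template output: the `PrincipalNotFound` error is what you get when the role assignment receives the tenant ID rather than the identity's principal (object) ID, so in an ARM output the expression would need `.identity.principalId` instead of `.Identity.tenantId`. The version below avoids the template output entirely by letting Terraform create the workflow with a system-assigned identity and referencing its `principal_id` directly, and it replaces the broad "Virtual Machine Contributor" role with a custom role limited to the start/deallocate actions a schedule needs. Resource names, the region, and the omitted workflow definition are assumptions.

```hcl
# Added example, not the original poster's configuration. Assumes the
# resource group "j14t23resources" and the VM resource
# azurerm_linux_virtual_machine.myterraformvm already exist in this config.

resource "azurerm_logic_app_workflow" "scheduledvmdown" {
  name                = "scheduledvmdown"
  location            = "westeurope"   # assumption: any region works
  resource_group_name = "j14t23resources"

  # The system-assigned identity is created together with the workflow,
  # so Terraform knows its principal ID before the role assignment runs.
  identity {
    type = "SystemAssigned"
  }
}

# Least-privilege role: only the actions a start/stop schedule needs,
# instead of everything "Virtual Machine Contributor" allows.
resource "azurerm_role_definition" "vm_power" {
  name  = "VM Power Operator (scheduledvmdown)"   # assumed role name
  scope = azurerm_linux_virtual_machine.myterraformvm.id

  permissions {
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/deallocate/action",
    ]
    not_actions = []
  }

  assignable_scopes = [azurerm_linux_virtual_machine.myterraformvm.id]
}

resource "azurerm_role_assignment" "scheduletovmdown" {
  scope              = azurerm_linux_virtual_machine.myterraformvm.id
  role_definition_id = azurerm_role_definition.vm_power.role_definition_resource_id

  # principal_id must be the identity's object ID; passing the tenant ID
  # here is what produces the "PrincipalNotFound" error from the question.
  principal_id = azurerm_logic_app_workflow.scheduledvmdown.identity[0].principal_id
}
```

Scoping the assignment to the single VM (rather than the resource group or subscription) keeps the workflow's identity from being able to act on other machines if the Logic App itself is ever misused.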