Why does the principal ID of my Azure Function App (system-assigned identity) change every time I update the Docker image using Terraform?

KriShna PrakaSh 0 Reputation points
2025-01-06T14:14:55.73+00:00

Hi everyone,

I have an Azure Function App with a system-assigned managed identity that is created using a Docker image from Azure Container Registry (ACR). I have also set up a role assignment in Terraform where the principal_id of the function app is referenced as:

    principal_id = data.azurerm_linux_function_app.function_app.identity.0.principal_id

This Terraform configuration was working fine initially, and everything was deployed successfully. However, after a few weeks, I decided to update the Docker image used by the function app, but I did not change any other part of the Terraform script (including the identity or resource group).

When I ran terraform apply after modifying the Docker image, I noticed the following:

  1. The function app was updated (e.g., app settings were added), but no changes were made to the name, resource group, or identity.
  2. The role assignments were recreated, and the principal ID was changed even though the function app itself was not recreated or modified (besides the app settings).

I have verified that:

  • The state file is up to date.
  • No one else made changes to the Azure portal.

Why is the principal ID of the function app being changed every time I update the Docker image (or make minimal changes) using Terraform? Is this a known behavior, or could this be an issue with how Terraform is managing the identity? Any insights on why this happens and how to prevent it would be appreciated.

Thanks in advance for your help!


1 answer

  1. Khadeer Ali 1,875 Reputation points Microsoft Vendor
    2025-01-06T15:15:42.4666667+00:00

    @KriShna PrakaSh ,

    Welcome to Microsoft Q&A Platform!

    Thank you for reaching out with your query.

    The issue arises because system-assigned managed identities are tied to the Azure Function App's lifecycle. When you update the Docker image or make changes that affect the Function App's configuration, Azure may internally re-provision the identity, causing the principal_id to change. Terraform detects this change and re-creates the role assignments, which leads to the observed behavior.

    • Try switching to a User-Assigned Managed Identity, as these are persistent and not tied to the Function App's lifecycle, so the principal_id remains consistent across updates. This eliminates the issue of role assignments being re-created unnecessarily.
    • Try whether Terraform's ignore_changes solves it: this approach tells Terraform to ignore changes to the principal_id, preventing it from treating the identity update as a trigger to modify role assignments. It's a quick and straightforward fix to avoid disruptions while keeping the system-assigned identity.

    I hope this helps! Let us know if you have further questions.


    If this resolves your query, please click Accept Answer and Yes to indicate it was helpful. Feel free to reach out with any additional questions.
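Both options from the answer written out as Terraform, as an added example that is not part of the answer or of the azurerm provider's documentation; the resource names, the registry resource and the image tag variable are assumptions.

```hcl
# Added example, not from the answer: resource names, the ACR and var.image_tag are assumed.
# Option 1: a user-assigned identity has its own lifecycle, so its principal_id survives app updates.
resource "azurerm_user_assigned_identity" "func" {
  name                = "id-func-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_linux_function_app" "function_app" {
  name                       = "func-example"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  service_plan_id            = azurerm_service_plan.plan.id
  storage_account_name       = azurerm_storage_account.sa.name
  storage_account_access_key = azurerm_storage_account.sa.primary_access_key
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.func.id]
  }
  site_config {
    # Pull the image with the identity instead of storing registry credentials in app settings.
    container_registry_use_managed_identity       = true
    container_registry_managed_identity_client_id = azurerm_user_assigned_identity.func.client_id
    application_stack {
      docker {
        registry_url = "https://${azurerm_container_registry.acr.login_server}"
        image_name   = "myfunc"
        image_tag    = var.image_tag # bumping the tag no longer touches the identity
      }
    }
  }
}
# Least privilege: AcrPull on the registry is all the app needs to pull its image.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.func.principal_id
}

# Option 2 (keeping type = "SystemAssigned" on the app, referenced as in the question):
# ignore a changed principal_id so the assignment is not replaced. This hides the drift only.
resource "azurerm_role_assignment" "acr_pull_system" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = data.azurerm_linux_function_app.function_app.identity.0.principal_id
  lifecycle {
    ignore_changes = [principal_id]
  }
}
```

With option 2, if the system-assigned principal really is re-provisioned, the assignment stays bound to the old principal and the app silently loses access, so check `terraform plan` output for identity changes before relying on it; option 1 avoids that failure mode entirely.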

