Azure Front Door System Identity using Terraform


Managed identity for Azure Front Door is still in preview, and you cannot configure it with the AzureRM provider. This blocks users from linking services such as Key Vault to Front Door using IaC.

Although AzureRM cannot do this, we can use the AzAPI provider to configure the System Identity. AzAPI takes a JSON body to configure settings on a resource, and it lets us choose the API version, so we can select a preview API version that exposes Identity.

Configure the Provider

First, add the AzAPI provider to your Terraform config:

terraform {
  backend "azurerm" {}
  required_version = "***"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "***"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

Add the Identity Resource

We will use the azapi_update_resource resource to update an existing Azure Front Door profile and enable System Identity. The resource block looks like this:

resource "azapi_update_resource" "frontdoor_system_identity" {
  type        = "Microsoft.Cdn/profiles@2023-02-01-preview"
  resource_id = azurerm_cdn_frontdoor_profile.main.id
  body = jsonencode({
    "identity" : {
      "type" : "SystemAssigned"
    }
  })
}

Replace the following:

resource_id - point this at the Azure Front Door profile you want to set a System Identity on

Add an Output for System Identity

There are resources, such as Key Vault, where you need the principal ID of the created System Identity to configure access policies. For this, add the following attribute to the bottom of the azapi_update_resource block so that the identity fields are exported from the API response:

  response_export_values = ["identity.principalId", "identity.tenantId"]

To reference the exported values, use the following (with azapi 1.x the output attribute is a JSON string, so it must be decoded):

jsondecode(azapi_update_resource.frontdoor_system_identity.output).identity.tenantId

jsondecode(azapi_update_resource.frontdoor_system_identity.output).identity.principalId
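Putting the pieces together, here is an added example (not from the original post) that enables the identity, decodes the exported values, and grants that identity only the Get secret permission on a Key Vault, which is all Front Door needs to read a certificate. It assumes an existing azurerm_cdn_frontdoor_profile.main and an azurerm_key_vault.certs that uses the access-policy permission model; both names are hypothetical.

```hcl
# Added example, not the original post's code. Assumed to exist elsewhere:
#   azurerm_cdn_frontdoor_profile.main  (the Front Door profile)
#   azurerm_key_vault.certs             (vault holding the TLS certificates)

resource "azapi_update_resource" "frontdoor_system_identity" {
  type        = "Microsoft.Cdn/profiles@2023-02-01-preview"
  resource_id = azurerm_cdn_frontdoor_profile.main.id
  body = jsonencode({
    identity = {
      type = "SystemAssigned"
    }
  })

  # Export the identity fields from the API response so they can be
  # referenced by other resources in this configuration.
  response_export_values = ["identity.principalId", "identity.tenantId"]
}

locals {
  # With azapi 1.x the output attribute is a JSON string, hence jsondecode.
  frontdoor_identity = jsondecode(azapi_update_resource.frontdoor_system_identity.output).identity
}

# Least-privilege policy: Front Door reads certificates as secrets, so the
# identity is granted Get on secrets and nothing else (no List, no Set,
# no key or certificate management permissions).
resource "azurerm_key_vault_access_policy" "frontdoor" {
  key_vault_id = azurerm_key_vault.certs.id
  tenant_id    = local.frontdoor_identity.tenantId
  object_id    = local.frontdoor_identity.principalId

  secret_permissions = ["Get"]
}

output "frontdoor_principal_id" {
  description = "Object ID of the Front Door system-assigned identity"
  value       = local.frontdoor_identity.principalId
}
```

Because the policy references the decoded output, Terraform orders the identity update before the access policy automatically, and the principal ID will show as known after apply in the plan.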

Once you are ready, run terraform init and terraform plan to see what will happen before deployment.


Support James Cook by becoming a sponsor. Any amount is appreciated!