
Azure Front Door System Identity using Terraform


Identity in Azure Front Door is still in preview, and the AzureRM provider cannot configure it. This prevents linking services such as Key Vault to Front Door through IaC.

Although AzureRM cannot do this, we can use the AzAPI provider to configure the System Identity. AzAPI takes a JSON body to configure settings on a resource, and it lets us choose the API version, so we can target a preview API version that exposes the Identity property.

Configure the Provider

First, add the AzAPI provider to your Terraform config:

terraform {
  backend "azurerm" {}
  required_version = "***"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "***"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

Add the Identity Resource

We will use the azapi_update_resource resource to update an existing Azure Front Door profile and enable a System Identity on it. The resource block looks like this:

resource "azapi_update_resource" "frontdoor_system_identity" {
  type        = "Microsoft.Cdn/profiles@2023-02-01-preview"
  resource_id = azurerm_cdn_frontdoor_profile.main.id
  body = jsonencode({
    "identity" : {
      "type" : "SystemAssigned"
    }
  })
}

Replace the following:

resource_id - point this at the Azure Front Door profile you want to assign a System Identity to

Add an Output for System Identity

Some resources, such as Key Vault, need the principal ID of the created System Identity to configure access policies. To expose it, add the following argument at the bottom of the azapi_update_resource block so those fields are exported from the API response:

  response_export_values = ["identity.principalId", "identity.tenantId"]

To reference the exported values elsewhere in your configuration, decode the resource's output attribute:

jsondecode(azapi_update_resource.frontdoor_system_identity.output).identity.tenantId

jsondecode(azapi_update_resource.frontdoor_system_identity.output).identity.principalId
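As an added example (not code from the original post), here is the resource block from above with response_export_values in place, wired to an azurerm_key_vault_access_policy that grants the Front Door system identity only Get on secrets and certificates. The Key Vault reference azurerm_key_vault.certs and the exact permission set are assumptions for this example.

```hcl
# Added example, not the original post's code. The Key Vault resource name
# (azurerm_key_vault.certs) and the permission set are assumptions.

resource "azapi_update_resource" "frontdoor_system_identity" {
  type        = "Microsoft.Cdn/profiles@2023-02-01-preview"
  resource_id = azurerm_cdn_frontdoor_profile.main.id

  body = jsonencode({
    "identity" : {
      "type" : "SystemAssigned"
    }
  })

  # Export only the two identity fields needed downstream.
  response_export_values = ["identity.principalId", "identity.tenantId"]
}

# Decode the JSON output once so it can be referenced readably elsewhere.
locals {
  frontdoor_identity = jsondecode(azapi_update_resource.frontdoor_system_identity.output).identity
}

# Least-privilege access policy: Front Door only needs to read the
# certificate/secret it serves, so no List/Set/Delete permissions are granted.
resource "azurerm_key_vault_access_policy" "frontdoor" {
  key_vault_id = azurerm_key_vault.certs.id # assumed Key Vault resource
  tenant_id    = local.frontdoor_identity.tenantId
  object_id    = local.frontdoor_identity.principalId

  secret_permissions      = ["Get"]
  certificate_permissions = ["Get"]
}

output "frontdoor_principal_id" {
  value = local.frontdoor_identity.principalId
}
```

Because the access policy references the decoded output, Terraform orders it after the identity has been enabled, so the principal ID exists before the policy is created.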

Once you are ready, run terraform init and then terraform plan to review the changes before deploying them.

James Cook - Cloud and DevOps

71 posts

James is a Microsoft MVP with more than a decade of career experience in the tech space. James's blog focuses on all areas of Cloud and DevOps.