Azure Front Door System Identity using Terraform

Azure Front Door System Identity using Terraform

Identity in Azure Front Door is still in preview and you cannot use the AzureRM provider to configure it. This blocks users from being able to link services such as Key Vault using IaC.

Although AzureRM cannot do this, we can utilise the AzAPI provider to configure the System Identity. AzAPI utilises JSON to configure settings in a resource. We can select the API version, giving us control to use an API version in preview that has Identity available.

Configure the Provider

First, add the AzAPI provider to your Terraform config:

terraform {
  backend "azurerm" {}
  required_version = "***"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "***"
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1.0"

provider "azurerm" {
  features {}

provider "azapi" {}

Add the Identity Resource

We will be utilising the azapi_update_resource to update an existing Azure Front Door instance to enable System Identity. The resource block will look like this:

resource "azapi_update_resource" "frontdoor_system_identity" {
  type        = "Microsoft.Cdn/profiles@2023-02-01-preview"
  resource_id =
  body = jsonencode({
    "identity" : {
      "type" : "SystemAssigned"

Replace the following:

resource_id - point this to the Azure Front Door profile you want to set a System Identity

Add an Output for System Identity

There are resources, such as Key Vault, where you need the ID of the created System Identity to configure access policies. For this, we need to add the following output to the bottom of the resource block:

  response_export_values = ["identity.principalId", "identity.tenantId"]

To call the outputs, you just need to use the following:



Once you are ready, run Terraform Init, and Terraform Plan to see what will happen before deployment.

Did you find this article valuable?

Support James Cook by becoming a sponsor. Any amount is appreciated!