14207973

Reputation: 599

Getting Azure client/application id of system-assigned managed identity through Terraform

I'm trying to use the mssql_user resource of the Microsoft SQL Server Provider for Terraform to create a user in my Azure SQL database for my web app's managed identity. I don't have the Directory Readers role from Azure Active Directory, so I need to supply the client id (or application id) of my managed identity instead of just its name.

resource "mssql_user" "example" {
  server {
    host = "example-sql-server.database.windows.net"
    azure_login { }
  }
  database  = "my-database"
  username  = azurerm_user_assigned_identity.example.name
  object_id = azurerm_user_assigned_identity.example.client_id
  roles     = ["db_datareader"]
}

This works fine for user-assigned managed identities, whose azurerm_user_assigned_identity resource exposes a client_id attribute. However, for system-assigned managed identities, the identity block only exposes a principal_id, not a client_id. Using this with the mssql_user resource causes the Azure SQL database user to get created, but it then fails to log in to the database.

Is there a way of getting the client id (i.e. application id) for a system-assigned managed identity in Terraform, so that I can supply it to the mssql_user resource?

Upvotes: 1

Views: 1327

Answers (1)

ChemekT

Reputation: 11

You can use the azuread_service_principal data source. Just set object_id to the principal_id and it will return application_id, which is the client_id.

data "azuread_service_principal" "sp" {
  object_id = some_resource.identity[0].principal_id
}

Upvotes: 1
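The lookup described in the answer, wired end to end from a system-assigned identity to the mssql_user resource, as an added example that is not code from the question or the answer. It assumes an existing resource group and service plan (azurerm_resource_group.example, azurerm_service_plan.example), and placeholder names for the web app, SQL server host and database.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
    mssql   = { source = "betr-io/mssql" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Web app with a system-assigned identity. The identity block exports
# principal_id (the service principal's object id) but no client_id,
# which is why a separate lookup is needed.
resource "azurerm_linux_web_app" "example" {
  name                = "example-web-app" # assumed placeholder
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  identity {
    type = "SystemAssigned"
  }

  site_config {}
}

# Resolve the service principal behind the identity by object id.
# application_id is the client id that Azure SQL needs to map the login;
# on azuread provider 3.x the same attribute is exposed as client_id.
data "azuread_service_principal" "web_app" {
  object_id = azurerm_linux_web_app.example.identity[0].principal_id
}

# Database user for the identity, granted only the role it needs
# (db_datareader here) rather than db_owner.
resource "mssql_user" "web_app" {
  server {
    host = "example-sql-server.database.windows.net" # assumed placeholder
    azure_login {}
  }
  database  = "my-database" # assumed placeholder
  username  = azurerm_linux_web_app.example.name
  object_id = data.azuread_service_principal.web_app.application_id
  roles     = ["db_datareader"]
}
```

The azuread data source reads the service principal from Entra ID, so the credentials Terraform runs with must be allowed to read service principals in the tenant; if the apply fails at the data source rather than at mssql_user, that permission is the first thing to check.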
