update per comments

Author: ziyeqf

internal/services/logic/logic_app_standard_resource.go

@@ -331,6 +331,34 @@ func (r LogicAppResource) ResourceType() string {
 	return "azurerm_logic_app_standard"
 }
 
+func (r LogicAppResource) CustomizeDiff() sdk.ResourceFunc {
+	return sdk.ResourceFunc{
+		Timeout: 5 * time.Minute,
+		Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error {
+			// Since `key_vault_reference_identity_id` is O+C, if it's removed from the config, the value get below is still the old value.
+			if metadata.ResourceDiff.GetRawConfig().GetAttr("key_vault_reference_identity_id").IsNull() {
+				return nil
+			}
+
+			keyVaultReferenceIdentityId := metadata.ResourceDiff.Get("key_vault_reference_identity_id").(string)
+			if keyVaultReferenceIdentityId == "" || strings.EqualFold(keyVaultReferenceIdentityId, "SystemAssigned") {
+				return nil
+			}
+
+			identityIdsRaw := metadata.ResourceDiff.Get("identity.0.identity_ids").(*pluginsdk.Set)
+			identityIds := identityIdsRaw.List()
+
+			for _, id := range identityIds {
+				if strings.EqualFold(id.(string), keyVaultReferenceIdentityId) {
+					return nil
+				}
+			}
+
+			return fmt.Errorf("`key_vault_reference_identity_id` must be an identity assigned to this resource in the `identity` block, got `%s`", keyVaultReferenceIdentityId)
+		},
+	}
+}
+
 func (r LogicAppResource) Create() sdk.ResourceFunc {
 	return sdk.ResourceFunc{
 		Timeout: 30 * time.Minute,
@@ -911,7 +939,8 @@ func (r LogicAppResource) Update() sdk.ResourceFunc {
 	}
 }
 
-var _ sdk.ResourceWithUpdate = &LogicAppResource{}
+var _ sdk.ResourceWithUpdate = LogicAppResource{}
+var _ sdk.ResourceWithCustomizeDiff = LogicAppResource{}
 
 func getBasicLogicAppSettings(d LogicAppResourceModel, endpointSuffix string) ([]webapps.NameValuePair, error) {
 	appKindPropName := "APP_KIND"

internal/services/logic/logic_app_standard_resource_test.go

@@ -6,6 +6,7 @@ package logic_test
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -1111,6 +1112,18 @@ func TestAccLogicAppStandard_vnetContentShareEnabled(t *testing.T) {
 	})
 }
 
+func TestAccLogicAppStandard_keyVaultReferenceIdentityInvalid(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_logic_app_standard", "test")
+	r := LogicAppStandardResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config:      r.keyVaultReferenceIdentityInvalid(data),
+			ExpectError: regexp.MustCompile("`key_vault_reference_identity_id` must be an identity assigned to this resource in the `identity` block"),
+		},
+	})
+}
+
 func TestAccLogicAppStandard_keyVaultReferenceIdentity(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_logic_app_standard", "test")
 	r := LogicAppStandardResource{}
@@ -1142,6 +1155,14 @@ func TestAccLogicAppStandard_keyVaultReferenceIdentity(t *testing.T) {
 			),
 		},
 		data.ImportStep(),
+		{
+			Config: r.keyVaultReferenceSysmtemAssignedIdentity(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("key_vault_reference_identity_id").HasValue("SystemAssigned"),
+			),
+		},
+		data.ImportStep(),
 	})
 }
 
@@ -2688,6 +2709,40 @@ resource "azurerm_logic_app_standard" "test" {
 `, r.template(data), data.RandomInteger, enabled)
 }
 
+func (r LogicAppStandardResource) keyVaultReferenceIdentityInvalid(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azurerm_user_assigned_identity" "test" {
+  name                = "acctest-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+}
+
+resource "azurerm_user_assigned_identity" "other" {
+  name                = "acctest-other-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+}
+
+resource "azurerm_logic_app_standard" "test" {
+  name                       = "acctest-%[2]d-func"
+  location                   = azurerm_resource_group.test.location
+  resource_group_name        = azurerm_resource_group.test.name
+  app_service_plan_id        = azurerm_app_service_plan.test.id
+  storage_account_name       = azurerm_storage_account.test.name
+  storage_account_access_key = azurerm_storage_account.test.primary_access_key
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.test.id]
+  }
+
+  key_vault_reference_identity_id = azurerm_user_assigned_identity.other.id
+}
+`, r.template(data), data.RandomInteger)
+}
+
 func (r LogicAppStandardResource) keyVaultReferenceIdentity(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %[1]s
@@ -2715,3 +2770,25 @@ resource "azurerm_logic_app_standard" "test" {
 }
 `, r.template(data), data.RandomInteger)
 }
+
+func (r LogicAppStandardResource) keyVaultReferenceSysmtemAssignedIdentity(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_logic_app_standard" "test" {
+  name                       = "acctest-%d-func"
+  location                   = azurerm_resource_group.test.location
+  resource_group_name        = azurerm_resource_group.test.name
+  app_service_plan_id        = azurerm_app_service_plan.test.id
+  storage_account_name       = azurerm_storage_account.test.name
+  storage_account_access_key = azurerm_storage_account.test.primary_access_key
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+    key_vault_reference_identity_id = "systemAssigned"
+
+}
+`, r.template(data), data.RandomInteger)
+}