Unable to deploy to function slots with user assigned identity: MissingIdentityIds

[marzuc-dell]

When deploying to a FunctionApp slot we get an error about MissingIdentityIds

The FunctionApp and slots:

• are provisioned via terraform
• have managed identities assigned to them via terraform
• are using the EP1 pricing tier

Plugin name and version

azure-functions-maven-plugin, version 1.36.0, (also tried 1.37.0, 1.37.1)

Plugin configuration in pom.xml

 <plugin>
                        <groupId>com.microsoft.azure</groupId>
                        <artifactId>azure-functions-maven-plugin</artifactId>
                        <version>1.36.0</version>
                        <configuration>
                            <appName>${functionAppName}</appName>
                            <deploymentSlot>${appSlot}</deploymentSlot>
                            <resourceGroup>${resourceGroupName}</resourceGroup>
                            <appServicePlanName>${appServicePlanName}</appServicePlanName>
                            <appServicePlanResourceGroup>${appServicePlanResourceGroup}</appServicePlanResourceGroup>
                            <region>${appRegion}</region>
                            <allowTelemetry>false</allowTelemetry>
                            <pricingTier>${pricingTier}</pricingTier>
                            <runtime>
                                <os>linux</os>
                                <javaVersion>17</javaVersion>
                            </runtime>
                            <deploymentSlotSetting>
                                <name>${appSlot}</name>
                            </deploymentSlotSetting>
                            <appSettings>
                                <property>
                                    <name>FUNCTIONS_EXTENSION_VERSION</name>
                                    <value>~4</value>
                                </property>
                            </appSettings>
                        </configuration>
</plugin>

Expected behavior

We would expect that the function app would get built and deployed to the existing slot az-access-cicd-scus-dev-staging while maintaining all persistent configurations of the slot (e.g. user assigned identity) while updating the WEBSITE_RUN_FROM_PACKAGE setting to point to the newly deployed package.

Actual behavior

Deployment of the artifact succeeds to the storage account's storage container. However, updating the FunctionApp slot fails with this error:

[ERROR] Failed to execute goal com.microsoft.azure:azure-functions-maven-plugin:1.36.0:deploy (default-cli) on project cirrus-azure-functions: deploy to Function App with resource creation or updating: AzureToolkitRuntimeException: Status code 400, "{"error":{"code":"MissingIdentityIds","message":"The identity ids must not be null or empty for 'UserAssigned' identity type."}}" -> [Help 1]

When running maven in debug -X we see a 400 Bad Request in the response.

If we remove the managed identity from the slot via the Azure portal, the artifact gets deployed, and the functionapp gets updated correctly without an error.

Additional behavior

When the artifact is deployed, we notice that the path in the storage account blob container only says 'staging' and not '${funcname}-staging' We see that also reflected in the console output. Maybe nothing, but could be sus.

Steps to reproduce the problem

mvn clean package azure-functions:deploy \
    -Dmaven.test.skip='true' \
    -DresourceGroupName="az-access-cicd-scus-dev-func-rg" \
    -DfunctionAppName="az-access-cicd-scus-dev" \
    -DappRegion='southcentralus' \
    -DpricingTier='EP1' \
    -DappServicePlanName="az-access-dev-function-asp" \
    -DappServicePlanResourceGroup="az-access-dev-infra-rg" \
    -DappSlot="staging"