Cannot create already existing resource – when creating a ContainerApp in 2 steps (bootstrap + final) with system-assigned managed identity

[laurent-laporte-pro]

Context

I'm using Pulumi (Python) with pulumi-azure-native and pulumi-azuread to deploy an Azure Container App with a system-assigned managed identity, where that identity must be a member of an existing Entra ID group (which already has AcrPull on an ACR and Key Vault Secrets User on a Key Vault).

Because the managed identity's principal_id only exists after the Container App is created, and because the ACR registry config requires the identity to already have AcrPull before the app can pull the private image, I'm trying a three-step approach:

1. Create the Container App with a system-assigned identity and a public bootstrap image (no ACR config).

2. Add the identity's service principal to the existing Entra group.

3. Update the Container App with the private image and registries[].identity = "system".

I modelled steps 1 and 3 as two separate ContainerApp Pulumi resources targeting the same Azure resource name, with parent=bootstrap and depends_on=[membership] on the final resource.

Problem

pulumi up fails on the second ContainerApp resource with:

error: cannot create already existing resource
  '/subscriptions/xxx/resourceGroups/rg-demo/providers/Microsoft.App/containerApps/orchestrator-demo'

This makes sense: Pulumi tries to create orchestrator-final as a new resource, but the Azure resource already exists (created by orchestrator-bootstrap). The orchestrator-final resource never makes it into the state.

Code

# __main__.py
import pulumi
import pulumi_azure_native as azure_native
import pulumi_azuread as azuread
from pulumi_azure_native.app import (
    ConfigurationArgs,
    ContainerApp,
    ContainerArgs,
    ContainerResourcesArgs,
    ManagedServiceIdentityArgs,
    ManagedServiceIdentityType,
    RegistryCredentialsArgs,
    ScaleArgs,
    TemplateArgs,
)

# Minimal repro goal:
# - Existing Container App Environment and ACR
# - New Container App with system-assigned managed identity
# - Add that identity's service principal to an existing Entra group
# - Use group-based AcrPull instead of a direct role assignment on the identity

config = pulumi.Config()

resource_group_name = config.require("resourceGroupName")
location = config.require("location")
container_app_env_name = config.require("containerAppEnvironmentName")
container_app_name = config.get("containerAppName")
entra_group_display_name = config.require("entraGroupDisplayName")
acr_name = config.require("acrName")
acr_resource_group_name = config.require("acrResourceGroupName")
private_image = config.require("privateImage")

bootstrap_image = (
    config.get("bootstrapImage")
    or "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest"
)

managed_environment = azure_native.app.get_managed_environment_output(
    environment_name=container_app_env_name,
    resource_group_name=resource_group_name,
)

acr = azure_native.containerregistry.get_registry_output(
    registry_name=acr_name,
    resource_group_name=acr_resource_group_name,
)

entra_group = azuread.get_group_output(display_name=entra_group_display_name)

bootstrap = ContainerApp(
    "orchestrator-bootstrap",
    container_app_name=container_app_name,
    resource_group_name=resource_group_name,
    location=location,
    managed_environment_id=managed_environment.id,
    identity=ManagedServiceIdentityArgs(type=ManagedServiceIdentityType.SYSTEM_ASSIGNED),
    configuration=ConfigurationArgs(
        ingress=None,
        active_revisions_mode="Single",
    ),
    template=TemplateArgs(
        containers=[
            ContainerArgs(
                name=container_app_name,
                image=bootstrap_image,
                resources=ContainerResourcesArgs(cpu=0.25, memory="0.5Gi"),
            )
        ],
        scale=ScaleArgs(min_replicas=0, max_replicas=1),
    ),
    opts=pulumi.ResourceOptions(
        # The update resource below manages template/configuration.
        ignore_changes=["configuration", "template"],
    ),
)

membership = azuread.GroupMember(
    "orchestrator-group-membership",
    group_object_id=entra_group.object_id,
    member_object_id=bootstrap.identity.principal_id,
    opts=pulumi.ResourceOptions(
        depends_on=[bootstrap],
        # First run can fail if identity propagation in Entra is not complete.
        custom_timeouts=pulumi.CustomTimeouts(create="10m"),
    ),
)

app = ContainerApp(
    "orchestrator-final",
    container_app_name=container_app_name,
    resource_group_name=resource_group_name,
    location=location,
    managed_environment_id=managed_environment.id,
    identity=ManagedServiceIdentityArgs(type=ManagedServiceIdentityType.SYSTEM_ASSIGNED),
    configuration=ConfigurationArgs(
        ingress=None,
        active_revisions_mode="Single",
        registries=[
            RegistryCredentialsArgs(
                server=acr.login_server,
                identity="system",
            )
        ],
    ),
    template=TemplateArgs(
        containers=[
            ContainerArgs(
                name=container_app_name,
                image=private_image,
                resources=ContainerResourcesArgs(cpu=0.25, memory="0.5Gi"),
            )
        ],
        scale=ScaleArgs(min_replicas=1, max_replicas=1),
    ),
    opts=pulumi.ResourceOptions(
        parent=bootstrap,
        depends_on=[membership],
    ),
)

pulumi.export("managedIdentityPrincipalId", app.identity.principal_id)
pulumi.export("groupObjectId", entra_group.object_id)
pulumi.export("acrLoginServer", acr.login_server)

Error messages

The pulumi up command failed with the following message:

pulumi up

View in Browser (Ctrl+O): https://app.pulumi.com/xxx/so-containerapp-mi-group/example/updates/2

     Type                                 Name                              Status                  Info
     pulumi:pulumi:Stack                  so-containerapp-mi-group-example  **failed**              1 error
 +   ├─ azure-native:app:ContainerApp     orchestrator-bootstrap            created (17s)           
 +   │  └─ azure-native:app:ContainerApp  orchestrator-final                **creating failed**     1 error
 +   └─ azuread:index:GroupMember         orchestrator-group-membership     created (1s)            

Diagnostics:
  azure-native:app:ContainerApp (orchestrator-final):
    error: cannot create already existing resource '/subscriptions/xxx/resourceGroups/rg-demo/providers/Microsoft.App/containerApps/orchestrator-demo'

  pulumi:pulumi:Stack (so-containerapp-mi-group-example):
    error: update failed

Here is the detail of the stack after the error:

pulumi stack

Current stack is example:
    Owner: laurent-laporte-pro-org
    Last updated: 1 minute ago (2026-03-03 18:41:24.392413 +0100 CET)
    Pulumi version used: v3.224.0
Current stack resources (5):
    TYPE                                      NAME
    pulumi:pulumi:Stack                       so-containerapp-mi-group-example
    ├─ azure-native:app:ContainerApp          orchestrator-bootstrap
    ├─ azuread:index/groupMember:GroupMember  orchestrator-group-membership
    ├─ pulumi:providers:azure-native          default_3_13_0
    └─ pulumi:providers:azuread               default_6_8_1

Current stack outputs (0):
    No output values currently in this stack

What I've considered

• Using a single ContainerApp resource with depends_on on a GroupMember — but I can't add the identity to the group before the app is created, and I can't configure ACR access before the identity has the role.

• Using import / pulumi.ResourceOptions(import_=...) on the final resource — but this feels hacky and I'm not sure it's the right pattern.

Questions

1. Is the two-ContainerApp-resource pattern (bootstrap + final) the right approach, and if so, how do I tell Pulumi that orchestrator-final should update the existing resource rather than try to create it?

2. Alternatively, is there a cleaner Pulumi-native pattern to handle this kind of circular dependency (need the resource to exist to get its identity, need the identity to have a role before the resource can use it)?

Environment

• pulumi: v3.224.0
• pulumi-azure-native: 3.13.0
• pulumi-azuread: 6.8.1
• Python 3.12

[manimovassagh]

The two-ContainerApp-resource pattern is not going to work as you discovered -- Pulumi treats each resource declaration as a distinct resource, so the second one tries to create rather than update.

Here is how to solve this cleanly:

Use apply + a command resource to break the circular dependency

The standard Pulumi pattern is a single ContainerApp resource combined with a command to trigger a restart after the group membership is established:

import pulumi
import pulumi_azure_native as azure_native
import pulumi_azuread as azuread
from pulumi_azure_native.app import *
import pulumi_command as command

# Create the ContainerApp with system identity and min_replicas=0
# so no image pull is attempted until the identity has AcrPull.
app = ContainerApp(
    "orchestrator",
    container_app_name=container_app_name,
    resource_group_name=resource_group_name,
    location=location,
    managed_environment_id=managed_environment.id,
    identity=ManagedServiceIdentityArgs(
        type=ManagedServiceIdentityType.SYSTEM_ASSIGNED
    ),
    configuration=ConfigurationArgs(
        active_revisions_mode="Single",
        registries=[
            RegistryCredentialsArgs(
                server=acr.login_server,
                identity="system",
            )
        ],
    ),
    template=TemplateArgs(
        containers=[
            ContainerArgs(
                name=container_app_name,
                image=private_image,
                resources=ContainerResourcesArgs(cpu=0.25, memory="0.5Gi"),
            )
        ],
        scale=ScaleArgs(min_replicas=0, max_replicas=1),
    ),
)

# Add the system-assigned identity to the Entra group
membership = azuread.GroupMember(
    "orchestrator-group-membership",
    group_object_id=entra_group.object_id,
    member_object_id=app.identity.apply(lambda i: i.principal_id),
    opts=pulumi.ResourceOptions(
        custom_timeouts=pulumi.CustomTimeouts(create="10m"),
    ),
)

# After the group membership is created, scale up.
# Use the Azure CLI to update the min replicas.
scale_up = command.local.Command(
    "scale-up-orchestrator",
    create=pulumi.Output.format(
        "az containerapp update -n {0} -g {1} --min-replicas 1 --max-replicas 1",
        container_app_name,
        resource_group_name,
    ),
    opts=pulumi.ResourceOptions(depends_on=[membership]),
)

The idea: start with min_replicas=0 so the Container App is created (and the identity provisioned) without actually trying to pull the private image. Once the group membership grants AcrPull, use az containerapp update to scale to 1 replica, which triggers the first image pull.

Alternative: two-pass approach (no command provider)

If you do not want the pulumi-command dependency, use the same code but with min_replicas=0 on first run. After pulumi up succeeds and the group membership is in place, change min_replicas to 1 in the code and run pulumi up again. Pulumi will update the existing ContainerApp resource in place.

Why the two-resource pattern fails

Pulumi resources have a 1:1 mapping with cloud resources. Two ContainerApp declarations with the same Azure resource name are tracked as separate resources in Pulumi state, but Azure sees one. The second declaration triggers a create call, which fails because the resource already exists. Using import_ would technically work but is the wrong abstraction -- you would be importing a resource you just created in the same stack.

The single-resource approach with deferred scaling is the idiomatic way to handle this kind of chicken-and-egg dependency in Pulumi.