I am trying to deploy AzureRM built-in roles: Microsoft Sentinel Reader and Storage Blob Data Contributor using Terraform.
Problem:
The built-in roles are not being associated with the object ID belonging to the Azure Function. Consequently, the Azure Function is not getting the Microsoft Sentinel Reader role on the Log Analytics Workspace nor the Storage Blob Data Contributor role on the Storage Account.
I have tried specifying the resource IDs of the Log Analytics Workspace and the Storage Account in plain text next to the scope argument, but the issue persists. Terraform plan and apply complete without errors, and the object ID of the system-assigned identity belonging to the Azure Function is correct.
I am using the following documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
Terraform Code with sensitive data removed:
# Role Assignment for the managed identity to access the storage account - Storage Blob Data Contributor
resource "azurerm_role_assignment" "storage_account_access" {
  scope                = data.azurerm_storage_account.example_sa.id
  role_definition_name = "Storage Blob Data Contributor" # Assign the appropriate role for accessing blob data
  principal_id         = data.azurerm_windows_function_app.example_function.identity[0].principal_id
}

# Role Assignment for the managed identity to access the log analytics workspace - Microsoft Sentinel Reader
resource "azurerm_role_assignment" "log_analytics_reader" {
  scope                = data.azurerm_log_analytics_workspace.example_la.id
  role_definition_name = "Microsoft Sentinel Reader" # Assign the appropriate role for accessing log analytics data
  principal_id         = data.azurerm_windows_function_app.example_function.identity[0].principal_id
}

# Data block for Windows Function App
# identity[0].principal_id is the object ID of the app's system-assigned identity;
# the identity list is only populated if an identity is enabled on the app.
data "azurerm_windows_function_app" "example_function" {
  name                = "example_function"
  resource_group_name = "example_rg"
}

# Log Analytics Workspace resource ID
data "azurerm_log_analytics_workspace" "example_la" {
  name                = "example_la"
  resource_group_name = "example_rg"
}

output "log_analytics_workspace_id" {
  value = data.azurerm_log_analytics_workspace.example_la.id
}

# Storage Account resource ID
data "azurerm_storage_account" "example_sa" {
  name                = "example_sa"
  resource_group_name = "example_rg"
}

output "storage_account_id" {
  value = data.azurerm_storage_account.example_sa.id
}
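A check a practitioner would run after `terraform apply` is to compare the assignments Azure actually holds for the identity against the (role, scope) pairs the configuration is supposed to create. The script below is an added example and is not part of the original question. It assumes the JSON shape returned by `az role assignment list --assignee <principal_id> --all -o json` (objects with `principalId`, `roleDefinitionName`, `scope`); the embedded sample output, subscription ID and principal ID are constructed placeholders, not values from a real tenant. Resource IDs are compared case-insensitively, since Azure resource IDs are not case-sensitive and a casing difference in a resource group name is a common reason a manual comparison looks wrong. The `include_inherited` switch accounts for a role granted at a parent scope (for example the resource group), which also applies at the child resource even though it is not a direct assignment on that resource.

```python
"""Verify expected Azure RBAC role assignments from `az role assignment list` JSON.

Added example (not from the original question). Offline: the sample below is
constructed to look like `az role assignment list --assignee <id> --all -o json`.
"""
import json

# Constructed placeholder identifiers (not real subscription / object IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/example_rg"
STORAGE_SCOPE = RG + "/providers/Microsoft.Storage/storageAccounts/example_sa"
WORKSPACE_SCOPE = RG + "/providers/Microsoft.OperationalInsights/workspaces/example_la"
PRINCIPAL_ID = "11111111-2222-3333-4444-555555555555"  # placeholder function app identity

# Constructed sample of what the CLI returns. Note the resource group is
# upper-cased in one scope on purpose: Azure resource IDs are case-insensitive.
# Microsoft Sentinel Reader is granted at the resource group, not the workspace.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "principalId": PRINCIPAL_ID,
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Storage Blob Data Contributor",
        "scope": SUB + "/resourceGroups/EXAMPLE_RG/providers/Microsoft.Storage/storageAccounts/example_sa",
    },
    {
        "principalId": PRINCIPAL_ID,
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Reader",
        "scope": RG,
    },
    {
        "principalId": PRINCIPAL_ID,
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Microsoft Sentinel Reader",
        "scope": RG,
    },
])

# The (role, scope) pairs the Terraform configuration is expected to create.
EXPECTED = [
    ("Storage Blob Data Contributor", STORAGE_SCOPE),
    ("Microsoft Sentinel Reader", WORKSPACE_SCOPE),
]


def normalize_scope(scope: str) -> str:
    """Canonical form for comparing resource IDs: no trailing slash, lower case."""
    return scope.rstrip("/").lower()


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if an assignment at assigned_scope applies at target_scope (same or ancestor)."""
    a, t = normalize_scope(assigned_scope), normalize_scope(target_scope)
    return t == a or t.startswith(a + "/")


def assignments_for(az_json: str, principal_id: str):
    """Extract (role_name, normalized_scope) pairs held by one principal."""
    rows = json.loads(az_json)
    return [
        (r["roleDefinitionName"], normalize_scope(r["scope"]))
        for r in rows
        if r.get("principalId", "").lower() == principal_id.lower()
    ]


def missing_assignments(az_json: str, principal_id: str, expected, include_inherited: bool = False):
    """Return the expected (role, scope) pairs the principal does not hold.

    With include_inherited=False only a direct assignment on the exact scope counts;
    with include_inherited=True an assignment on any ancestor scope also satisfies it.
    """
    have = assignments_for(az_json, principal_id)
    missing = []
    for role, scope in expected:
        target = normalize_scope(scope)
        found = any(
            r.lower() == role.lower()
            and (scope_covers(s, target) if include_inherited else s == target)
            for r, s in have
        )
        if not found:
            missing.append((role, scope))
    return missing


if __name__ == "__main__":
    for inherited in (False, True):
        gaps = missing_assignments(SAMPLE_AZ_OUTPUT, PRINCIPAL_ID, EXPECTED, include_inherited=inherited)
        label = "effective (inherited counted)" if inherited else "direct only"
        print(f"{label}: {'all present' if not gaps else gaps}")
```

To run it against a real environment, replace `SAMPLE_AZ_OUTPUT` with the contents of `az role assignment list --assignee <principal_id> --all -o json`, and take `PRINCIPAL_ID` and the two scopes from `terraform output`. If the direct check reports a gap but the inherited check does not, the role exists at a parent scope and the function app has the access even though the assignment is not listed on the resource itself; if both report a gap, the assignment is genuinely absent for that principal.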