
Multiple Keyvault policies fail #2270

Closed
pixelicous opened this issue Nov 8, 2018 · 3 comments

Comments


Terraform v0.11.8
AzureRM Provider v1.18

Affected Resource(s)

azurerm_key_vault_access_policy
azurerm_key_vault

Terraform Configuration Files

resource "azurerm_key_vault" "keyvault" {
  name                = "${local.name_prefix_tenant}-kv"
  location            = "${var.location}"
  resource_group_name = "${azurerm_resource_group.tenant_resource_group.name}"

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"

  sku {
    name = "standard"
  }

  enabled_for_deployment          = true
  enabled_for_template_deployment = true

  tags = "${var.tags}"
}

#Policy

resource "azurerm_key_vault_access_policy" "keyvault_policy_one" {
  vault_name          = "${local.name_prefix_tenant}-kv"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  object_id = "${var.my_group_id}"

  key_permissions = [
    "backup",
    "create",
    "decrypt",
    "delete",
    "encrypt"
  ]

  secret_permissions = [
    "backup",
    "delete"
  ]

  certificate_permissions = [
    "get"
  ]
}

resource "azurerm_key_vault_access_policy" "keyvault_policy_two" {
  vault_name          = "${local.name_prefix_tenant}-kv"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

  key_permissions = [
    "backup"
  ]

  secret_permissions = [
    "backup"
  ]

  certificate_permissions = [
    "create"
  ]
}


Debug Output

  • module.TenantOnBoard.azurerm_key_vault_access_policy.keyvault_policy_sf: 1 error(s) occurred:

  • azurerm_key_vault_access_policy.keyvault_policy_sf: Error updating Access Policy (Object ID "aadcx5ef-7f9f-40ca-xxxx-19e706a94587" / Application ID "") for Key Vault "azneu-sig-tnnt9a2e5-kv" (Resource Group "xxxx-sig-tnntxxxxx-rg"): keyvault.VaultsClient#UpdateAccessPolicy: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource 'xxxx-xxxx-xxxx-kv' not found."

  • module.TenantOnBoard.azurerm_key_vault_access_policy.keyvault_policy_devops: 1 error(s) occurred:

  • azurerm_key_vault_access_policy.keyvault_policy_devops: Error updating Access Policy (Object ID "142ce332-xxxx-4243-xxxx-da43cf0aa231" / Application ID "") for Key Vault "xxx-xxx-xxxx-kv" (Resource Group "xxxxx-sig-tnntxxxxx-rg"): keyvault.VaultsClient#UpdateAccessPolicy: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource 'xxxx-xxxx-tnntxxxxx-kv' not found."

  • module.TenantOnBoard.azurerm_key_vault_access_policy.keyvault_policy_tfs: 1 error(s) occurred:

Expected Behavior

Keyvault created with 3 different policies

Actual Behavior

Received an error. I have 3 different policies; it sometimes creates 1, sometimes creates 2, and those 2 are not always the same.

Steps to Reproduce

terraform init
terraform apply

Important Factoids

This is related, in my opinion, to an old issue where secrets failed to create when the keyvault wasn't propagated correctly across Azure.

References

#655
#1147
#1423

tombuildsstuff (Contributor) commented Nov 8, 2018

hey @pixelicous

Thanks for opening this issue :)

Taking a quick look into this, it appears this is happening because there are no dependencies between the resources - so Terraform doesn't have a preference for which should be created first - and so will attempt to create them in parallel (since it believes there are no dependencies between the resources).

There are two ways of specifying dependencies in Terraform - either implicitly (using the Interpolation Syntax) or explicitly (via depends_on) - but we'd recommend using the Interpolation Syntax where possible. This'd make the code look like below:

# dependencies
locals {
  name_prefix_tenant = ""
}
variable "my_group_id" {}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "tenant_resource_group" {
  # ...
}

resource "azurerm_key_vault" "keyvault" {
  name                = "${local.name_prefix_tenant}-kv"
  location            = "${var.location}" # NOTE: this can also come from "${azurerm_resource_group.tenant_resource_group.location}" rather than specifying it as a variable :)
  resource_group_name = "${azurerm_resource_group.tenant_resource_group.name}"
  tenant_id = "${data.azurerm_client_config.current.tenant_id}"

  sku {
    name = "standard"
  }

  enabled_for_deployment          = true
  enabled_for_template_deployment = true

  tags = "${var.tags}"
}

#Policy

resource "azurerm_key_vault_access_policy" "keyvault_policy_one" {
  vault_name          = "${azurerm_key_vault.keyvault.name}"
  resource_group_name = "${azurerm_key_vault.keyvault.resource_group_name}"

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  object_id = "${var.my_group_id}"

  key_permissions = [
    "backup",
    "create",
    "decrypt",
    "delete",
    "encrypt",
  ]

  secret_permissions = [
    "backup",
    "delete",
  ]

  certificate_permissions = [
    "get",
  ]
}

resource "azurerm_key_vault_access_policy" "keyvault_policy_two" {
  vault_name          = "${azurerm_key_vault.keyvault.name}"
  resource_group_name = "${azurerm_key_vault.keyvault.resource_group_name}"

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

  key_permissions = [
    "backup",
  ]

  secret_permissions = [
    "backup",
  ]

  certificate_permissions = [
    "create",
  ]
}

I've also updated the resource group name on each of the Access Policies - since it needs to match the name of the Resource Group used for the Key Vault. Would you be able to take a look and see if this works for you? Since this is a question about Terraform Configuration rather than a bug in Terraform, I'm going to close this issue for the moment (but we'll continue responding 😄)

Thanks!
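The explicit depends_on form that the comment above mentions but does not show, as an added example that is not part of the thread. It reuses the issue's own resource and variable names and assumes Terraform 0.11 syntax, where depends_on takes a list of resource address strings:

```hcl
# Added example (not from the issue): the same ordering fix expressed with an
# explicit dependency instead of interpolating the vault's attributes.
# Resource names (azurerm_key_vault.keyvault, tenant_resource_group, my_group_id)
# are taken from the issue's configuration; Terraform 0.11 syntax is assumed.
resource "azurerm_key_vault_access_policy" "keyvault_policy_one" {
  # String concatenation alone creates no graph edge to the vault, so the
  # policy can be applied before the vault exists (the 404 in the debug output).
  vault_name          = "${local.name_prefix_tenant}-kv"
  resource_group_name = "${azurerm_resource_group.tenant_resource_group.name}"

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  object_id = "${var.my_group_id}"

  key_permissions         = ["backup", "create", "decrypt", "delete", "encrypt"]
  secret_permissions      = ["backup", "delete"]
  certificate_permissions = ["get"]

  # Explicit dependency: Terraform will not start this nested resource until
  # the parent vault has been created, regardless of how vault_name is built.
  depends_on = ["azurerm_key_vault.keyvault"]
}
```

After `terraform init`, `terraform graph` should show an edge from the access policy node to `azurerm_key_vault.keyvault`, which is the quick check that the ordering is actually enforced rather than assumed.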

pixelicous (Author) commented

@tombuildsstuff I think the answer is that the implicit dependency didn't kick in only because I didn't reference the keyvault name dynamically using HCL, but just string concat.. is that what you meant?


ghost commented Mar 5, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 5, 2019