
I am running into a cycle error when assigning a keyvault access policy to the managed identity of the resource I am trying to create. Currently we have modules for App_Config, Windows Function, Redis, etc. All of them are created with either a system or user managed identity. They all need access to keyvaults.

Currently I generate the keyvault's access_policies by looping through the resources and grabbing the managed identity for each resource.

What is the best way to break this cycle error and apply keyvault access to resources?

2 Answers


  1. A cycle error occurs when the azurerm_key_vault depends on the azurerm_managed_identity resource (when assigning an access policy to the managed identity), whereas the azurerm_managed_identity resource also depends on the azurerm_key_vault resource (when using the Key Vault's ID).

    resource "azurerm_key_vault" "nscsecrets" {
      name                       = "kkkvault0123456"
      resource_group_name        = data.azurerm_resource_group.example.name
      location                   = data.azurerm_resource_group.example.location
      sku_name                   = "standard"
      tenant_id                  = data.azurerm_client_config.current.tenant_id
      soft_delete_retention_days = 7
      purge_protection_enabled   = true
    }


    To resolve this cycle error, separate the managed identity creation and the assignment of the Key Vault access policy into two separate Terraform configurations or modules.

    The indirect dependency between the resources is then avoided and the cycle error is resolved.

    Code:

    # Access policy for the App Config identity. The identity is created in a
    # separate configuration/module; the provider resource type for a
    # user-assigned identity is azurerm_user_assigned_identity.
    resource "azurerm_key_vault_access_policy" "app_config_policy" {
      key_vault_id = azurerm_key_vault.key_vault.id

      tenant_id = var.tenant_id
      object_id = azurerm_user_assigned_identity.app_config_identity.principal_id

      # Define the permissions for the access policy
      secret_permissions  = ["Backup", "Delete", "Get", "List", "Purge"]
      key_permissions     = ["Backup", "Create", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
      storage_permissions = ["Backup", "Delete", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
    }

    # Access policy for the principal running Terraform (object_id, not
    # tenant_id, identifies the principal being granted access).
    resource "azurerm_key_vault_access_policy" "function_policy" {
      key_vault_id = azurerm_key_vault.key_vault.id

      tenant_id = var.tenant_id
      object_id = data.azurerm_client_config.current.object_id

      # Define the permissions for the access policy
      secret_permissions  = ["Backup", "Delete", "Get", "List"]
      key_permissions     = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
      storage_permissions = ["Backup", "Delete", "Update"]
    }


    Reference: Importing multiple Azure KeyVault Access Policies | StackOverflow

  2. If you were to use user-assigned managed identities created by the azurerm_user_assigned_identity resource then you could:

    1. Create the user-assigned managed identities using azurerm_user_assigned_identity.
    2. Create the Key Vault.
    3. Call the consuming modules (App_Config, Windows Function, Redis).
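The three-step ordering from this answer, written out as an added example (not code from the thread or from the azurerm provider docs); the workload names, the `./modules/windows_function` path and the module input names `identity_id` and `key_vault_id` are assumptions, while the `data.azurerm_resource_group.example` and `data.azurerm_client_config.current` data sources are the ones used in the first answer:

```hcl
# Added example: create identities first, then the vault and its policies,
# then the consuming modules, so no edge points back into the modules.
# The workload set is a constructed sample; module path/inputs are assumed.

locals {
  workloads = toset(["app_config", "windows_function", "redis"])
}

# Step 1: user-assigned identities, independent of the vault.
resource "azurerm_user_assigned_identity" "workload" {
  for_each            = local.workloads
  name                = "id-${each.key}"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

# Step 2: the Key Vault, with no inline access_policy blocks so the
# separate azurerm_key_vault_access_policy resources own the policies.
resource "azurerm_key_vault" "kv" {
  name                       = "kv-example-0123" # constructed name
  resource_group_name        = data.azurerm_resource_group.example.name
  location                   = data.azurerm_resource_group.example.location
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# Policies reference only the identities and the vault, never the
# consuming resources, which is what removes the cycle.
resource "azurerm_key_vault_access_policy" "workload" {
  for_each     = azurerm_user_assigned_identity.workload
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = each.value.tenant_id
  object_id    = each.value.principal_id

  # Least privilege: the workloads only need to read secrets.
  secret_permissions = ["Get", "List"]
}

# Step 3: the consuming module receives the already-created identity
# and vault, and waits for the policy so the app can read secrets.
module "windows_function" {
  source       = "./modules/windows_function" # assumed path
  identity_id  = azurerm_user_assigned_identity.workload["windows_function"].id
  key_vault_id = azurerm_key_vault.kv.id

  depends_on = [azurerm_key_vault_access_policy.workload]
}
```

Keeping inline `access_policy` blocks out of the `azurerm_key_vault` resource matters here: mixing inline blocks with `azurerm_key_vault_access_policy` resources makes the two fight over the policy list on every apply.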