Azure APIM named_value: One or more fields contain incorrect values

I am trying to create an Azure APIM named value, mapped to a Key Vault secret, using Terraform so that my Azure Defender for Cloud scan no longer flags it as insecure. I’m using Terraform CLI version 1.2.6, not the latest version 1.7.5+.

I simplified what I am trying to do down to this example, but I am getting an error when I configure it this way, using the documentation at: Terraform Registry

resource "azurerm_api_management_named_value" "named_value_kvtest2" {
  name                = "kvtest2"
  api_management_name = azurerm_api_management.apim.name
  resource_group_name = azurerm_resource_group.rg.name
  display_name        = "kvtest2"
  value_from_key_vault {
    secret_id = "https://{...}.vault.azure.net/secrets/{...}/{...}."
  }
}

And here is the error:

│ Error: creating or updating Named Value (Subscription: "{...}"
│ Resource Group Name: "{...}"
│ Service Name: "{...}"
│ Named Value: "kvtest2"): performing CreateOrUpdate: unexpected 
        status 400 with error: ValidationError: One or more fields 
        contain incorrect values:
│ 
│   with azurerm_api_management_named_value.named_value_kvtest2,
│   on {...}.tf line 106, in resource 
     "azurerm_api_management_named_value" "named_value_kvtest2":
│  106: resource "azurerm_api_management_named_value" 
    "named_value_kvtest2" {

It just simply is not possible that one of the fields, as documented, is missing or set wrong. I made sure of that with the example above.

Ok, I finally solved it.

There was an issue with “variable expansion”, which was hard to believe, but this was my workaround: doing the expansion outside the block, within a “locals” block.

locals {
  named_value_key_name = "${local.myfunc_name}-${var.environment}-key"
  vault_key_name       = "MYFUNC-DEV-KEY"
}

resource "azurerm_api_management_named_value" "named_value_myfunc" {
  depends_on          = [
    azurerm_key_vault_secret.vault_value_myfunc_api
  ]
  name                = local.named_value_key_name
  resource_group_name = azurerm_api_management.apim.resource_group_name
  api_management_name = azurerm_api_management.apim.name
  display_name        = local.named_value_key_name
  secret              = true
  value_from_key_vault {
    secret_id = "${azurerm_key_vault.app_secrets.vault_uri}secrets/${local.vault_key_name}"
  }
}
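
The 400 from `CreateOrUpdate` does not say which field was rejected, so a malformed `secret_id` only surfaces at apply time. The following is an added example, not the poster's code: it validates a hand-supplied identifier at plan time and, for a secret managed in the same configuration, takes the identifier from the provider instead of assembling it. It assumes the public Azure cloud (`vault.azure.net`), reuses the resource and local names from the post, and introduces a hypothetical variable `myfunc_secret_id`.

```hcl
# Added example. Resource and local names are taken from the post;
# var.myfunc_secret_id is a hypothetical input introduced for illustration.

# Case 1: the identifier arrives as a plain string (tfvars, pipeline variable).
variable "myfunc_secret_id" {
  type        = string
  description = "Key Vault secret identifier, with or without a version."

  validation {
    # Expected shape: https://<vault>.vault.azure.net/secrets/<name>[/<version>]
    # The pattern is anchored at both ends, so a trailing "." or "/", a doubled
    # "/" or an unexpanded "${...}" fails during plan with a readable message.
    condition = can(regex(
      "^https://[a-zA-Z][0-9a-zA-Z-]{2,23}\\.vault\\.azure\\.net/secrets/[0-9a-zA-Z-]{1,127}(/[0-9a-f]{32})?$",
      var.myfunc_secret_id
    ))
    error_message = "The value must be a Key Vault secret identifier such as https://VAULT.vault.azure.net/secrets/NAME with no trailing characters."
  }
}

# Case 2: the secret is managed in this configuration.
resource "azurerm_api_management_named_value" "named_value_myfunc" {
  name                = local.named_value_key_name
  resource_group_name = azurerm_api_management.apim.resource_group_name
  api_management_name = azurerm_api_management.apim.name
  display_name        = local.named_value_key_name
  secret              = true

  value_from_key_vault {
    # versionless_id is exported by azurerm_key_vault_secret, so no string is
    # built by hand and the reference creates the dependency (no depends_on).
    # For case 1, use: secret_id = var.myfunc_secret_id
    secret_id = azurerm_key_vault_secret.vault_value_myfunc_api.versionless_id
  }
}
```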