Azure - AppService + KeyVault gives circular dependency

I’m trying to use the Azure provider to provision the infrastructure. I’ve got the same process working via the AzureCLI, but want to move to Terraform.

Unfortunately, I’ve hit a circular dependency that I can’t seem to resolve. I’ve got the following items.

  1. Cognitive service with a generated API key
  2. AppService with a SystemAssigned identity;
  3. Keyvault, with the identity assigned in (2) given read access;
  4. Keyvault secret with the API key generated in (1).
  5. AppService in (2) needs to be updated with the secret Id generated in (5). - Problem.

Now: I need to set the configuration of the AppService to reference the secret Id that I generate when adding to the vault, but I can’t.

Is there a way to edit these values so the configuration can be set up in parts? ie provision x then modify?
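One way to lay this out so the graph has no cycle, as an added example that is not the poster's configuration: keep the vault free of inline `access_policy` blocks, put each policy in its own `azurerm_key_vault_access_policy` resource, and give the app a user-assigned identity created before the app so the app can `depends_on` the read policy. Resource names, region, SKUs and the `azurerm ~> 3.0` provider are assumptions; `versionless_id` and `key_vault_reference_identity_id` are real attributes of that provider.

```hcl
# Added example (not the original post's code): azurerm v3.x layout that avoids
# the app -> vault -> app cycle. Names, region and SKUs are assumed values.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-example"   # assumed
  location = "westeurope"   # assumed
}

# (1) Cognitive service; Azure generates the key, Terraform only reads it.
resource "azurerm_cognitive_account" "cog" {
  name                = "cog-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  kind                = "TextAnalytics"
  sku_name            = "S0"
}

# (2) Identity created before the app, so a policy can reference it early.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-example-app"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# (3) Vault with NO inline access_policy block; policies are separate resources,
# so nothing about the app is pulled into the vault's own dependencies.
resource "azurerm_key_vault" "kv" {
  name                = "kv-example-0001"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# Terraform's own principal needs write rights to create the secret.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
}

# The app identity only ever reads: least privilege.
resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_user_assigned_identity.app.principal_id
  secret_permissions = ["Get", "List"]
}

# (4) Secret holding the generated key.
resource "azurerm_key_vault_secret" "cog_key" {
  name         = "cognitive-api-key"
  value        = azurerm_cognitive_account.cog.primary_access_key
  key_vault_id = azurerm_key_vault.kv.id
  depends_on   = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_service_plan" "plan" {
  name                = "plan-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  os_type             = "Linux"
  sku_name            = "B1"
}

# (5) The app gets only the secret URI; App Service resolves it at runtime.
resource "azurerm_linux_web_app" "app" {
  name                = "app-example-0001"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  service_plan_id     = azurerm_service_plan.plan.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.app.id]
  }
  key_vault_reference_identity_id = azurerm_user_assigned_identity.app.id

  site_config {}

  app_settings = {
    "COGNITIVE_API_KEY" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.cog_key.versionless_id})"
  }

  # The read policy is guaranteed to exist before the app first resolves the reference.
  depends_on = [azurerm_key_vault_access_policy.app]
}
```

The dependency chain becomes app → secret → vault and app → policy → identity, with nothing pointing back at the app. A user-assigned identity is used deliberately: with a system-assigned identity the policy must be created after the app (it needs the app's `principal_id`), so the app's first attempt to resolve the reference can fail until the app is restarted, even though Terraform itself no longer reports a cycle.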

I think I have a similar problem.

I use a disk encryption set for disk encryption and I had to create separate policies outside of the vault resource using “azurerm_key_vault_access_policy” to create a policy that allows the encryption set access.
On that you cannot mix the two methods, it seems to break things.

I can now no longer destroy the vault using Terraform, though, as it kills off the policies first, and then doesn’t have access to the vault to destroy it.

Perhaps that helps. Any help on the vault destruction would be appreciated.