Azurerm_api_connection for keyvault

Hi,
I'm trying to create an API connection (for use with a managed identity) in Terraform for the Key Vault managed API.

Looking at the ARM template, it requires a parameterValueSet as follows:

{
    "kind": "V1",
    "properties": {
        "displayName": "<myKeyvault>",
        "parameterValueSet": {
            "name": "oauthMI",
            "values": {
                "vaultName": {
                    "value": "<myVaultName>"
                }
            }
        },
        "api": {
            "name": "keyvault",
            "displayName": "Azure Key Vault",
            "description": "Azure Key Vault is a service to securely store and access secrets.",
            "iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1656/1.0.1656.3432/keyvault/icon.png",
            "brandColor": "#0079d6",
            "category": "Standard",
            "id": "/subscriptions/<subscriptionId>/providers/Microsoft.Web/locations/<location>/managedApis/keyvault",
            "type": "Microsoft.Web/locations/managedApis"
        },
        "testLinks": [],
        "testRequests": []
    },
    "id": "/subscriptions/<subscriptionId>/resourceGroups/rg-ido-dev-timetracking/providers/Microsoft.Web/connections/keyvault",
    "name": "keyvault",
    "type": "Microsoft.Web/connections",
    "location": "<location>"
}

Per the documentation, Terraform offers no way to pass parameterValueSets; it is only possible to pass parameterValues in the azurerm_api_connection resource.

Is there any way to do this or am I forced to create it via ARM template?


Came here to ask the same question. Did you ever solve this, or did you use a null resource or an ARM template? Funny thing is, I did make it work previously, but I can't for the life of me remember how. Setting the values that are required in parameterValueSet in parameter_settings does not work, as it is the incorrect place for "name".

For example:

parameter_values = {
  name      = "oauthMI"
  vaultName = "keyvaultname"
}

results in the error:

Connection Name: "keyvault"): unexpected status 400 with error: BadRequest: {"Code":"BadRequest","Message":"Input parameters are invalid. See details for more information. Details:errorCode: ParameterNotDefined. Message: Parameter 'name' is not allowed on the connection since it was not defined as a connection parameter when the API was registered.","Target":null,"Details":[{"Message":"Input parameters are invalid

Checking the JSON from a Key Vault connection that IS configured to use MI, we can see it more clearly:

{
    "kind": "V1",
    "properties": {
        "displayName": "keyvault-1",
        "authenticatedUser": {},
        "overallStatus": "Ready",
        "statuses": [
            {
                "status": "Ready"
            }
        ],
        "connectionState": "Enabled",
        "parameterValueSet": {
            "name": "oauthMI",
            "values": {
                "vaultName": {
                    "value": "devKeyVaultName"
                }
            }
        }
    }
}

I've tried this with the latest provider (at this time 4.9.0) and receive the same error. Does anyone have this working or have a workaround?

For those who are interested, I did not manage to solve this with the azurerm_api_connection resource. I worked around it by deploying an azurerm_resource_group_template_deployment resource and was able to pass values in the template that allowed use with a managed identity. This was not my first choice, and I can't imagine why parameterValueSet is not supported in the api_connection resource type, but now that it has been updated in the APIs, the provider needs an update to reflect the changes made to allow managed identities, in my case specifically for AKV.

Here's the snippet in the ARM template that worked (it's an older syntax than the oauthMI shown above, but it still seems to work):

{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[concat(parameters('connections_keyvault_name'), '-1')]",
    "location": "[resourceGroup().location]",
    "properties": {
        "displayName": "[concat(parameters('connections_keyvault_name'), '-1')]",
        "parameterValueType": "Alternative",
        "alternativeParameterValues": {
            "vaultName": "AKV-NAME"
        },
        "statuses": [
            {
                "status": "Ready"
            }
        ],
        "api": {
            "id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'keyvault')]"
        }
    }
}

I believe this could've also been accomplished with the azapi provider, and I plan to look into that, as it is likely a better solution than what I've done with the template deploy.
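The azapi route mentioned in the post above, written out as an added example (this is not code from the thread or from either provider's documentation). azapi_resource sends the request body straight to the Microsoft.Web/connections API, so the parameterValueSet block that azurerm_api_connection cannot express goes through unchanged. Assumptions, all placeholders: resource group rg-example, vault kv-example, region westeurope, azapi provider version 2.x (where body is an HCL object rather than a jsonencode string), and a variable logic_app_principal_id holding the object ID of the Logic App's managed identity that will use the connection.

```hcl
# Added example: Key Vault managed API connection with parameterValueSet "oauthMI"
# via the azapi provider. Names, versions and the principal ID are assumptions.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2.0"   # assumption: v2 body is an HCL object, not a JSON string
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

variable "resource_group_name"   { default = "rg-example" }    # placeholder
variable "location"              { default = "westeurope" }    # placeholder
variable "key_vault_name"        { default = "kv-example" }    # placeholder
variable "logic_app_principal_id" {
  type        = string
  description = "Object ID of the Logic App managed identity (assumed to exist)"
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}

data "azurerm_key_vault" "kv" {
  name                = var.key_vault_name
  resource_group_name = var.resource_group_name
}

# The connection authenticates with the caller's managed identity, so the body
# carries only the vault name and the managed API reference: no token or
# credential is stored in the connection resource itself.
resource "azapi_resource" "keyvault_connection" {
  type      = "Microsoft.Web/connections@2016-06-01"
  name      = "keyvault"
  parent_id = data.azurerm_resource_group.rg.id
  location  = var.location

  # The embedded schema may not know parameterValueSet; let the service validate.
  schema_validation_enabled = false

  body = {
    properties = {
      displayName = var.key_vault_name
      parameterValueSet = {
        name = "oauthMI"
        values = {
          vaultName = { value = var.key_vault_name }
        }
      }
      api = {
        id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Web/locations/${var.location}/managedApis/keyvault"
      }
    }
  }
}

# Because the connection holds no credential, access is decided entirely by the
# identity's permissions on the vault. Grant read-only secret access, nothing more.
resource "azurerm_role_assignment" "logic_app_secrets_user" {
  scope                = data.azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.logic_app_principal_id
}
```

Run `terraform init` and `terraform plan` with the placeholders replaced; the plan should show a single Microsoft.Web/connections resource whose body matches the oauthMI JSON the thread quotes from the portal. The role assignment is the part worth reviewing: with a managed-identity connection there is no secret to rotate or leak from the connection, so least privilege on the vault (Key Vault Secrets User, or an access policy with only get/list on secrets if the vault still uses the access-policy model) is the only control left.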