Hello,
for some reason I’m not able to destroy my terraform workspace. I always get an error saying that I’m not authorised to delete a secret. BUT in my terraform file I’m declaring this permission.
So what I think is happening is: terraform destroys policies before it destroys the secret. Since the policies are already gone I do not have authorisation to delete secrets.
I’ve tried adding dependencies but without luck…
Is there a way to set the order of creation/deletion? Or is there something else wrong with my tf file?
```hcl
# Access policy for the identity running Terraform.
resource "azurerm_key_vault_access_policy" "policy1" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = ["Get"]
  # Permission names as documented by the azurerm provider (title case).
  secret_permissions = ["Delete", "Get", "List", "Set"]

  lifecycle {
    create_before_destroy = true
  }
}

# Access policy for a second principal (object ID redacted).
resource "azurerm_key_vault_access_policy" "pol2" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "REDACTED"

  key_permissions    = ["Get"]
  secret_permissions = ["Delete", "Get", "List", "Set"]

  lifecycle {
    create_before_destroy = true
  }
}

# Secrets depend on both policies so they are created after the policies
# and destroyed before them.
resource "azurerm_key_vault_secret" "secret1" {
  depends_on = [
    azurerm_key_vault_access_policy.policy1,
    azurerm_key_vault_access_policy.pol2,
  ]

  name         = "db-connectionstring"
  value        = "Server=tcp:${azurerm_sql_server.sqlserver.fully_qualified_domain_name},1433;Initial Catalog=${azurerm_sql_database.database.name};Persist Security Info=False;User ID=${azurerm_sql_server.sqlserver.administrator_login};Password=${azurerm_sql_server.sqlserver.administrator_login_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_key_vault_secret" "secret2" {
  depends_on = [
    azurerm_key_vault_access_policy.policy1,
    azurerm_key_vault_access_policy.pol2,
  ]

  name         = "sql-administrator-login-password"
  value        = random_password.password.result
  key_vault_id = azurerm_key_vault.example.id
}
```
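Added illustration, not part of the post above: Terraform derives a dependency graph from attribute references (`azurerm_key_vault.example.id`) and from `depends_on`, applies resources in dependency order and destroys them in the reverse order. The script below is a deliberately minimal stand-in for that graph build (it is not Terraform's HCL parser, and the `azurerm_key_vault.example` block is an assumed stub for the resource the post references elsewhere). It prints the apply and destroy order for a trimmed copy of the post's configuration and, more importantly, reports whether a given ordering is actually guaranteed: the constructed `secret2` has no `depends_on`, so its position relative to the access policies is unspecified.

```python
import re
from collections import deque

# Constructed input: a trimmed copy of the configuration in the post, plus a
# stub for the azurerm_key_vault resource it references. secret2 deliberately
# lacks depends_on to show what an unordered pair looks like.
CONFIG = """
resource "azurerm_key_vault" "example" {
  name = "kv-example"
}

resource "azurerm_key_vault_access_policy" "policy1" {
  key_vault_id       = azurerm_key_vault.example.id
  secret_permissions = ["Delete", "Get", "List", "Set"]
}

resource "azurerm_key_vault_access_policy" "pol2" {
  key_vault_id       = azurerm_key_vault.example.id
  secret_permissions = ["Delete", "Get", "List", "Set"]
}

resource "azurerm_key_vault_secret" "secret1" {
  depends_on   = [azurerm_key_vault_access_policy.policy1, azurerm_key_vault_access_policy.pol2]
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_key_vault_secret" "secret2" {
  key_vault_id = azurerm_key_vault.example.id
}
"""

# Matches top-level resource blocks; the body runs to the first "}" at column 0.
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)


def parse_dependencies(config):
    """Return {address: set(addresses it depends on)}.

    Both implicit references (type.name.attr) and depends_on entries count,
    which is how Terraform itself builds its graph.
    """
    bodies = {f"{t}.{n}": body for t, n, body in RESOURCE_RE.findall(config)}
    deps = {}
    for addr, body in bodies.items():
        deps[addr] = set()
        for other in bodies:
            if other == addr:
                continue
            # Whole-address match: avoid azurerm_key_vault.example matching
            # inside azurerm_key_vault_access_policy.* or similar.
            if re.search(rf"(?<![\w.]){re.escape(other)}(?!\w)", body):
                deps[addr].add(other)
    return deps


def apply_order(deps):
    """Kahn's algorithm: every resource comes after everything it depends on.
    Ties are broken alphabetically so the output is stable."""
    remaining = {a: set(d) for a, d in deps.items()}
    order = []
    while remaining:
        ready = sorted(a for a, d in remaining.items() if not d)
        if not ready:
            raise ValueError("dependency cycle in configuration")
        for a in ready:
            order.append(a)
            del remaining[a]
        for d in remaining.values():
            d.difference_update(ready)
    return order


def destroy_order(deps):
    """Terraform destroys in the reverse of the apply order."""
    return list(reversed(apply_order(deps)))


def destroyed_before(deps, a, b):
    """True only if Terraform is guaranteed to destroy a before b, i.e. a
    depends on b transitively. Without such a path the relative order is
    unspecified and may differ between runs."""
    seen, queue = set(), deque([a])
    while queue:
        for d in deps.get(queue.popleft(), ()):
            if d == b:
                return True
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return False


if __name__ == "__main__":
    deps = parse_dependencies(CONFIG)
    print("apply order:  ", apply_order(deps))
    print("destroy order:", destroy_order(deps))
    for secret in ("azurerm_key_vault_secret.secret1", "azurerm_key_vault_secret.secret2"):
        for policy in ("azurerm_key_vault_access_policy.policy1", "azurerm_key_vault_access_policy.pol2"):
            print(f"{secret} guaranteed before {policy}: {destroyed_before(deps, secret, policy)}")
```

For a real workspace the same question can be put to Terraform itself with `terraform graph -type=plan-destroy`: if every secret has an edge to the access policy of the identity running the destroy, the secret deletion is scheduled before the policy removal, and a "not authorised" error then points at something other than ordering, such as the policy not actually covering the identity Terraform is running as.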