Destroying Azure Key Vault with policies and/or secrets

Hello,

for some reason I’m not able to destroy my terraform workspace. I always get an error that I’m not authorised to delete a secret. BUT in my terraform file I’m declaring this permission.

So what I think is happening is: terraform destroys policies before it destroys the secret. Since the policies are already gone I do not have authorisation to delete secrets.

I’ve tried adding dependencies but without luck…

Is there a way to set the order of creation/deletion? Or is there something else wrong with my tf file?

```hcl
# Access policy for the identity running terraform (the deployer).
resource "azurerm_key_vault_access_policy" "policy1" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  key_permissions    = ["Get"]
  # Permission names normalised to the documented capitalisation.
  secret_permissions = ["Delete", "Get", "List", "Set"]
  lifecycle {
    create_before_destroy = true
  }
}

# Access policy for a second principal (object id redacted by the poster).
resource "azurerm_key_vault_access_policy" "pol2" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = "REDACTED"
  key_permissions    = ["Get"]
  secret_permissions = ["Delete", "Get", "List", "Set"]
  lifecycle {
    create_before_destroy = true
  }
}

# Secrets depend explicitly on both policies so they are created after,
# and destroyed before, the policies that grant the Delete permission.
resource "azurerm_key_vault_secret" "secret1" {
  depends_on   = [azurerm_key_vault_access_policy.policy1, azurerm_key_vault_access_policy.pol2]
  name         = "db-connectionstring"
  # Note: this connection string embeds the SQL administrator password,
  # so it is as sensitive as secret2 below.
  value        = "Server=tcp:${azurerm_sql_server.sqlserver.fully_qualified_domain_name},1433;Initial Catalog=${azurerm_sql_database.database.name};Persist Security Info=False;User ID=${azurerm_sql_server.sqlserver.administrator_login};Password=${azurerm_sql_server.sqlserver.administrator_login_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_key_vault_secret" "secret2" {
  depends_on   = [azurerm_key_vault_access_policy.policy1, azurerm_key_vault_access_policy.pol2]
  name         = "sql-administrator-login-password"
  value        = random_password.password.result
  key_vault_id = azurerm_key_vault.example.id
}
```

1 Like

Apparently updating an access policy causes problems as well… When I update my objectID terraform does not succeed in destroying the old policy. Can anybody help?

Are you using azurerm 2.48.0? I encountered similar. Upon downgrading back to 2.47.0, the KVAP removal issue is gone. Regression in provider?

I wonder if this is/was the culprit:

1 Like
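One alternative layout for the configuration in the first post, combined with the provider pin suggested in the reply above. This is an added example, not code from the thread or from the azurerm provider: the deployer's policy is declared inline in the vault resource, so no standalone policy object can be destroyed before the secrets, and the version pin follows the reply's report. `azurerm_resource_group.example`, `var.app_object_id` and the vault name are assumed placeholders.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.47.0" # assumption: pinned to the release the reply reports as working
    }
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "kv-example-placeholder" # placeholder name
  location            = azurerm_resource_group.example.location # assumed resource group
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # The deployer's policy lives inside the vault resource. Secrets reference
  # key_vault_id, so terraform destroys them before the vault (and this
  # policy) rather than after a separate policy resource is removed.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    key_permissions    = ["Get"]
    secret_permissions = ["Delete", "Get", "List", "Set"]
  }

  # Second principal, also inline: the provider documentation advises not to
  # mix inline access_policy blocks with azurerm_key_vault_access_policy
  # resources on the same vault.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = var.app_object_id # assumption: variable holding the REDACTED id
    key_permissions    = ["Get"]
    secret_permissions = ["Get", "List"]   # read-only for the consuming application
  }
}

resource "azurerm_key_vault_secret" "secret2" {
  name         = "sql-administrator-login-password"
  value        = random_password.password.result
  key_vault_id = azurerm_key_vault.example.id # implicit dependency on the vault
}
```

Before running `terraform destroy` on an existing workspace, migrating policies from standalone resources to inline blocks requires removing the old `azurerm_key_vault_access_policy` resources from state first, since both forms cannot manage the same vault.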