How to grant Azure API Management access to a key vault in a single TF run?


I have a PowerShell script that creates an Azure API Management service with a custom HTTPS domain using an SSL certificate stored in an Azure key vault. I’m converting it to Terraform but running into a problem.

TF creates the APIM with a ‘System Assigned’ identity, and the ID needs to be granted permissions in the key vault to access the SSL cert so APIM can be created with the custom domain. However, TF can’t grant the ID access to key vault until APIM has been created, but APIM can’t be created until the ID has been granted access to key vault.

In PowerShell, this is handled in one script:

  1. Create APIM with its ‘System Assigned’ identity
  2. Grant the ID permissions in key vault so APIM can access the SSL cert
  3. Modify APIM to add the custom HTTPS domain

As far as I understand, TF doesn’t have the ability to perform these three steps - TF wants to create the resource as a whole rather than create + modify later.

I found this TF GitHub issue ( and the only suggestion is to perform multiple TF runs. But can TF do something similar to the PowerShell script, maybe using modules and in one run?

If multiple TF runs is the only option, what’s the ‘proper’ way to structure and trigger subsequent runs using TF Cloud? The only way that would work, as far as I can tell, is if I had two TF Cloud workspaces with a shared state, but this seems clunky and cumbersome. I hope there’s a more elegant solution.
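One way to keep this to a single run, added here as an illustration rather than the poster's script: leave the hostname out of the `azurerm_api_management` block and attach it afterwards with the separate `azurerm_api_management_custom_domain` resource, so Terraform orders the work as create APIM (with identity), grant the identity access, then add the domain. It assumes the azurerm provider's `azurerm_key_vault_access_policy` and `azurerm_api_management_custom_domain` resources, an existing `azurerm_key_vault.kv` that uses access policies (not RBAC) and holds the certificate as `apim-tls`, and placeholder names; attribute names such as `versionless_secret_id` should be checked against the provider version in use.

```hcl
# Added example (not the poster's script). Assumes an existing resource group
# `rg` and key vault `kv` (access-policy mode) holding certificate "apim-tls";
# names, SKU and host name are placeholders.
data "azurerm_client_config" "current" {}

data "azurerm_key_vault_certificate" "tls" {
  name         = "apim-tls"
  key_vault_id = azurerm_key_vault.kv.id
}

# Step 1: create APIM with a System Assigned identity and no custom domain yet.
# Putting a hostname_configuration block here would recreate the cycle.
resource "azurerm_api_management" "apim" {
  name                = "apim-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  publisher_name      = "Example"
  publisher_email     = "ops@example.com"
  sku_name            = "Developer_1"

  identity {
    type = "SystemAssigned"
  }
}

# Step 2: grant the new identity the minimum it needs: APIM reads the
# certificate as a Key Vault secret, so only secret "Get" is required.
resource "azurerm_key_vault_access_policy" "apim" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_api_management.apim.identity[0].principal_id

  secret_permissions = ["Get"]
}

# Step 3: attach the custom domain as its own resource, after the policy
# exists. The versionless secret id lets the cert rotate without a TF change.
resource "azurerm_api_management_custom_domain" "apim" {
  api_management_id = azurerm_api_management.apim.id

  gateway {
    host_name    = "api.example.com"
    key_vault_id = data.azurerm_key_vault_certificate.tls.versionless_secret_id
  }

  depends_on = [azurerm_key_vault_access_policy.apim]
}
```

The explicit `depends_on` is what guarantees the policy is applied before APIM tries to read the certificate; if the vault uses RBAC instead of access policies, replace the policy with an `azurerm_role_assignment` granting the same principal the Key Vault Secrets User role and keep the `depends_on` pointing at it.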