Permissions errors trying to use /Azure/terraform/quickstart/301-service-fabric-apim

i255d · December 16, 2019, 8:43pm

Here is the code from Keyvault.tf:

resource “azurerm_key_vault” “cluster” {

name = “{var.dns_prefix}-{substr(var.name, 0, 12)}-${var.environment_short}-kv”

location = azurerm_resource_group.default.location

resource_group_name = azurerm_resource_group.default.name

tenant_id = data.azurerm_client_config.current.tenant_id

enabled_for_deployment = true

enabled_for_disk_encryption = true

enabled_for_template_deployment = true

sku_name = “standard”

access_policy {

tenant_id = data.azurerm_subscription.current.tenant_id

object_id = var.client_object_id

certificate_permissions = [

  "create",

  "delete",

  "deleteissuers",

  "get",

  "getissuers",

  "import",

  "list",

  "listissuers",

  "managecontacts",

  "manageissuers",

  "setissuers",

  "update",

]

key_permissions = [

  "backup",

  "create",

  "decrypt",

  "delete",

  "encrypt",

  "get",

  "import",

  "list",

  "purge",

  "recover",

  "restore",

  "sign",

  "unwrapKey",

  "update",

  "verify",

  "wrapKey",

]

secret_permissions = [

  "backup",

  "delete",

  "get",

  "list",

  "purge",

  "recover",

  "restore",

  "set",

]

}

resource “azurerm_key_vault_certificate” “cluster” {

name = “service-fabric-cluster”

key_vault_id = azurerm_key_vault.cluster.id

certificate_policy {

issuer_parameters {

  name = "Self"

}

key_properties {

  exportable = true

  key_size   = 2048

  key_type   = "RSA"

  reuse_key  = true

}

lifetime_action {

  action {

    action_type = "AutoRenew"

  }

  trigger {

    days_before_expiry = 30

  }

}

secret_properties {

  content_type = "application/x-pkcs12"

}

x509_certificate_properties {

  # Server Authentication = 1.3.6.1.5.5.7.3.1

  # Client Authentication = 1.3.6.1.5.5.7.3.2

  #extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

  extended_key_usage = [

    "1.3.6.1.5.5.7.3.1", # Server Authentication

    "1.3.6.1.5.5.7.3.2", # Client Authentication

  ]

  key_usage = [

    "cRLSign",

    "dataEncipherment",

    "digitalSignature",

    "keyAgreement",

    "keyCertSign",

    "keyEncipherment",

  ]

  subject_alternative_names {

    dns_names = ["sfdemosandbox.denvermtc.net"]

  }

  subject            = "CN=mtcdenver"

  validity_in_months = 12

}

}

resource “azurerm_key_vault_certificate” “client” {

name = “service-fabric-client”

key_vault_id = azurerm_key_vault.cluster.id

certificate_policy {

issuer_parameters {

  name = "Self"

}

key_properties {

  exportable = true

  key_size   = 2048

  key_type   = "RSA"

  reuse_key  = true

}

lifetime_action {

  action {

    action_type = "AutoRenew"

  }

  trigger {

    days_before_expiry = 30

  }

}

secret_properties {

  content_type = "application/x-pkcs12"

}

x509_certificate_properties {

  # Server Authentication = 1.3.6.1.5.5.7.3.1

  # Client Authentication = 1.3.6.1.5.5.7.3.2

  #extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

  extended_key_usage = [

    "1.3.6.1.5.5.7.3.1", # Server Authentication

    "1.3.6.1.5.5.7.3.2", # Client Authentication

  ]

  key_usage = [

    "cRLSign",

    "dataEncipherment",

    "digitalSignature",

    "keyAgreement",

    "keyCertSign",

    "keyEncipherment",

  ]

  subject_alternative_names {

    dns_names = ["sfdemosandbox.denvermtc.net"]

  }

  subject            = "CN=mtcdenver"

  validity_in_months = 12

}

}

Topic		Replies	Views
Adding a Keyvault Secret after Keyvault Creation fails with 403 Forbidden Access Error Terraform azure	0	2492	May 31, 2022
AZURERM - Error with KEYVAULT Creation while creating ML Workspace Azure	0	1005	September 8, 2023
Terraform provider registration failure (Azure) Azure	3	8722	June 15, 2023
Azurerm_key_vault_secret --> InnerError={"code":"ForbiddenByRbac"} Azure vault , azure	1	1356	July 16, 2023
Create a management group Terraform	4	1738	December 4, 2020

Permissions errors trying to use /Azure/terraform/quickstart/301-service-fabric-apim

Related topics