Subscription ID is replaced when working with multiple subscriptions

In the end I need to copy a secret from subscription A to subscription B.
But what happens is that Terraform replaces the subscription ID with the one of subscription A when trying to get data from the key vault in subscription B. That ends up in an error:

Error: making Read request on KeyVault "keyvault-sub-b": keyvault.VaultsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'someone@somedomain.com' with object id 'xxxxxxx' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/subscription a id but should be subscription b id/resourceGroups/rg-sub-b/providers/Microsoft.KeyVault/vaults/keyvault-sub-b' or the scope is invalid. If access was recently granted, please refresh your credentials."

It is not a permission issue, because the permissions are in place and working. It is going wrong because Terraform is somehow replacing the subscription ID of subscription B with that of subscription A when trying to get data from keyvault-sub-b.
This happens even when I hard-code the subscription IDs.

terraform {
  required_version = ">= 0.14.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=2.80.0"
    }
  }
}

provider "azurerm" {
  features {}
  skip_provider_registration = true
}

data "azurerm_key_vault" "subscription-a" {
  name                = "keyvault-sub-a"
  resource_group_name = "rg-sub-a"
}

data "azurerm_key_vault" "subscription-b" {
  name                = "keyvault-sub-b"
  resource_group_name = "rg-sub-b"
}

data "azurerm_key_vault_secret" "subscription-a" {
  name         = "test-key-sub-a"
  key_vault_id = data.azurerm_key_vault.subscription-a.id
}

data "azurerm_key_vault_secret" "subscription-b" {
  name         = "test-key-sub-b"
  key_vault_id = data.azurerm_key_vault.subscription-b.id
}

Seeing exactly the same issue. Even on a Terraform plan, which in theory should mostly (entirely, even, I'd have thought) be static, non-mutated infrastructure and state files, sometimes it looks in subscription A for the key vault and sometimes in subscription B. This issue was raised here I see but was closed off as a configuration issue: Subscription ID is replaced when working with multiple subscriptions

I don't see how this can be a configuration issue and I think this bug was closed prematurely, but if I'm wrong and this is a configuration issue, can someone suggest how to fix it? It's causing chaos on the project I'm working on at the moment. We have CI runs that deploy through a few environments and then it'll fail on the last one randomly, taking up a whole lot of time for what seems to be an azurerm bug to me. I'm happy to be pointed to how I can fix my configuration and get this working.


As per my understanding, multiple azurerm providers have to be defined and used within the given data source.

provider "azurerm" {
  features {}
  skip_provider_registration = true
}

provider "azurerm" {
  alias           = "subb"
  subscription_id = "xxxx-xxxx-xxxx"
}

data "azurerm_key_vault" "subscription-a" {
  name                = "keyvault-sub-a"
  resource_group_name = "rg-sub-a"
}

data "azurerm_key_vault" "subscription-b" {
  provider            = "azurerm.subb"
  name                = "keyvault-sub-b"
  resource_group_name = "rg-sub-b"
}
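Carrying the alias approach from the reply above through to the original goal (copying the secret from subscription A into subscription B), here is an added example configuration that is not from this thread. It assumes the terraform/required_providers block from the question, and every resource and data source is pinned to an explicit alias so that nothing silently falls back to whichever subscription the default provider resolves to; the subscription IDs are placeholders.

```hcl
# Default provider, kept only for anything that does not name an alias.
provider "azurerm" {
  features {}
  skip_provider_registration = true
}

# One alias per subscription; both IDs are placeholders.
provider "azurerm" {
  alias           = "suba"
  subscription_id = "00000000-0000-0000-0000-00000000000a" # placeholder
  features {}
}

provider "azurerm" {
  alias           = "subb"
  subscription_id = "00000000-0000-0000-0000-00000000000b" # placeholder
  features {}
}

data "azurerm_key_vault" "subscription-a" {
  provider            = azurerm.suba
  name                = "keyvault-sub-a"
  resource_group_name = "rg-sub-a"
}

data "azurerm_key_vault_secret" "subscription-a" {
  provider     = azurerm.suba
  name         = "test-key-sub-a"
  key_vault_id = data.azurerm_key_vault.subscription-a.id
}

data "azurerm_key_vault" "subscription-b" {
  provider            = azurerm.subb
  name                = "keyvault-sub-b"
  resource_group_name = "rg-sub-b"
}

# Write the secret into subscription B's vault (the value is sensitive).
resource "azurerm_key_vault_secret" "copied" {
  provider     = azurerm.subb
  name         = "test-key-sub-a"
  value        = data.azurerm_key_vault_secret.subscription-a.value
  key_vault_id = data.azurerm_key_vault.subscription-b.id
}
```

Because Terraform carries the secret value through its state, the state backend needs the same access control as the vaults themselves.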

This works fine for this case, but the use case here is not data entries for existing secrets in existing key vaults; the use case here is creating key vaults with the azurerm_key_vault resource. If you don't explicitly point it to a provider (in which case I understand it should take the default provider; everything else does, at least, and consistently) it always seems to create it in the default provider, but then when it tries to read it on future runs it can be either the default subscription or the other one that should need an alias.

I have found a workaround where we've created a whole new provider alias that points to the same place as the default provider and explicitly point resources towards that. Even if we explicitly pointed it to the default provider it would still sometimes point to the other alias.

NB: Apologies if my terminology about default providers/aliases/etc is wrong. I’m not 100% sure I know the right terminology here. If I need to clarify something please let me know and I’ll happily do so.