Terraform wants to remove Key Vault access policies created by Terraform?

I’m using Terraform Cloud. My script creates several Azure key vaults and also creates access policies to those key vaults for my App Services. For example:

In module key-vault

# The module references this data source below, so it needs its own declaration.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                        = var.kv_name
  resource_group_name         = var.rg_name
  location                    = var.location
  enabled_for_disk_encryption = var.enabled_for_disk_encryption
  purge_protection_enabled    = var.purge_protection
  sku_name                    = var.sku_name
  soft_delete_retention_days  = var.soft_delete_retention_days
  tenant_id                   = data.azurerm_client_config.current.tenant_id

  # Inline policy: this block is owned by the azurerm_key_vault resource itself.
  access_policy {
    # Grant access to Terraform
    object_id               = data.azurerm_client_config.current.object_id
    tenant_id               = data.azurerm_client_config.current.tenant_id
    certificate_permissions = [
      "Delete",
      "Get",
      "Import",
      "List",
      "Purge",
      "Update"
    ]
    key_permissions         = [
      "Get",
      "List",
      "Purge"
    ]
    secret_permissions      = [
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Set"
    ]
    storage_permissions     = [
      "Get",
      "List"
    ]
  }
 
  tags = var.tags
}

output "kv_id" {
  description = "Key vault ID"
  value       = azurerm_key_vault.kv.id
}

In main.tf

module "kv" {
  source   = "./modules/key-vault"
  kv_name  = "my-kv"
  location = azurerm_resource_group.rg.location
  rg_name  = azurerm_resource_group.rg.name
  tags     = azurerm_resource_group.rg.tags
}

# Standalone policy resource for the App Service's system-assigned identity.
resource "azurerm_key_vault_access_policy" "app_service" {
  key_vault_id       = module.kv.kv_id
  object_id          = azurerm_app_service.my_app.identity[0].principal_id
  tenant_id          = data.azurerm_client_config.current.tenant_id

  key_permissions = [
    "Get",
    "List"
  ]
  secret_permissions = [
    "Get",
    "List",
    "Set"
  ]
  storage_permissions = [
    "Get",
    "List"
  ]
}

The first time I run the entire script, everything is created correctly. If I run Terraform plan again, Terraform says it wants to remove the key vault access policies and does not recreate them. I thought I was misreading it so I applied it, and yes, Terraform removed the access policies.

Why is Terraform doing this?

Hi, I am facing the same issue. Did you find any solution?
I have also posted the same question there.

Check out the official documentation. Basically, you should not combine creating policies inside the key_vault block with using standalone resources, but only do it one way: either directly within the key_vault block, or completely separately in their own resources.
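For a concrete picture of the "only one way" layout from the reply above, here is the same configuration rewritten so that every policy, including Terraform's own, is a standalone azurerm_key_vault_access_policy resource and the vault carries no inline access_policy block. This is an added example, not code from the original post or from the azurerm provider documentation; it reuses the question's names (module kv, azurerm_app_service.my_app, azurerm_resource_group.rg, data.azurerm_client_config.current), and the trimmed permission lists are my own least-privilege assumptions about what each principal needs.

```hcl
# modules/key-vault/main.tf

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                        = var.kv_name
  resource_group_name         = var.rg_name
  location                    = var.location
  enabled_for_disk_encryption = var.enabled_for_disk_encryption
  purge_protection_enabled    = var.purge_protection
  sku_name                    = var.sku_name
  soft_delete_retention_days  = var.soft_delete_retention_days
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  tags                        = var.tags

  # Deliberately no access_policy block. The argument is left out entirely
  # (not set to []): omitting it hands ownership of the policy list to the
  # standalone resources below, while access_policy = [] would tell the vault
  # resource to strip every policy on each apply.
}

output "kv_id" {
  description = "Key vault ID"
  value       = azurerm_key_vault.kv.id
}

# Terraform's own identity, now as a standalone resource inside the module.
# Assumed permissions: enough to create, update, delete and recover secrets.
# "Purge" is only required when the provider feature flag
# key_vault { purge_soft_delete_on_destroy = true } is enabled; drop it otherwise.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions      = ["Get", "List", "Set", "Delete", "Recover", "Purge"]
  certificate_permissions = ["Get", "List", "Import", "Update", "Delete", "Purge"]
  key_permissions         = ["Get", "List"]
}

# main.tf (root module)

module "kv" {
  source   = "./modules/key-vault"
  kv_name  = "my-kv"
  location = azurerm_resource_group.rg.location
  rg_name  = azurerm_resource_group.rg.name
  tags     = azurerm_resource_group.rg.tags
}

# App Service managed identity: a web app that only reads configuration needs
# read access to secrets and nothing more (assumed; widen if the app writes).
resource "azurerm_key_vault_access_policy" "app_service" {
  key_vault_id = module.kv.kv_id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_app_service.my_app.identity[0].principal_id

  secret_permissions = ["Get", "List"]
}

# Any azurerm_key_vault_secret written by this run must wait for Terraform's
# own policy, otherwise the first apply fails with a 403 from the data plane.
resource "azurerm_key_vault_secret" "example" {
  name         = "db-connection-string"   # constructed example secret
  value        = var.db_connection_string
  key_vault_id = module.kv.kv_id

  depends_on = [module.kv]
}
```

Why this fixes the plan: when the vault resource has an inline access_policy block, the provider treats that block as the complete list of policies on the vault, so a policy added by a separate azurerm_key_vault_access_policy resource shows up on the next refresh as something the vault resource did not declare and must remove; the standalone resource, in turn, still believes its policy exists, so nothing recreates it. With the block omitted, the vault resource reads the policy list as computed state and leaves it alone. Two practitioner caveats: first, access-policy writes go through the Azure Resource Manager control plane, so the Terraform identity needs no data-plane permissions at all unless the run also reads or writes secrets, keys or certificates; second, because the second policy resource above depends on module.kv only through the vault ID, a run that writes secrets needs the explicit depends_on shown, or the secret may be created before Terraform's own policy exists.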