I'm experimenting with using Terraform to set up a scenario in Azure where Terraform creates:
- an Azure function app with Managed Service Identity
- an Azure Key Vault
- a Key Vault access policy that allows the function app to access secrets in the key vault
My problem is around using the object id (principal id) of the MSI set up for the function app in the definition of the key vault access policy; I suspect I'm doing something wrong (and/or stupid)...
The error I get from a Terraform apply is:
azurerm_key_vault_access_policy.msi-test-to-keyvault-test: "object_id" is an invalid UUUID: uuid: UUID string too short: 1
I suspect the issue may be with the way I'm trying to reference the object id of the service principal created off the MSI identity in the access policy definition:
object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"
(the doco for the azurerm function app attributes section says that identity exports principal_id, however I have no idea what the correct syntax is to reference this attribute :( )
The Terraform template is:
resource "azurerm_function_app" "rg-func-app__funcapp" {
  name                      = "${local.deployed-func-app-name}"
  location                  = "${azurerm_resource_group.rg-func-app.location}"
  resource_group_name       = "${azurerm_resource_group.rg-func-app.name}"
  app_service_plan_id       = "${azurerm_app_service_plan.rg-func-app__appsvcpln.id}"
  storage_connection_string = "${azurerm_storage_account.rg-func-app__sa.primary_connection_string}"
  version                   = "~1"

  app_settings {
    "TEST_KEYVAULT_URL" = "${azurerm_key_vault.test.vault_uri}"
  }

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault" "test" {
  name                = "msi-test-vault"
  location            = "${azurerm_resource_group.rg-func-app.location}"
  resource_group_name = "${azurerm_resource_group.rg-func-app.name}"

  sku {
    name = "standard"
  }

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
}

resource "azurerm_key_vault_secret" "test" {
  name      = "secret-sauce"
  value     = "szechuan"
  vault_uri = "${azurerm_key_vault.test.vault_uri}"
}

resource "azurerm_key_vault_access_policy" "msi-test-to-keyvault-test" {
  vault_name          = "${azurerm_key_vault.test.name}"
  resource_group_name = "${azurerm_key_vault.test.resource_group_name}"
  tenant_id           = "${azurerm_key_vault.test.tenant_id}"
  object_id           = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"

  key_permissions = [
    "get",
  ]

  secret_permissions = [
    "get",
  ]
}
Any pointers gratefully received.
Cheers, Andy
To grant an application access to use keys in a key vault, you grant data plane access by using Azure RBAC or a Key Vault access policy. To grant a user read access to Key Vault properties and tags, but not access to data (keys, secrets, or certificates), you grant management plane access with Azure RBAC.
Granting your app access to Key Vault
In order to read secrets from Key Vault, you need to have a vault created and give your app permission to access it. Create a key vault by following the Key Vault quickstart. Create a managed identity for your application.
After a bit more poking around, a solution appears to be changing the incantation to retrieve the principal_id to:
object_id = "${lookup(azurerm_function_app.rg-func-app__funcapp.identity[0],"principal_id")}"
This results in the access policy being created as expected.
Check out the terraform.tfstate file, which has all the available options in it, or the terraform show command. This will reveal that the GUID property you are looking for can be found at
object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.0.principal_id}"
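Both answers point at the state file as the place to confirm what Terraform actually knows about the identity. The following script is an added example, not code from the question or the answers: it reads a constructed excerpt of a Terraform 0.12+ state file (format version 4, with made-up GUIDs), pulls principal_id from the first identity block the same way the identity[0] / identity.0 syntax does, validates that it is a UUID (the check the "UUID string too short" error was failing), and confirms that the access policy's object_id targets that identity and grants nothing beyond the data-plane permissions the app needs. The resource names are taken from the question; the state layout is the standard one, but the values are invented.

```python
import json
import uuid

# Constructed excerpt of a Terraform state file (format version 4).
# Resource names match the question; GUIDs and other values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "mode": "managed",
            "type": "azurerm_function_app",
            "name": "rg-func-app__funcapp",
            "instances": [{"attributes": {
                "name": "example-func",
                # identity is a LIST of blocks: identity.principal_id does not
                # resolve, identity[0].principal_id (or identity.0.principal_id) does.
                "identity": [{
                    "type": "SystemAssigned",
                    "principal_id": "11111111-2222-3333-4444-555555555555",
                    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                }],
            }}],
        },
        {
            "mode": "managed",
            "type": "azurerm_key_vault_access_policy",
            "name": "msi-test-to-keyvault-test",
            "instances": [{"attributes": {
                "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                "object_id": "11111111-2222-3333-4444-555555555555",
                "key_permissions": ["get"],
                "secret_permissions": ["get"],
            }}],
        },
    ],
})


def find_resource(state, rtype, name):
    """Return the attributes of the first instance of a managed resource, or None."""
    for res in state.get("resources", []):
        if res.get("mode") == "managed" and res["type"] == rtype and res["name"] == name:
            return res["instances"][0]["attributes"]
    return None


def msi_principal_id(state, func_app_name):
    """principal_id of the function app's system-assigned identity (first identity block)."""
    attrs = find_resource(state, "azurerm_function_app", func_app_name)
    if attrs is None:
        raise KeyError(f"azurerm_function_app.{func_app_name} not in state")
    identity = attrs.get("identity") or []
    if not identity:
        raise ValueError("function app has no identity block; was type = SystemAssigned set?")
    return identity[0]["principal_id"]


def check_access_policy(state_json, func_app_name, policy_name, allowed_secret_perms=("get",)):
    """Return a list of findings (empty means the policy is scoped as intended).

    Checks: principal_id is a real UUID, the policy's object_id is that principal,
    secret permissions are within the allowed set, and no key permissions are
    granted (the app only reads secrets, so it needs none)."""
    state = json.loads(state_json)
    findings = []
    principal = msi_principal_id(state, func_app_name)
    try:
        uuid.UUID(principal)
    except ValueError:
        findings.append(f"principal_id {principal!r} is not a valid UUID")

    policy = find_resource(state, "azurerm_key_vault_access_policy", policy_name)
    if policy is None:
        return findings + [f"access policy {policy_name} not in state"]
    if policy.get("object_id") != principal:
        findings.append("object_id does not match the function app's principal_id")

    granted = {p.lower() for p in policy.get("secret_permissions", [])}
    extra = granted - set(allowed_secret_perms)
    if extra:
        findings.append(f"unexpected secret permissions: {sorted(extra)}")
    if policy.get("key_permissions"):
        findings.append(f"key permissions granted but app only reads secrets: {policy['key_permissions']}")
    return findings


if __name__ == "__main__":
    for f in check_access_policy(SAMPLE_STATE, "rg-func-app__funcapp", "msi-test-to-keyvault-test"):
        print("FINDING:", f)
```

Run against a real terraform.tfstate (pass the file's contents as state_json), it flags the one thing the original template over-grants: key_permissions = ["get"] on an app that only ever reads a secret. The same state file also holds the storage connection string and the value of secret-sauce in plain text, so it should be stored and shared with the same care as the vault contents themselves.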