Terraform - How to get App Service object id for azurerm key vault access policy?

Using Terraform, I am trying to add a key vault access policy to an application (that is also created in Terraform), which requires an object_id (which is a GUID) of that application. In an ARM template it looks like this:

 "objectId": "[reference(variables('myAppResourceId'), '2015-08-31-PREVIEW').principalId]"

so Terraform needs the principal id there to be assigned to the object_id. If I use the value "object_id = ${azurerm_app_service.myApp.id}" like this:

  resource "azurerm_key_vault_access_policy" "pol1" {
    vault_name          = "${azurerm_key_vault.kv1.name}"
    resource_group_name = "${azurerm_key_vault.kv1.resource_group_name}"

    tenant_id = "${data.azurerm_subscription.current.subscription_id}"
    object_id = "${azurerm_app_service.myApp.id}"

    key_permissions    = "${var.app_keys_permissions}"
    secret_permissions = "${var.app_secrets_permissions}"
  }

then when I run apply command, I get the following error:

azurerm_key_vault_access_policy.pol1: "object_id" is an invalid UUUID: encoding/hex: invalid byte: U+002F '/'

This is probably because the id looks like a URL with slashes, so this does not work, since I need the GUID only.


I also tried a suggestion from Terraform grant azure function app with msi access to azure keyvault, by using object_id = "${lookup(azurerm_app_service.app1.identity[0],"principal_id")}" for an app service instead of the function, and I get an error:

 azurerm_key_vault_access_policy.appPolicy1: At column 43, line 1: list "azurerm_app_service.app1.identity" does not have any elements so cannot determine type. in:

${lookup(azurerm_app_service.app1.identity[0],"principal_id")}

Could someone help me with this object_id please?

Thanks

asked Jan 14 '19 21:01 by tridy




1 Answer

When you read the description of the azurerm_key_vault_access_policy property object_id, you should see that it can mean the web app principal Id.

And the azurerm_app_service.myApp.id that you put in is not the principal Id, it's the app service resource Id. You should put in the azurerm_app_service.myApp.identity.principal_id that is associated with your web app. Take a look at the Attributes of the App Service Resource. Hope this will help you.

However, something not mentioned in the documentation is the need to specify an identity block in your app_service declaration:

  identity {
    type = "SystemAssigned"
  }

If you don't specify it, you might get an empty list as identity attribute.

answered Sep 27 '22 18:09 by Charles Xu
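Putting the answer together as one working configuration (an added example, not code from the question or the answer): it keeps the Terraform 0.11 / azurerm 1.x style the question uses, assumes `azurerm_resource_group.rg1`, `azurerm_app_service_plan.plan1` and `azurerm_key_vault.kv1` are declared elsewhere, and takes `tenant_id` from `data.azurerm_client_config` (the AAD tenant the identity lives in) rather than the subscription id the question used.

```hcl
# Added example, not from the question or answer. Resource group "rg1",
# app service plan "plan1" and key vault "kv1" are assumed to exist in the
# same configuration. Names ending in PLACEHOLDER must be replaced.
data "azurerm_client_config" "current" {}

resource "azurerm_app_service" "myApp" {
  name                = "example-app-PLACEHOLDER"
  location            = "${azurerm_resource_group.rg1.location}"
  resource_group_name = "${azurerm_resource_group.rg1.name}"
  app_service_plan_id = "${azurerm_app_service_plan.plan1.id}"

  # Without this block no managed identity is created, the identity
  # attribute is an empty list, and the lookup(...identity[0]...) in the
  # question fails with "does not have any elements".
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "pol1" {
  vault_name          = "${azurerm_key_vault.kv1.name}"
  resource_group_name = "${azurerm_key_vault.kv1.resource_group_name}"

  # The access policy needs the AAD tenant id of the identity, which is
  # not the same value as the subscription id.
  tenant_id = "${data.azurerm_client_config.current.tenant_id}"

  # The GUID of the app's system-assigned identity. The resource id
  # (azurerm_app_service.myApp.id) contains '/' and fails UUID validation.
  object_id = "${azurerm_app_service.myApp.identity.0.principal_id}"

  # Grant only what the app actually needs to read its configuration.
  secret_permissions = ["get", "list"]
}

# Expose the principal id so it can be checked against the portal or
# `az webapp identity show` after apply.
output "myApp_principal_id" {
  value = "${azurerm_app_service.myApp.identity.0.principal_id}"
}
```

Because the identity is only known after the app service is created, Terraform sequences the policy after the app automatically through the attribute reference; no explicit depends_on is needed.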