Develop Reference

Error Key Vault object_id is an invalid UUID - Terraform/Azure

I'm deploying an Azure Application Gateway in Terraform and I want to store my SSL private certificate for the https between Internet and my App-gtw in an Azure Key Vault.
The code, omitting useless information in the application gateway module, is:
module "agw_user_assigned_identity" {
source = "../modules/resources-blocks/user_assigned_identity"
user_assigned_identity_name = "agw-user-signed-id"
resource_group_name = module.resource_group.name
resource_group_location = module.resource_group.location
}
module "key_vault" {
source = "../modules/resources/key_vault"
key_vault_name = local.key_vault_name
resource_group_location = module.resource_group.location
resource_group_name = module.resource_group.name
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = module.agw_user_assigned_identity.id
soft_delete_retention_days = 90
log_analytics_workspace_id = module.log_analytics_workspace.id
enable_diagnostic_setting = true
}
module "key_vault_private_certificate" {
source = "../modules/resources-blocks/key_vault_certificate"
key_vault_id = module.key_vault.id
certificate_name = local.agw_certificate_name
certificate_path = "./certificates/xxxxx.pfx"
certificate_password = var.SSL_CERTIFICATE_PASSWORD
}
resource "null_resource" "previous" {}
module "agw_time_sleep" {
source = "../modules/resources-blocks/time_sleep"
select_module = module.key_vault
seconds = "200s"
}
module "application_gateway" {
source = "../modules/resources-hub/application_gateway"
resource_group_name = module.resource_group.name
resource_group_location = module.resource_group.location
application_gateway_name = local.agw_name
key_vault_private_certificate_id = module.key_vault_private_certificate.certificate_id
key_vault_private_certificate_id = azurerm_key_vault_certificate.kv_certificate.secret_id
ssl_certificate_name = local.agw_certificate_name
agw_time_sleep = module.agw_time_sleep.id
frontend_ports = [
{
name = "myFrontendPort"
port = 443
}
]
http_listeners = [
{
name = "devListener"
frontend_ip_configuration = local.frontend_ip_configuration_name
frontend_port_name = "myFrontendPort"
protocol = "Https"
hostname = "xxxxxxxxxxxxx.be"
ssl_certificate_name = local.agw_certificate_name
}
]
}
The key_vault resource is:
resource "azurerm_key_vault" "kv" {
name = var.key_vault_name
location = var.resource_group_location
resource_group_name = var.resource_group_name
enabled_for_disk_encryption = true
tenant_id = var.tenant_id
soft_delete_retention_days = var.soft_delete_retention_days
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = var.tenant_id
object_id = var.object_id
key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", ]
secret_permissions = ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore", "Purge"]
storage_permissions = ["Get", "Set", "Delete", "Recover", "Backup", "Restore"]
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Purge"]
}
lifecycle {
ignore_changes = [access_policy]
}
}
The key_vault_certificate resource is:
resource "azurerm_key_vault_certificate" "kv_certificate" {
name = var.certificate_name
key_vault_id = var.key_vault_id
certificate {
contents = filebase64(var.certificate_path)
password = var.certificate_password
}
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = false
}
secret_properties {
content_type = "application/x-pkcs12"
}
}
}
The application gateway resource is (omitting useless information):
resource "azurerm_application_gateway" "app_gw" {
name = var.application_gateway_name
resource_group_name = var.resource_group_name
location = var.resource_group_location
identity {
type = "UserAssigned"
identity_ids = [var.user_assigned_identity_id]
}
ssl_certificate {
name = var.ssl_certificate_name
key_vault_secret_id = var.key_vault_private_certificate_id
}
dynamic "http_listener" {
for_each = var.http_listeners
content {
name = http_listener.value.name
frontend_ip_configuration_name = http_listener.value.frontend_ip_configuration
frontend_port_name = http_listener.value.frontend_port_name
protocol = http_listener.value.protocol
host_name = http_listener.value.hostname
firewall_policy_id = var.firewall_policy_id
ssl_certificate_name = http_listener.value.ssl_certificate_name
}
}
depends_on = [var.agw_time_sleep]
}
The error that I get when I use the command terraform plan -var-file="variables.tfvars" is:
Error: expected "access_policy.0.object_id" to be a valid UUID, got /subscriptions/xxxxxxxx/resourceGroups/xxxxxxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/agw-user-signed-id
│
│ with azurerm_key_vault.kv,
│ on main.tf line 344, in resource "azurerm_key_vault" "kv":
│ 344: object_id = module.agw_user_assigned_identity.id
Apparently seems that the problem is related to the object_id that I specify in the key_vault, but I don't know how to solve it.

Error Explanation
Error: expected "access_policy.0.object_id" to be a valid UUID .......
with azurerm_key_vault.kv,
│ on main.tf line 344, in resource "azurerm_key_vault" "kv":
│ 344: object_id = module.agw_user_assigned_identity.id
This means that in your resource azurerm_key_vault in the access_policy block the object_id attribute is getting the incorrect value more simply the incorrect value that azure API accepts for it.
It expects the principal_id output from the azurerm_user_assigned_identity resource in spite of id.
in azure id would be the URI of the resource itself in azure namespaces /subscriptions/<sub-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<resource-name>
So you need principal_id output in your module module.agw_user_assigned_identity and then use it in your key_vault module as follows
Terraform code
## inside module.agw_user_assigned_identity add an output , ignore if already exists
output "principal_id" {
value = azurerm_user_assigned_identity.base.principal_id
description = "Set accordingly or from terraform documentation"
}
## then use the above the output in key_vault module
module "key_vault" {
source = "../modules/resources/key_vault"
key_vault_name = local.key_vault_name
resource_group_location = module.resource_group.location
resource_group_name = module.resource_group.name
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = module.agw_user_assigned_identity.principal_id
soft_delete_retention_days = 90
log_analytics_workspace_id = module.log_analytics_workspace.id
enable_diagnostic_setting = true
}
That will solve the above error message.

Azure synapse linked service for Azure Function in Terraform

I'm writing a terraform script to create a azure synapse workspace.
I've created a linked service for Azure Function but I'm unable to use it in pipeline, where it gives me an error of missing function key.
This is what i'm using now. I'm sure the problem is in the type_properties_json parameter.
resource "azurerm_synapse_linked_service" "FunctionName" {
name = "FunctionName"
synapse_workspace_id = azurerm_synapse_workspace.synapse.id
type = "AzureFunction"
type_properties_json = <<JSON
{
"functionAppUrl": "https://${data.azurerm_function_app.FunctionName.default_hostname}",
"authentication": "Anonymous",
"functionKey": "${data.azurerm_function_app_host_keys.FunctionName.default_function_key}"
}
JSON
depends_on = [
azurerm_synapse_firewall_rule.allowAll,
data.azurerm_function_app.FunctionName,
data.azurerm_function_app_host_keys.FunctionName
]
}
And this does create a linked service but when i use it in a pipeline, the run fails with the error
Azure function activity missing function key.
It appears to me after checking the output for azurerm_function_app there is no export for connectionString.

I tried to reproduce the scenario in my environment.
Tried below code:
resource "azurerm_synapse_linked_service" "example" {
name = "kavya-fnapplinked"
synapse_workspace_id = azurerm_synapse_workspace.example.id
type = "AzureFunction"
type_properties_json = <<JSON
{
"functionAppUrl": "https://${data.azurerm_function_app.example.default_hostname}",
"authentication": "Anonymous",
"functionKey": "${data.azurerm_function_app_host_keys.example.default_function_key}"
}
JSON
depends_on = [
azurerm_synapse_firewall_rule.allowAll,
data.azurerm_function_app.example,
data.azurerm_function_app_host_keys.example
]
}
Got errors due to the json property and function key not being generated as expected as they are not in correct format.
For this ,note two important points:
Function key is only generated after the function app is created first and is a sensitive value.
Json format for sensitive values must be in below format
"secret":
{
"type": "SecureString",
"value": “{value}"
}
I have first stored the function key in keyvalut , so that it takes time to generate and get stored in secret.
Code:
resource "azurerm_role_assignment" "role_assignment" {
scope = azurerm_storage_account.stfn.id
role_definition_name = "Storage Blob Data Owner"
principal_id = data.azurerm_client_config.current.object_id
}
# used Sleep to wait for role assignment to take its time to propagate
resource "time_sleep" "role_assignment_sleep" {
create_duration = "60s"
triggers = {
role_assignment = azurerm_role_assignment.role_assignment.id
}
}
resource "azurerm_storage_data_lake_gen2_filesystem" "example" {
name = "kavdatalakexample123"
storage_account_id = azurerm_storage_account.stfn.id
depends_on = [time_sleep.role_assignment_sleep]
}
resource "azurerm_synapse_workspace" "example" {
name = "exmple-workspace"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_storage_account.example.location
storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
sql_administrator_login = "sqladminuser"
sql_administrator_login_password = "H#Sh1CoR3!"
managed_virtual_network_enabled = true
identity {
type = "SystemAssigned"
}
}
resource "azurerm_synapse_firewall_rule" "allowAll" {
name = "allowAll"
synapse_workspace_id = azurerm_synapse_workspace.example.id
start_ip_address = "0.0.0.0"
end_ip_address = "255.255.255.255"
}
resource "azurerm_storage_account" "stfn" {
name = "kaexpleaccforfunct"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_storage_account.example.location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_app_service_plan" "example" {
name = "exm-kavya-app-service-plan"
resource_group_name = data.azurerm_resource_group.example.name
location =data.azurerm_storage_account.example.location
kind = "FunctionApp"
sku {
tier = "Dynamic"
size = "Y1"
}
}
resource "azurerm_function_app" "example" {
name = "exm-kavya-function-app"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
// storage_connection_string = azurerm_storage_account.stfn.primary_connection_string
storage_account_name = azurerm_storage_account.stfn.name
storage_account_access_key = azurerm_storage_account.stfn.primary_access_key
app_service_plan_id = azurerm_app_service_plan.example.id
}
data "azurerm_function_app_host_keys" "example" {
resource_group_name = data.azurerm_resource_group.example.name
name= azurerm_function_app.example.name
}
output "function_key" {
value = data.azurerm_function_app_host_keys.example.default_function_key
sensitive = true
}
output "function_appurl" {
value = "https://${azurerm_function_app.example.default_hostname}"
}
resource "azurerm_key_vault" "example" {
name = "kavyaexamplekeyvault"
location = data.azurerm_resource_group.example.location
resource_group_name = data.azurerm_resource_group.example.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Create",
"Get",
]
secret_permissions = [
"Set",
"Get",
"Delete",
"Purge",
"Recover",
"List"
]
storage_permissions = [
"Get","Set"
]
}
}
resource "azurerm_key_vault_secret" "example" {
name = "functionkey"
value = data.azurerm_function_app_host_keys.example.default_function_key
key_vault_id = azurerm_key_vault.example.id
}
resource "azurerm_synapse_linked_service" "example" {
name = "kav-fnapplinked"
synapse_workspace_id = azurerm_synapse_workspace.example.id
type = "AzureFunction"
type_properties_json = <<JSON
{
"functionAppUrl": "https://${azurerm_function_app.example.default_hostname}",
"authentication": "Anonymous",
"functionKey":
{
"type": "SecureString",
"value": "${azurerm_key_vault_secret.example.value}"
}
"authentication": "Anonymous",
"functionKey":
{
"type": "SecureString",
"value": "${azurerm_key_vault_secret.example.value}"
}
}
JSON
depends_on = [
azurerm_synapse_firewall_rule.allowAll,
azurerm_function_app.example,
data.azurerm_function_app_host_keys.example
]
}
With abovecode I could successfully, create linked service.
Linked service for azure synapse workspace:
Reference: azure - Terraform issue creating the resource "azurerm_synapse_linked_service" specifically with the "type_properties_json" field - Stack Overflow

Terraform Azure Application Gateway does not have secrets get permission on key vault

I am trying to terraform the provision of azure application gateway with trusted_root_certificates certificates in a key vault. But I am getting the following error:
"message":"The user, group or application 'name=Microsoft.Network/applicationGateways;appid=some-id;iss=https://sts.windows.net/xxx-xxx/' does not have secrets get permission on key vault 'jana-kv-ssi-test;location=australiaeast'.
And here's my terrafom code:
module "cert-kv" {
source = "./modules/kv"
resource_group_name = var.resource_group_name
project = var.project
location = var.location
environment = var.environment
default_tags = var.default_tags
kv_sku = var.kv_sku
kv_name = var.kv_name
kv_key_permissions = var.kv_key_permissions
kv_secret_permissions = var.kv_secret_permissions
kv_storage_permissions = var.kv_storage_permissions
certificate_permissions = var.certificate_permissions
cert_name = var.cert_name
local_cert_path = var.local_cert_path
local_cert_password = var.local_cert_password
root_cert_name = var.root_cert_name
root_cert_local_cert_path = var.root_cert_local_cert_path
root_cert_local_cert_password = var.root_cert_local_cert_password
}
module "app-gateway" {
source = "./modules/app_gateway"
resource_group_name = var.resource_group_name
environment = var.environment
default_tags = var.default_tags
project = var.project
location = var.location
gw_sku_name = var.gw_sku_name
gw_tier = var.gw_tier
frontend_port_settings = var.frontend_port_settings
autoscale_configuration_max_capacity = var.autoscale_configuration_max_capacity
appgw_zones = var.appgw_zones
appgw_private_ip = var.appgw_private_ip
appgw_subnet_id = module.application-subnets.app_subnet_id
cipher_suites = var.cipher_suites
tls_version = var.tls_version
appgw_backend_pools = var.appgw_backend_pools
appgw_backend_http_settings = var.appgw_backend_http_settings
appgw_http_listeners = var.appgw_http_listeners
ssl_certificates_configs = var.ssl_certificates_configs
appgw_routings = var.appgw_routings
appgw_redirect_configuration = var.appgw_redirect_configuration
gw_key_vault_id = module.cert-kv.keyvault_id # var.gw_key_vault_id
health_probe_config = var.health_probe_config
kv_secret_id_for_root_cert = module.cert-kv.root_secret_id
kv_secret_name_for_root_cert = var.root_cert_name
depends_on = [module.application-subnets, module.cert-kv]
}
And here are the resource files for above modules.
# key-vault
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "cert_kv" {
name = join("-", [var.project, var.environment, var.kv_name])
location = var.location
resource_group_name = var.resource_group_name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = var.kv_sku
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = var.kv_key_permissions
secret_permissions = var.kv_secret_permissions
storage_permissions = var.kv_storage_permissions
certificate_permissions = var.certificate_permissions
}
tags = var.default_tags
}
resource "azurerm_key_vault_certificate" "certs" {
name = var.cert_name
key_vault_id = azurerm_key_vault.cert_kv.id
certificate {
contents = filebase64(var.local_cert_path)
password = var.local_cert_password
}
}
resource "azurerm_key_vault_certificate" "root_cert" {
name = var.root_cert_name
key_vault_id = azurerm_key_vault.cert_kv.id
certificate {
contents = filebase64(var.root_cert_local_cert_path)
password = var.root_cert_local_cert_password
}
}
resource "azurerm_user_assigned_identity" "key_vault_read" {
resource_group_name = var.resource_group_name
location = var.location
name = join("-", [var.project, var.environment, "key_vault_read_permission"])
}
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault_access_policy" "key_vault_role_policy" {
key_vault_id = var.gw_key_vault_id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_user_assigned_identity.key_vault_read.principal_id
key_permissions = [
"Get","List",
]
secret_permissions = [
"Get","List",
]
}
# app-gw
resource "azurerm_application_gateway" "application-gateway" {
name = join("-", [var.project, var.environment, "app-gateway"])
location = var.location
resource_group_name = var.resource_group_name
tags = var.default_tags
sku {
name = var.gw_sku_name
tier = var.gw_tier
}
. . .
trusted_root_certificate {
name = var.kv_secret_name_for_root_cert
key_vault_secret_id = var.kv_secret_id_for_root_cert
}
. . .
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.key_vault_read.id]
}
lifecycle {
ignore_changes = [
url_path_map,
request_routing_rule
]
}
}
Can someone please help me?

Deploy Azure Key Vault + Windows VM using Terraform

I'm trying to deploy infrastructure using Terraform.
My intention is to deploy a VM with a WinRM listener and for this reason, I need to use a certificate.
I first deploy a Key vault in which I put the certificate and then I retrieve the certificate from the Vault to register it into the Virtual Machine.
###############################################################################################################
# PROVIDERS
###############################################################################################################
provider "azurerm" {
features {}
}
###############################################################################################################
# RESOURCES
###############################################################################################################
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "rg" {
name = "runner"
location = "West Europe"
}
resource "azurerm_key_vault" "testrunnerkeyvault" {
name = "test-runner-keyvault"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"create",
"delete",
"deleteissuers",
"get",
"getissuers",
"import",
"list",
"listissuers",
"managecontacts",
"manageissuers",
"purge",
"recover",
"setissuers",
"update",
]
key_permissions = [
"backup",
"create",
"decrypt",
"delete",
"encrypt",
"get",
"import",
"list",
"purge",
"recover",
"restore",
"sign",
"unwrapKey",
"update",
"verify",
"wrapKey",
]
secret_permissions = [
"backup",
"delete",
"get",
"list",
"purge",
"recover",
"restore",
"set",
]
storage_permissions = [
"Backup",
"Delete",
"DeleteSAS",
"Get",
"GetSAS",
"List",
"ListSAS",
"Purge",
"Recover",
"RegenerateKey",
"Restore",
"Set",
"SetSAS",
"Update"
]
}
}
resource "azurerm_key_vault_certificate" "testrunnercertificate" {
name = "test-winrm-cert"
key_vault_id = azurerm_key_vault.testrunnerkeyvault.id
certificate {
contents = filebase64("files/winrm_cert.pfx")
password = "*********"
}
}
resource "azurerm_virtual_network" "vn" {
name = "runner_vn"
address_space = ["10.0.0.0/8"]
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_subnet" "subnet" {
name = "runner_subnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vn.name
address_prefixes = ["10.0.1.0/24"]
}
resource "azurerm_network_security_group" "nsg" {
name = "Runner-Security-Group"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
tags = {
environment = "Test"
}
}
resource "azurerm_network_security_rule" "ssh-rule" {
name = "SSH"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.rg.name
network_security_group_name = azurerm_network_security_group.nsg.name
}
resource "azurerm_network_security_rule" "winrm-https-rule" {
name = "WinRM-Https"
priority = 300
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "5986"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.rg.name
network_security_group_name = azurerm_network_security_group.nsg.name
}
resource "azurerm_network_security_rule" "winrm-http-rule" {
name = "WinRM-Http"
priority = 301
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "5985"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.rg.name
network_security_group_name = azurerm_network_security_group.nsg.name
}
resource "azurerm_network_security_rule" "rdp-rule" {
name = "RDP"
priority = 302
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "3389"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.rg.name
network_security_group_name = azurerm_network_security_group.nsg.name
}
resource "azurerm_subnet_network_security_group_association" "secgroup-assoc" {
subnet_id = azurerm_subnet.subnet.id
network_security_group_id = azurerm_network_security_group.nsg.id
}
resource "azurerm_public_ip" "runner_public_ip" {
name = "runner-ip"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
allocation_method = "Dynamic"
sku = "Basic"
}
resource "azurerm_network_interface" "network_interface" {
name = "runner-network-interface"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
internal_dns_name_label = "runnertest"
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.subnet.id
private_ip_address_allocation = "static"
private_ip_address = "10.0.1.5"
public_ip_address_id = azurerm_public_ip.runner_public_ip.id
}
}
resource "azurerm_network_interface_security_group_association" "nisecuritygroup" {
network_interface_id = azurerm_network_interface.network_interface.id
network_security_group_id = azurerm_network_security_group.nsg.id
}
resource "azurerm_windows_virtual_machine" "runner" {
name = "runner"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
size = "Standard_B2s"
admin_username = "******"
admin_password = "******"
network_interface_ids = [azurerm_network_interface.network_interface.id]
secret {
certificate {
store = "/CurrentUser/My"
url = azurerm_key_vault_certificate.testrunnercertificate.secret_id
}
key_vault_id = azurerm_key_vault.testrunnerkeyvault.id
}
winrm_listener {
protocol = "Https"
certificate_url = azurerm_key_vault_certificate.testrunnercertificate.secret_id
}
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
disk_size_gb = 64
}
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2022-datacenter-azure-edition-smalldisk"
version = "latest"
}
}
data "azurerm_public_ip" "runner-ip" {
name = azurerm_public_ip.runner_public_ip.name
resource_group_name = azurerm_windows_virtual_machine.runner.resource_group_name
depends_on = [azurerm_windows_virtual_machine.runner]
}
output "public_ip_address" {
value = data.azurerm_public_ip.runner-ip.ip_address
}
During the deployment of the virtual machine I receive the following error:
Error: waiting for creation of Windows Virtual Machine "runner" (Resource Group "runner"):
Code="KeyVaultAccessForbidden" Message="Key Vault
https://test-runner-keyvault.vault.azure.net/secrets/test-winrm-cert/23e7d5ab76914841b2c6e58d1e68b9b1 either has not been enabled for deployment or the vault id provided, /subscriptions/<subscriptionid>/resourceGroups/runner/providers/Microsoft.KeyVault/vaults/test-runner-keyvault, does not match the Key Vault's true resource id."
│
│ with azurerm_windows_virtual_machine.runner,
│ on main.tf line 224, in resource "azurerm_windows_virtual_machine" "runner":
│ 224: resource "azurerm_windows_virtual_machine" "runner" {

You need to switch to true the following optional params (in your key-vault resource) :
enabled_for_deployment - (Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
found here : https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#argument-reference

terraform on azure - create keyvault with private connection

Would like to get some pointers on setting up a key vault with a private connection. Looking at the examples on the TF site and other sites I put this together but it crashes.
In short, it creates the KV, assigns some policies, and then creates the private link which is in turn associated with the service endpoint. Any help would be greatly appreciated.
locals {
prefix = "kv01am"
}
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "sandbox" {
name = "${local.prefix}-KV"
location = "eastus2"
resource_group_name = "rg-hsc-uscodappname01-137941ad"
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
# soft_delete_enabled = true
# purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"get",
]
secret_permissions = [
"get",
]
storage_permissions = [
"get",
]
}
network_acls {
default_action = "Deny"
bypass = "AzureServices"
}
}
resource "azurerm_private_link_service" "example" {
name = "kv-privatelink"
location = "eastus2"
resource_group_name = "rg-hsc-uscodappname01-137941ad"
nat_ip_configuration {
name = azurerm_public_ip.example.name
primary = true
subnet_id = "zzzzzzzzzzzzzzzzzzzzzzzz"
}
}
resource "azurerm_private_endpoint" "sandbox_kv" {
name = azurerm_key_vault.sandbox.name
location = "eastus2"
resource_group_name = "rg-hsc-uscodappname01-137941ad"
#subnet_id = azurerm_subnet.sandbox["PrivateLink"].id
subnet_id = "zzzzzzzzzzzzzzzz"
private_service_connection {
name = azurerm_key_vault.sandbox.name
private_connection_resource_id = azurerm_key_vault.sandbox.id
is_manual_connection = false
subresource_names = ["Vault"]
}
}

Instead of creating dns record "manually" you could have a private_dns_zone_group declared.
# ============PrivateLink==========================
resource "azurerm_private_endpoint" "pe_kv" {
name = format("pe-2%s", var.name)
location = data.azurerm_resource_group.main.location
resource_group_name = data.azurerm_resource_group.main.name
subnet_id = data.azurerm_subnet.main.id
private_dns_zone_group {
name = "privatednszonegroup"
private_dns_zone_ids = [azurerm_private_dns_zone.main.id]
}
private_service_connection {
name = format("pse-2%s", var.name)
private_connection_resource_id = azurerm_key_vault.main.id
is_manual_connection = false
subresource_names = ["Vault"]
}
}
resource "azurerm_private_dns_zone" "main" {
name = "privatelink.vaultcore.azure.net"
resource_group_name = data.azurerm_resource_group.main.name
}

This is what I ended up doing. Could not find a good way to derive the ip address for the private link endpoint so I just hard coded it, if someone has a better way to handle this that would be great, not too much literature on that subject. Also, added a section to register the A record in private DNS but beware this creates a DNS Private zone in the same subnet as the kv.
data "azurerm_resource_group" "main" {
name = var.resource_group_name
}
data "azurerm_subnet" "main" {
name = var.virtual_network_subnet_name
virtual_network_name = var.virtual_network_name
resource_group_name = var.vnet_resource_group_name
}
data "azurerm_client_config" "main" {}
resource "azurerm_key_vault" "main" {
name = var.name
location = data.azurerm_resource_group.main.location
resource_group_name = data.azurerm_resource_group.main.name
tenant_id = data.azurerm_client_config.main.tenant_id
enabled_for_deployment = var.enabled_for_deployment
enabled_for_disk_encryption = var.enabled_for_disk_encryption
enabled_for_template_deployment = var.enabled_for_template_deployment
# soft_delete_enabled = false
# purge_protection_enabled = false
sku_name = var.sku
network_acls {
default_action = "Deny"
bypass = "AzureServices"
# ip_rules = var.ip_rules
}
# ============PrivateLink==========================
resource "azurerm_private_endpoint" "pe_kv" {
name = format("pe-2%s", var.name)
location = data.azurerm_resource_group.main.location
resource_group_name = data.azurerm_resource_group.main.name
subnet_id = data.azurerm_subnet.main.id
private_service_connection {
name = format("pse-2%s", var.name)
private_connection_resource_id = azurerm_key_vault.main.id
is_manual_connection = false
subresource_names = ["Vault"]
}
}
resource "azurerm_private_dns_zone" "main" {
name = "privatelink.vaultcore.azure.net"
resource_group_name = data.azurerm_resource_group.main.name
}
resource "azurerm_private_dns_a_record" "pe_kv" {
name = var.name
zone_name = azurerm_private_dns_zone.main.name
resource_group_name = data.azurerm_resource_group.main.name
ttl = 300
records = ["1.2.3.4"]
}
output kv_private_ip {
value = ["1.2.3.4"]
}

This is how I get fqdn and private IP:
resource "azurerm_private_endpoint" "private_endpoint" {
count = var.private_link_subnet != null ? 1 : 0
name = "${var.private_link_subnet.virtual_network_name}-${var.name}"
location = var.location
resource_group_name = var.resource_group
subnet_id = var.private_link_subnet.id
private_service_connection {
is_manual_connection = false
name = "${var.private_link_subnet.virtual_network_name}-${var.name}"
private_connection_resource_id = azurerm_key_vault.vault.id
subresource_names = ["vault"]
}
lifecycle { ignore_changes = [tags] }
}
resource "null_resource" "dns_update" {
triggers = {
priv_fqdn = "${azurerm_private_endpoint.private_endpoint[0].custom_dns_configs[0].fqdn}"
priv_ip = "${azurerm_private_endpoint.private_endpoint[0].custom_dns_configs[0].ip_addresses[0]}"
}
provisioner "local-exec" {
when = destroy
command = <<EOF
echo ${self.triggers.priv_fqdn}
bash ${path.module}/dns_update.sh destroy ${self.triggers.priv_fqdn}
EOF
}
provisioner "local-exec" {
command = <<EOF
echo ${self.triggers.priv_fqdn}
echo ${self.triggers.priv_ip}
bash ${path.module}/dns_update.sh apply ${self.triggers.priv_fqdn} ${self.triggers.priv_ip}
bash ${path.module}/dns_update.sh get ${self.triggers.priv_fqdn}
EOF
}
}
then I have:
self.triggers.priv_fqdn >> szp.vaultcore.azure.net
self.triggers.priv_ip >> 10.10.8.205