I have a simple Terraform config to create a secret in Azure Key Vault.
provider "azurerm" {
  features {}
}

data "azurerm_key_vault" "SomeApp-DEV" {
  name                = "SomeApp-DEV"
  resource_group_name = "SomeApp"
}

resource "azurerm_key_vault_secret" "test-secret" {
  name         = "some-key"
  value        = "test value"
  key_vault_id = data.azurerm_key_vault.SomeApp-DEV
}
After terraform plan I'm getting the following error:
Error: Incorrect attribute value type
on secret.tf line 13, in resource "azurerm_key_vault_secret" "test-secret":
13: key_vault_id = data.azurerm_key_vault.SomeApp-DEV
├────────────────
│ data.azurerm_key_vault.SomeApp-DEV is object with 17 attributes
Inappropriate value for attribute "key_vault_id": string required.
How do I make it work? I don't know what this "object with 17 attributes" message even means.
When you access the exported attribute with the namespace data.<type>.<name>, then you are accessing the entire Map of exported attributes from that data (this is also true of exported attributes for resources). In this situation, you only want the String for the id, whose value is assigned to the key id in the Map of exported attributes:
resource "azurerm_key_vault_secret" "test-secret" {
  name         = "some-key"
  value        = "test value"
  key_vault_id = data.azurerm_key_vault.SomeApp-DEV.id
}
and this will fix your issue.
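A complete configuration built around that fix, added here as an example (it is not the asker's or answerer's code). Besides the `.id` reference it moves the secret value out of the config file into a `sensitive` variable, so the literal is not committed with the `.tf` files; the vault and resource group names are the ones from the question and otherwise assumed.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# The secret value comes from a sensitive variable rather than a literal in
# the config, so it is not committed alongside the .tf files. Terraform still
# records the value in state, so the state backend must be protected.
variable "secret_value" {
  type      = string
  sensitive = true
}

# Vault and resource group names taken from the question (assumed to exist).
data "azurerm_key_vault" "SomeApp-DEV" {
  name                = "SomeApp-DEV"
  resource_group_name = "SomeApp"
}

resource "azurerm_key_vault_secret" "test-secret" {
  name  = "some-key"
  value = var.secret_value

  # The data source is an object with many attributes; key_vault_id needs
  # only its string "id" attribute.
  key_vault_id = data.azurerm_key_vault.SomeApp-DEV.id
}

# Expose a reference to the stored secret, never its value. The versionless id
# keeps consumers pointed at the current version after the secret is rotated.
output "secret_versionless_id" {
  value = azurerm_key_vault_secret.test-secret.versionless_id
}
```

After an apply, `terraform console` makes the difference visible: evaluating `data.azurerm_key_vault.SomeApp-DEV` prints the whole attribute object, while `data.azurerm_key_vault.SomeApp-DEV.id` prints the single string the resource argument expects.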
Related
I'm trying to create an Azure App Configuration service and keys through Terraform, but when I run my Terraform through my pipeline I get an error running terraform plan. This is my tf script for creating the service and keys:
resource "azurerm_app_configuration" "appconf" {
  name                = var.name
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags
  sku                 = "standard"
}

resource "azurerm_app_configuration_key" "MainAPI" {
  configuration_store_id = azurerm_app_configuration.appconf.id
  key                    = "MainAPI"
  value                  = var.picking_api_url
  type                   = "kv"
  label                  = var.environment_name
}

# other keys omitted
This is the error I see:
Error: while parsing resource ID: while parsing resource ID: the number of path segments is not divisible by 2 in "subscriptions/[SubscriptionId]/resourceGroups/[rgName]/providers/Microsoft.AppConfiguration/configurationStores/[AppConfigServiceName]/AppConfigurationKey/MainAPI/Label"
I get this error regardless of whether I explicitly include a label argument for the key in my TF script. I've bumped up my version of the Terraform ARM provider to 2.90 in case it was a bug in the provider, but still get the error.
resource "azurerm_app_configuration_key" depends on azurerm_role_assignment. You need to define a resource for that as well, to assign a role on the app configuration.
The following code from the Hashicorp Terraform documentation for azurerm_app_configuration_key demonstrates how to do this:
# The role assignment below references this data source for the caller's object id.
data "azurerm_client_config" "current" {}

resource "azurerm_role_assignment" "appconf_dataowner" {
  scope                = azurerm_app_configuration.appconf.id
  role_definition_name = "App Configuration Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_app_configuration_key" "test" {
  configuration_store_id = azurerm_app_configuration.appconf.id
  key                    = "appConfKey1"
  label                  = "somelabel"
  value                  = "a test"

  depends_on = [
    azurerm_role_assignment.appconf_dataowner
  ]
}
I've created an AWS Secrets Manager resource and want to access its ARN in the same main.tf file.
This is my Terraform main.tf:
variable "ENV" {}
variable "TAGS" {}
variable "service_name_policy_name" {}

// SECRET MANAGER
resource "aws_secretsmanager_secret" "service_name_sm" {
  name = "service-name-sm-test"
  tags = var.TAGS
}

// POLICY
resource "aws_iam_policy" "service_name_policy" {
  name = "${var.service_name_policy_name}-${var.ENV}"
  path = "/"
  policy = templatefile(
    "${path.module}/templates/${var.service_name_policy_name}.tmpl", {
      secrets_manager_arn = resource.aws_secretsmanager_secret.service_name_sm.arn
  })
}
In the policy I create, I want to use the ARN of the aws_secretsmanager_secret resource I create.
When I run terraform validate I get an error:
A managed resource "resource" "aws_secretsmanager_secret" has not been
declared in service_name.
How can I do that?
You don't need to prefix things with resource. You have to reference it like this: aws_secretsmanager_secret.service_name_sm.
policy = templatefile(
  "${path.module}/templates/${var.service_name_policy_name}.tmpl", {
    secrets_manager_arn = aws_secretsmanager_secret.service_name_sm.arn
})
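A self-contained variant of the same setup, added here as an example rather than taken from the question or answer. It references the secret's ARN with the plain resource address and builds the policy inline with an `aws_iam_policy_document` data source instead of the template file (which is not on this page), so the statement can be scoped to exactly that one secret; the policy name and actions are assumptions for the example.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "ENV" {
  type = string
}

variable "TAGS" {
  type    = map(string)
  default = {}
}

resource "aws_secretsmanager_secret" "service_name_sm" {
  name = "service-name-sm-test"
  tags = var.TAGS
}

# Built inline instead of from a template file so the statement sits next to
# the secret it refers to. Only read access to this one secret's ARN is
# granted; a wildcard resource would expose every secret in the account.
data "aws_iam_policy_document" "service_name_read" {
  statement {
    sid    = "ReadServiceSecret"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    # Plain resource address: managed resources take no "resource." prefix.
    resources = [aws_secretsmanager_secret.service_name_sm.arn]
  }
}

resource "aws_iam_policy" "service_name_policy" {
  name   = "service-name-read-${var.ENV}" # assumed naming scheme
  path   = "/"
  policy = data.aws_iam_policy_document.service_name_read.json
}

output "secret_arn" {
  value = aws_secretsmanager_secret.service_name_sm.arn
}
```

Referencing `.arn` rather than typing the ARN matters here because Secrets Manager appends a random suffix to secret ARNs, so a hand-written ARN in the template would not match the created resource.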
I have recently created a Cosmos database in Terraform and I am trying to pass its database connection string as a secret in Key Vault, but when doing this I get the following error:
Error: Incorrect attribute value type
on keyvault.tf line 282, in resource "azurerm_key_vault_secret" "Authentication_Server_Cosmos_DB_ConnectionString":
282: value = azurerm_cosmosdb_account.nsauthsrvcosmosdb.connection_strings
├────────────────
│ azurerm_cosmosdb_account.nsauthsrvcosmosdb.connection_strings has a sensitive value
Inappropriate value for attribute "value": string required.
I have also tried to use the sensitive argument, but Key Vault does not like that argument. Also, I can't find any documentation on how to do this. On the Terraform website it is just listed as an attribute you can call on.
My Terraform secret code is below. I won't put all my code in here, as Stack Overflow doesn't like the amount of code that I have.
So please presume I am using the latest Azurerm agent and that all the rest of my code is correct; it's just the secret part that's not working.
resource "azurerm_key_vault_secret" "Authentication_Server_Cosmos_DB_ConnectionString" { //Auth Server Cosmos Connection String Secret
  name         = "AuthenticationServerCosmosDBConnectionString"
  value        = azurerm_cosmosdb_account.nsauthsrvcosmosdb.connection_strings
  key_vault_id = azurerm_key_vault.nscsecrets.id

  depends_on = [
    azurerm_key_vault_access_policy.client,
    azurerm_key_vault_access_policy.service_principal,
    azurerm_cosmosdb_account.nsauthsrvcosmosdb,
  ]
}
There are 4 connection strings inside the value that you have given, and the values are of type secure_string. So you need to convert them to a string value and apply an index for the value you want to store in the Key Vault.
For storing all 4 connection strings you can use the below:
resource "azurerm_key_vault_secret" "example" {
  count        = length(azurerm_cosmosdb_account.nsauthsrvcosmosdb.connection_strings)
  name         = "AuthenticationServerCosmosDBConnectionString-${count.index}"
  value        = tostring("${azurerm_cosmosdb_account.nsauthsrvcosmosdb.connection_strings[count.index]}")
  key_vault_id = azurerm_key_vault.example.id
}
If you want to store only one connection string, then you can use the index as per your requirement (for example: if you want to store the first connection_string then use '0' as the index, and likewise 1/2/3) in the below code:
resource "azurerm_key_vault_secret" "example1" {
  name         = "AuthenticationServerCosmosDBConnectionString"
  value        = tostring("${azurerm_cosmosdb_account.nsauthsrvcosmosdb.connection_strings[0]}")
  key_vault_id = azurerm_key_vault.example.id
}
I want to update the details of an expired SP through Terraform. I can regenerate the SP by changing the expiration date for the SP, but the SP details are stored in the Key Vault. So while updating the Key Vault with the same id/secret it errors out. Is there a way to update/delete the Key Vault secret through Terraform?
resource "azurerm_key_vault_secret" "sp_arm_client_id" {
  name         = "ARM-CLIENT-ID"
  value        = az_sp.app_id
  key_vault_id = data.azurerm_key_vault.storable_kvs[each.key].id
}
I tested your scenario in my environment and I was successfully able to make the changes; they got stored in the current version and the previous one was kept as an older version, using the below code:
provider "azuread" {}

provider "azurerm" {
  features {}
}

data "azuread_client_config" "current" {}

data "azuread_application" "appreg" {
  display_name = "ansumanterraformtest"
}

resource "azuread_application_password" "apppass" {
  application_object_id = data.azuread_application.appreg.object_id
  end_date_relative     = "3h"
}

data "azurerm_key_vault" "kv" {
  name                = "kvname"
  resource_group_name = "ansumantest"
}

resource "azurerm_key_vault_secret" "demo_sp_client_id" {
  name         = "demo-sp-client-id"
  value        = data.azuread_application.appreg.application_id
  key_vault_id = data.azurerm_key_vault.kv.id
}

resource "azurerm_key_vault_secret" "demo_sp_client_secret" {
  name         = "demo-sp-client-secret"
  value        = azuread_application_password.apppass.value
  key_vault_id = data.azurerm_key_vault.kv.id
}
Note: You might be getting the error if that secret in the Key Vault was not created from Terraform. If it was created from the portal or any other source, then you have to first import that secret into the Terraform state and then change it, so that Terraform can manage it.
Import command:
terraform import azurerm_key_vault_secret.example "https://example-keyvault.vault.azure.net/secrets/example/fdf067c93bbb4b22bff4d8b7a9a56217"
Reference:
azurerm_key_vault_secret | Resources | hashicorp/azurerm | Terraform Registry
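The answer regenerates the password by editing its expiry by hand. The configuration below, added as an example and not part of the question or answer, takes the same resources and puts the rotation on a schedule, so the expired-credential situation does not arise: it assumes the `hashicorp/time` provider's `time_rotating` resource and the azuread provider's `rotate_when_changed` argument, and the application, vault and resource group names are placeholders.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

data "azuread_application" "appreg" {
  display_name = "example-app-registration" # assumed name
}

data "azurerm_key_vault" "kv" {
  name                = "example-kv" # assumed
  resource_group_name = "example-rg" # assumed
}

# A clock whose id changes every 30 days. Referencing it below makes Terraform
# replace the password on that schedule instead of waiting for it to expire.
resource "time_rotating" "sp_secret" {
  rotation_days = 30
}

resource "azuread_application_password" "apppass" {
  application_object_id = data.azuread_application.appreg.object_id
  end_date_relative     = "1080h" # 45 days: outlives the 30-day rotation window

  rotate_when_changed = {
    rotation = time_rotating.sp_secret.id
  }

  # An app registration can hold several passwords, so the new one is created
  # before the old one is removed and the service keeps a valid credential.
  lifecycle {
    create_before_destroy = true
  }
}

resource "azurerm_key_vault_secret" "demo_sp_client_id" {
  name         = "demo-sp-client-id"
  value        = data.azuread_application.appreg.application_id
  key_vault_id = data.azurerm_key_vault.kv.id
}

# Updating "value" is an in-place change: Key Vault stores the new password as
# the current version and keeps the previous one as an older version.
resource "azurerm_key_vault_secret" "demo_sp_client_secret" {
  name         = "demo-sp-client-secret"
  value        = azuread_application_password.apppass.value
  key_vault_id = data.azurerm_key_vault.kv.id
}
```

If the Key Vault secret already exists but was created outside Terraform, import it first with the `terraform import` command from the answer; otherwise the first apply fails on the name conflict rather than creating a new version.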
I've been trying to split my Terraform code from one large file into separate modules. I keep running into an issue where the following error appears when running terraform plan.
Error: Incorrect attribute value type
on modules/nsg/main.tf line 11, in resource "azurerm_network_security_group" "InternalProdNSGPrivate":
11: resource_group_name = "${module.rg.main-rg-id}"
Inappropriate value for attribute "resource_group_name": string required.
I created an outputs.tf file which has the following:
output "main-rg-id" {
  value = "${azurerm_resource_group.InternalProd}"
}
The main.tf for this module has the following:
module "global_variables" {
  source = "../global_variables"
}

resource "azurerm_resource_group" "InternalProd" {
  name     = "Internal"
  location = "${module.global_variables.location}"
}
In the main.tf file for the NSG I have the following configured:
module "rg" {
  source = "../rg"
}

module "global_variables" {
  source = "../global_variables"
}

resource "azurerm_network_security_group" "InternalProdNSGPrivate" {
  name                = "Internal-NSG"
  location            = "${module.global_variables.location}"
  resource_group_name = "${module.rg.main-rg-id}"
  ....
}
Not sure where I'm going wrong here with the configuration. I tried looking at multiple different resources, blogs, etc., but no luck.
azurerm_resource_group.InternalProd is an object representing the whole of resource "azurerm_resource_group" "InternalProd".
To produce just the id of that object, you can access attribute id like this:
output "main-rg-id" {
  value = azurerm_resource_group.InternalProd.id
}
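The two module files put together, as an added example that is not the asker's or answerer's code. It exposes the resource group's `name` and `location` as outputs alongside the `id`, because the `resource_group_name` argument of `azurerm_network_security_group` takes the group's name string (the `id` is what role-assignment scopes and similar arguments expect); the directory layout follows the question and the remaining NSG arguments are omitted as in the original.

```hcl
# modules/rg/outputs.tf (layout assumed from the question)
output "main-rg-id" {
  value = azurerm_resource_group.InternalProd.id
}

output "main-rg-name" {
  value = azurerm_resource_group.InternalProd.name
}

output "main-rg-location" {
  value = azurerm_resource_group.InternalProd.location
}

# modules/nsg/main.tf
module "rg" {
  source = "../rg"
}

resource "azurerm_network_security_group" "InternalProdNSGPrivate" {
  name = "Internal-NSG"

  # Both outputs are plain strings, so the "string required" error is gone.
  # resource_group_name needs the group's name, not its id.
  resource_group_name = module.rg.main-rg-name

  # Reusing the group's location keeps the NSG co-located with its group.
  location = module.rg.main-rg-location
}
```

Legacy `"${...}"` wrapping around a bare reference is unnecessary in Terraform 0.12 and later; `terraform fmt` rewrites it to the plain expression, and `terraform validate` in the NSG module directory confirms that each output now resolves to a string before a plan runs.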