Develop Reference

Certificate access error during Terraform plan

I think I'm in a bit of a chicken and egg situation, where I need to declare a certificate resource for our application gateway, but our app principal that runs Terraform in our pipeline doesn't have permissions until after applying is complete. Basically, the service principal cannot access certificates during planning, so planning never completes, and apply can't run because there is no plan file output.
Is there any way around this besides manually configuring permissions in the UI?
The access policy does include "Get" permissions for the certificate
Key Vault
resource "azurerm_key_vault" "web" {
name = lower(format("az-kv-web-%s-%s-%s", var.instance.environment, var.instance.az-region, var.instance.serial))
location = azurerm_resource_group.web.location
resource_group_name = azurerm_resource_group.web.name
sku_name = var.instance.key-vault.sku-name
# Azure AD tenant
tenant_id = var.instance.aad-tenant-id
dynamic "access_policy" {
for_each = var.instance.key-vault.access
content {
tenant_id = var.instance.aad-tenant-id
object_id = access_policy.value.object-id
certificate_permissions = access_policy.value.cert-permissions
key_permissions = access_policy.value.key-permissions
secret_permissions = access_policy.value.secret-permissions
storage_permissions = access_policy.value.storage-permissions
}
}
}
Certificate
data "azurerm_key_vault_certificate" "gateway" {
name = var.gateway.certificate-name
key_vault_id = var.key-vault.id
}
Error
╷
│ Error: reading Key Vault Certificate: keyvault.BaseClient#GetCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;oid=***;numgroups=3;iss=https://sts.windows.net/***/' does not have certificates get permission on key vault 'az-kv-web-dev-eastus-001;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
│
│ with module.web["001"].module.app-gateway.data.azurerm_key_vault_certificate.gateway,
│ on modules\app-gateway\main.tf line 123, in data "azurerm_key_vault_certificate" "gateway":
│ 123: data "azurerm_key_vault_certificate" "gateway" {
│
╵

To create certificate and access it , I used below code:
gave terraform plan and terraform apply
code:
data "azurerm_subscription" "current" {}
resource "azuread_application" "example" {
display_name = "newexample"
// identifier_uris = ["https://kavyaexample.com"]
owners = [data.azuread_client_config.current.object_id]
sign_in_audience = "AzureADMultipleOrgs"
api {
mapped_claims_enabled = true
requested_access_token_version = 2
oauth2_permission_scope {
admin_consent_description = "Allow the application to access example on behalf of the signed-in user."
admin_consent_display_name = "Access example"
enabled = true
id = "96183846-204b-4b43-82e1-5d2222eb4b9b"
type = "User"
user_consent_description = "Allow the application to access example on your behalf."
user_consent_display_name = "Access example"
value = "user_impersonation"
}
oauth2_permission_scope {
admin_consent_description = "Administer the example application"
admin_consent_display_name = "Administer"
enabled = true
id = "be98fa3e-ab5b-4b11-83d9-04ba2b7946bc"
type = "Admin"
value = "administer"
}
}
app_role {
allowed_member_types = ["User", "Application"]
description = "Admins can manage roles and perform all task actions"
display_name = "Admin"
enabled = true
id = "1b19509b-32b1-4e9f-b71d-4992aa991967"
value = "admin"
}
app_role {
allowed_member_types = ["User"]
description = "ReadOnly roles have limited query access"
display_name = "ReadOnly"
enabled = true
id = "497406e4-012a-4267-bf18-45a1cb148a01"
value = "User"
}
feature_tags {
enterprise = true
gallery = true
}
optional_claims {
access_token {
name = "myclaim"
}
access_token {
name = "otherclaim"
}
id_token {
name = "userclaim"
source = "user"
essential = true
additional_properties = ["emit_as_roles"]
}
saml2_token {
name = "samlexample"
}
}
required_resource_access {
resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
resource_access {
id = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
type = "Role"
}
resource_access {
id = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
type = "Scope"
}
}
required_resource_access {
resource_app_id = "c5393580-f805-4401-95e8-94b7a6ef2fc2" # Office 365 Management
resource_access {
id = "594c1fb6-4f81-4475-ae41-0c394909246c" # ActivityFeed.Read
type = "Role"
}
}
web {
homepage_url = "https://app.example.net"
logout_url = "https://app.example.net/logout"
redirect_uris = ["https://app.example.net/account"]
implicit_grant {
access_token_issuance_enabled = true
id_token_issuance_enabled = true
}
}
}
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
/*
resource "azurerm_role_assignment" "example" {
scope = "/subscriptions/f10a5570-53f3-473f-9c2f-bd0ee87ca71c/resourceGroups/v-sakavya-Mindtree"
role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
principal_id = azuread_service_principal.example.object_id
}
*/
resource "azurerm_key_vault" "example" {
name = "kavyaexmplkeyvault"
location = data.azurerm_resource_group.example.location
resource_group_name = data.azurerm_resource_group.example.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
//object_id= azuread_service_principal.example.object_id
certificate_permissions = [
"Create",
"Delete",
"DeleteIssuers",
"Get",
"GetIssuers",
"Import",
"List",
"ListIssuers",
"ManageContacts",
"ManageIssuers",
"Purge",
"SetIssuers",
"Update",
]
key_permissions = [
"Backup",
"Create",
"Decrypt",
"Delete",
"Encrypt",
"Get",
"Import",
"List",
"Purge",
"Recover",
"Restore",
"Sign",
"UnwrapKey",
"Update",
"Verify",
"WrapKey",
]
secret_permissions = [
"Backup",
"Delete",
"Get",
"List",
"Purge",
"Recover",
"Restore",
"Set",
]
storage_permissions = [
"Get","Set"
]
}
}
resource "tls_private_key" "example" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "azurerm_key_vault_certificate" "example" {
name = "kavya-cert"
key_vault_id = azurerm_key_vault.example.id
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"cRLSign",
"dataEncipherment",
"digitalSignature",
"keyAgreement",
"keyCertSign",
"keyEncipherment",
]
subject_alternative_names {
dns_names = ["internal.contoso.com", "domain.hello.world"]
}
subject = "CN=hello-world"
validity_in_months = 12
}
}
}
resource "azuread_application_certificate" "example" {
application_object_id = azuread_application.example.id
type = "AsymmetricX509Cert"
encoding = "hex"
value = azurerm_key_vault_certificate.example.certificate_data
//end_date = azurerm_key_vault_certificate.example.certificate_attribute[0].expires
//start_date = azurerm_key_vault_certificate.example.certificate_attribute[0].not_before
}
As the service principal got the certificate get, list , create and delete access privileges.
But when I tried removing this access policy to the service principal , I got similar error
resource "azurerm_key_vault" "example" {
name = "kavyaexmplkeyvault"
location = data.azurerm_resource_group.example.location
resource_group_name = data.azurerm_resource_group.example.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
// object_id = data.azurerm_client_config.current.object_id
object_id= azuread_service_principal.example.object_id
certificate_permissions = [
"Create",
"Delete",
"DeleteIssuers",
"Get",
"GetIssuers",
"Import",
"List",
"ListIssuers",
"ManageContacts",
"ManageIssuers",
"Purge",
"SetIssuers",
"Update",
]
key_permissions = [
"Backup",
"Create",
"Decrypt",
"Delete",
"Encrypt",
"Get",
"Import",
"List",
"Purge",
"Recover",
"Restore",
"Sign",
"UnwrapKey",
"Update",
"Verify",
"WrapKey",
]
secret_permissions = [
"Backup",
"Delete",
"Get",
"List",
"Purge",
"Recover",
"Restore",
"Set",
]
storage_permissions = [
"Get","Set"
]
}
}
Error:
Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;oid=***;numgroups=3;iss=https://sts.windows.net/***/' does not have certificates get permission on key vault
Then I tried to create it again with the servicepricipal giving access policies .
But still faced same error .
Then I destroyed the files but no change as it is stored in the backend and the certificate privileges cant be changes unless we have access.
Instead I have changed the keyvault name and certificate name in terraform.
Deleted the existing certificate in azure ad app.
And then created and run terraform plan and terraform apply .
Direct terraform apply also worked with the above starting code.
And it created the service principal access policies.
Certificate retrieved in azure ad application.

How do I prevent Terraform from destroying the virtual machine after changing keyvault or change of vm credentials?

I'm trying to change the keyvault used by my virtual machine in terraform. When I trying to apply the changes, Terraform then tried to replace the virtual machine with the new key vault. How do I just change the keyvault used by the vm or change the creds in terraform without destroying the virtual machine ?
I tried to use lifecyle (prevent_destroy = true) but it then fails showing this message
`> Error: Instance cannot be destroyed
on .terraform\modules\avd_vm\Modules\AVD_VM\main.tf line 388:
388: resource "azurerm_windows_virtual_machine" "acumen_vm_kv" {
Resource module.avd_vm.azurerm_windows_virtual_machine.acumen_vm_kv has
lifecycle.prevent_destroy set, but the plan calls for this resource to be
destroyed. To avoid this error and continue with the plan, either disable
lifecycle.prevent_destroy or reduce the scope of the plan using the -target
flag.`

I tried to reproduce the same from my end.
Received same error:
Resource vmpassword has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue
│ with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag
Note: If you are trying to have two different Key Vaults for VM,
it would be better to use another resource block for new keyvault.
resource "azurerm_key_vault_secret" "vmpassword" {
name = "vmpassword"
value = random_password.vmpassword.result
key_vault_id = azurerm_key_vault.kv1.id
depends_on = [ azurerm_key_vault.kv1 ]
lifecycle {
prevent_destroy = true
}
}
resource "azurerm_key_vault" "kv2" {
name = "kavy-newkv2"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Get","Create", "Decrypt", "Delete", "Encrypt", "Update"
]
secret_permissions = [
"Get", "Backup", "Delete", "List", "Purge", "Recover", "Restore", "Set",
]
storage_permissions = [
"Get", "Restore","Set"
]
}
}
resource "azurerm_key_vault_secret" "vmpassword" {
name = "vmpassword"
value = random_password.vmpassword.result
key_vault_id = azurerm_key_vault.kv1.id
depends_on = [ azurerm_key_vault.kv1 ]
}
import each resource manually to show in your state file. Terraform tracks each resource individually.
You can ignore changes in vm ,if required
lifecycle {
ignore_changes = [
tags,
]
}
Reference:
terraform-lifecycle-prevent-destroy | StackOverflow
https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#prevent_destroy

service principal does not have secrets get permission on key vault

I am trying to create a keyvault on Azure using Terraform which is performed by my service principal user:
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "key_vault" {
name = "${var.project_name}-keyvault"
location = var.resource_group_location
resource_group_name = var.resource_group_name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
}
resource "azurerm_key_vault_access_policy" "access_policy" {
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"Set", "Get", "Delete", "Purge", "List", ]
}
resource "azurerm_key_vault_secret" "client_id" {
name = "client-id"
value = var.client_id_value
key_vault_id = azurerm_key_vault.key_vault.id
}
resource "azurerm_key_vault_secret" "client_secret" {
name = "client-secret"
value = var.client_secret_value
key_vault_id = azurerm_key_vault.key_vault.id
}
resource "azurerm_key_vault_secret" "subscription_id" {
name = "subscription-id"
value = var.subscription_id_value
key_vault_id = azurerm_key_vault.key_vault.id
}
resource "azurerm_key_vault_secret" "tenant_id" {
name = "tenant-id"
value = var.tenant_id_value
key_vault_id = azurerm_key_vault.key_vault.id
}
But i get this error:
Error: checking for presence of existing Secret "client-id" (Key Vault "https://formulaeinsdef-keyvault.vault.azure.net/"): keyvault.BaseClient#GetSecret:
Failure responding to request: StatusCode=403 -- Original Error: autorest/azure:
Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;oid=32d24355-0d93-476d-a775-6882d5a22e0b;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'formulaeinsdef-keyvault;location=westeurope'.
For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
The above code creates the key-vault successfully, but it fails to add the secrets inside it.
My Service Principal user has Contributor role and i think, it should be enough to GET and SET key keys.
I tried to give my service principal the Reader or even Ownerpermission, but it was not helpful.
I also checked this question, but it is not helping me.
I checked the Access Policies tab and i have the permissions to Set, Get, Delete, Purge, List.

Each of the secrets needs an explicit dependency on the access policy. Otherwise, Terraform may attempt to create the secret before creating the access policy.
resource "azurerm_key_vault_secret" "client_id" {
name = "client-id"
value = var.client_id_value
key_vault_id = azurerm_key_vault.key_vault.id
### Explicit dependency
depends_on = [
azurerm_key_vault_access_policy.access_policy
]
}
Alternatively, moving the access policy definition into the key vault block would make the explicit dependencies unnecessary:
resource "azurerm_key_vault" "key_vault" {
# Content omitted for brevity
.
.
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"Set", "Get", "Delete", "Purge", "List", ]
}
}

Gain access to Azure Key Vault from several different principals/users using access policy

I have a terraform code that deploys an Azure key vault using the code:
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "keyvault" {
name = "${local.environment}"
resource_group_name = azurerm_resource_group.rg.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
# List of key permissions...
]
# All permissions listed currently.
secret_permissions = [
# List of secret permissions...
]
storage_permissions = [
# List of storage permissions...
]
}
}
I have a certain code that runs under a different principle that is used when deploying this code. So data.azurerm_client_config.current.object_id (aka: The object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault.) would be different inside that code and the secrets are therefore inaccessible to the code.
How can I amend the access_policy so different users/service principals can access the same data vault simultaneously?

You need to use the azurerm_key_vault_access_policy resource. . So you'd change your code to:
resource "azurerm_key_vault" "keyvault" {....}
//add one of these for each user
resource "azurerm_key_vault_access_policy" "kvapta" {
key_vault_id = azurerm_key_vault.keyvault.id
tenant_id = var.identity.tenant_id
object_id = var.identity.principal_id
certificate_permissions = []
key_permissions = [
]
secret_permissions =[]
storage_permissions = [
]
}

Terraform Azure provider - VM encryption at rest

I'm getting an error while trying to set up a VM with a Key vault. This is part of the code I think is relevant.
resource "azurerm_key_vault_key" "example" {
name = "TF-key-example"
key_vault_id = "${azurerm_key_vault.example.id}"
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
resource "azurerm_disk_encryption_set" "example" {
name = "example-set"
resource_group_name = "${azurerm_resource_group.example.name}"
location = "${azurerm_resource_group.example.location}"
key_vault_key_id = "${azurerm_key_vault_key.example.id}"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_key_vault_access_policy" "disk-encryption" {
key_vault_id = "${azurerm_key_vault.example.id}"
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"create",
"get",
"list",
"wrapkey",
"unwrapkey",
]
secret_permissions = [
"get",
"list",
]
}
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
scope = "${azurerm_key_vault.example.id}"
role_definition_name = "Reader"
principal_id = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}
This is the error I'm getting:
Error: Error creating Linux Virtual Machine "example-vm" (Resource
Group "Encrypt-resources"):
compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request:
StatusCode=400 -- Original Error: Code="KeyVaultAccessForbidden"
Message="Unable to access key vault resource
'https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/*****'
to enable encryption at rest. Please grant get, wrap and unwrap key
permissions to disk encryption set 'example-set'. Please visit
https://aka.ms/keyvaultaccessssecmk for more information."
Where and how should I add the permissions?

As the error print - Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'.
Add the following block:
# grant the Managed Identity of the Disk Encryption Set access to Read Data from Key Vault
resource "azurerm_key_vault_access_policy" "disk-encryption" {
key_vault_id = azurerm_key_vault.example.id
key_permissions = [
"get",
"wrapkey",
"unwrapkey",
]
tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
}
# grant the Managed Identity of the Disk Encryption Set "Reader" access to the Key Vault
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
scope = azurerm_key_vault.example.id
role_definition_name = "Reader"
principal_id = azurerm_disk_encryption_set.example.identity.0.principal_id
}
More about azurerm_key_vault_access_policy and azurerm_role_assignment.
Update-
The issue was related to not specifying the correct object_id.
Later on, The Machine that builds the Terraform missed the SSH file path(e.g -"~/.ssh/id_rsa.pub") .
Fixed by running this command:
ssh-keygen -t rsa -b 4096 -C "your_email#example.com"
After that, the key vault permission was missing access policy to terraform user.
Besides all that, the sequence of the resources was mixed. fixed that to a more logical sequence.
The full and working code can be found here.

As Amit Baranes pointed out, you need to set the access policy for your encryption set.
In your above example you grant your data source client ID access to the key vault by way of access policy. The identity of your encryption set however only gets read to the vault by way of role.
Tucked away here the AzureRM VM resource documentation states:
NOTE: The Disk Encryption Set must have the Reader Role Assignment
scoped on the Key Vault - in addition to an Access Policy to the Key
Vault
You need to make sure you grant the encryption ID both the read role and an access policy.
A possible resulting full block looks like this, where we give your service principal and the identity access to the vault by way of an access policy. We also retain the read role
resource "azurerm_key_vault_key" "example" {
name = "TF-key-example"
key_vault_id = "${azurerm_key_vault.example.id}"
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
resource "azurerm_disk_encryption_set" "example" {
name = "example-set"
resource_group_name = "${azurerm_resource_group.example.name}"
location = "${azurerm_resource_group.example.location}"
key_vault_key_id = "${azurerm_key_vault_key.example.id}"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_key_vault_access_policy" "service-principal" {
key_vault_id = "${azurerm_key_vault.example.id}"
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"create",
"get",
"list",
"wrapkey",
"unwrapkey",
]
secret_permissions = [
"get",
"list",
]
}
resource "azurerm_key_vault_access_policy" "encryption-set" {
key_vault_id = "${azurerm_key_vault.example.id}"
tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
key_permissions = [
"create",
"get",
"list",
"wrapkey",
"unwrapkey",
]
secret_permissions = [
"get",
"list",
]
}
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
scope = "${azurerm_key_vault.example.id}"
role_definition_name = "Reader"
principal_id = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}
You would probably want to reduce the access for the service principal, however i left it as is for now.

I just noticed Reader role is not fit anymore, you now need to use Key Vault Crypto Service Encryption User.
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
scope = "${azurerm_key_vault.example.id}"
role_definition_name = "Key Vault Crypto Service Encryption User"
principal_id = ${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}