
Terraform: How to create block with dynamic and static content


For a resource, how can I create a block that has both dynamic and static content? For the example below, all my azure key vaults will have a standard set of access policies, and a few have one or more additional policies. For this test key vault, I want to apply the dynamic block of access policies, as well as add a specific policy unique to this key vault only.

I've tried various ways to combine the two, but no luck.

resource "azurerm_key_vault" "key_vault-test" {
  name                   = "kv-test"
  location               = azurerm_resource_group.rg-webapps.location
  resource_group_name    = azurerm_resource_group.rg-webapps.name
  sku_name               = "standard"
  tenant_id              = data.azurerm_client_config.current.tenant_id

  # Shared policies: one access_policy per entry of var.keyvault_accesspolicies.
  # Every entry reuses the deploying tenant's id; object_id and the three
  # permission lists are read from the map value.
  dynamic "access_policy" {
    for_each = var.keyvault_accesspolicies
    content {
      tenant_id               = data.azurerm_client_config.current.tenant_id
      object_id               = access_policy.value["object_id"]
      certificate_permissions = access_policy.value["certificate_permissions"]
      key_permissions         = access_policy.value["key_permissions"]
      secret_permissions      = access_policy.value["secret_permissions"]
    }
  }

  # Vault-specific policy. This is the part that does not work: access_policy
  # is a nested block, and "access_policy = [ { ... } ]" is attribute syntax,
  # which cannot be combined with the dynamic "access_policy" block above.
  # The fix is the block form, access_policy { ... }, placed next to the
  # dynamic block. The intent here is one extra principal with only "Get"
  # on secrets and no certificate, key or storage permissions.
  access_policy = [
    {
        tenant_id               = data.azurerm_client_config.current.tenant_id
        object_id               = "<some guid>"
        application_id          = ""
        certificate_permissions = []
        key_permissions         = []
        secret_permissions      = [
          "Get"
        ]
        storage_permissions     = []
    }
  ]
}

Solution

  • You are declaring the static access policy the wrong way: `access_policy` is a nested block, not an attribute, so there must be no `= [` after it. Write it as `access_policy { ... }` next to the `dynamic "access_policy"` block; Terraform merges the static block with the ones the `dynamic` block generates. Keep that extra policy as narrow as the question shows it (only `Get` on secrets for the one principal that needs it) rather than copying the shared permission lists.

    I tried the code below and both the static and the dynamic policies were added successfully:

    provider "azurerm" {
        # The azurerm provider requires a features block; nothing is customised here.
        features {}
    }
    
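    variable "keyvault_accesspolicies" {
        # Standard set of principals every vault should trust. The map keys are
        # labels only; each value supplies the object id and the three permission
        # lists that the dynamic "access_policy" block reads.
        description = "Standard Key Vault access policies applied to every vault, keyed by a short label."
        # Type constraint so a missing key (e.g. no key_permissions) fails at
        # plan time with a clear message instead of at the attribute lookup
        # inside the dynamic block.
        type = map(object({
            object_id               = string
            certificate_permissions = list(string)
            key_permissions         = list(string)
            secret_permissions      = list(string)
        }))
        # Placeholder object ids: replace with the real principal GUIDs before use.
        default = {
            one = {
                object_id               = "objectID1"
                certificate_permissions = ["Get"]
                key_permissions         = ["Get"]
                secret_permissions      = ["Get"]
            },
            second = {
                object_id               = "objectid2"
                certificate_permissions = ["Get", "List"]
                key_permissions         = ["Get", "List"]
                secret_permissions      = ["Get", "List"]
            }
        }
    }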
    
    # Identity Terraform is running as; provides the tenant_id and object_id used below.
    data "azurerm_client_config" "current" {}
    
    # Existing resource group the vault is placed in (looked up, not created here).
    data "azurerm_resource_group" "name" {
        name = "ansumantest"
    }
    
    resource "azurerm_key_vault" "key_vault-test" {
        name                   = "ansumankvtest12"
        location               = data.azurerm_resource_group.name.location
        resource_group_name    = data.azurerm_resource_group.name.name
        sku_name               = "standard"
        tenant_id              = data.azurerm_client_config.current.tenant_id
        # Static, vault-specific policy written as a nested block (no "= [").
        # Here the principal is the identity running Terraform and it is granted
        # only Get on secrets; keep the one-off policy this narrow in real use.
        access_policy {
            tenant_id               = data.azurerm_client_config.current.tenant_id
            object_id               = data.azurerm_client_config.current.object_id
            secret_permissions      = ["Get"]
        }
        # One further policy per entry of var.keyvault_accesspolicies. Terraform
        # combines these with the static block above, so the vault ends up with
        # the static policy plus one policy per map entry.
        # NOTE(review): inline access_policy blocks are, as far as I recall, the
        # complete set the provider enforces for the vault, so policies added
        # elsewhere (portal, azurerm_key_vault_access_policy resources) would be
        # removed on the next apply — confirm before mixing the two approaches.
        dynamic "access_policy" {
            for_each = var.keyvault_accesspolicies
            content {
                tenant_id               = data.azurerm_client_config.current.tenant_id
                object_id               = access_policy.value["object_id"]
                certificate_permissions = access_policy.value["certificate_permissions"]
                key_permissions         = access_policy.value["key_permissions"]
                secret_permissions      = access_policy.value["secret_permissions"]
            }
        }
    }
    

    Output (the original answer's screenshots of the resulting access policies are not reproduced here):
