
Adding existing VNet to Azure KeyVault using Pulumi fails


I have an existing key vault in Azure for which I am trying to add an existing VNet through Pulumi code. I face the below error:

error: azure:keyvault/keyVault:KeyVault resource 'exampleKeyVault' has a problem: Invalid or unknown key. Examine values at 'KeyVault.NetworkAcls.VirtualNetworkRules'.

This is my code:

example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
                                            resource_group_name=resourceGroup,
                                            name="keyVaultName",
                                            tenant_id=current.tenant_id,
                                            sku_name="premium",
                                            soft_delete_retention_days=7,
                                            # azure-native args type passed to a classic-provider (pulumi_azure) resource
                                            network_acls=pulumi_azure_native.keyvault.NetworkRuleSetArgs(
                                                bypass="AzureServices",
                                                ip_rules=None,
                                                default_action="Deny",
                                                # same mismatch: azure-native rule objects inside the classic resource
                                                virtual_network_rules=[pulumi_azure_native.keyvault.VirtualNetworkRuleArgs(id="/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.Network/virtualNetworks/zzzz/subnets/mysubnet")],),
                                            access_policies=[azure.keyvault.KeyVaultAccessPolicyArgs(
                                                tenant_id=current.tenant_id,
                                                object_id=current.object_id,
                                                key_permissions=[
                                                    "list",
                                                    "create",
                                                    "get",
                                                    "purge",
                                                    "recover",
                                                    "delete"
                                                ],
                                                secret_permissions=["set",
                                                                    "list",
                                                                    "get",
                                                                    "delete",
                                                                    "purge",
                                                                    "recover"],
                                            )])


Solution

  • You're passing the wrong type to your resource. network_acls doesn't take the type pulumi_azure_native.keyvault.NetworkRuleSetArgs; it takes pulumi.azure.KeyVaultNetworkAcls.

    See here for more information: https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/keyvault/#keyvaultnetworkacls

    You'll need something like this:

    example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
                                                resource_group_name=resourceGroup,
                                                name="keyVaultName",
                                                tenant_id=current.tenant_id,
                                                sku_name="premium",
                                                soft_delete_retention_days=7,
                                                # classic-provider type for network_acls (with `import pulumi_azure as azure`)
                                                network_acls=azure.keyvault.KeyVaultNetworkAclsArgs(
                                                    bypass="AzureServices",
                                                    ip_rules=None,
                                                    default_action="Deny",
                                                    # the classic provider takes plain subnet resource-ID strings here,
                                                    # not azure-native VirtualNetworkRuleArgs(id=...) objects
                                                    virtual_network_subnet_ids=["/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.Network/virtualNetworks/zzzz/subnets/mysubnet"],
                                                ),
                                                access_policies=[azure.keyvault.KeyVaultAccessPolicyArgs(
                                                    tenant_id=current.tenant_id,
                                                    object_id=current.object_id,
                                                    key_permissions=[
                                                        "list",
                                                        "create",
                                                        "get",
                                                        "purge",
                                                        "recover",
                                                        "delete"
                                                    ],
                                                    secret_permissions=["set",
                                                                        "list",
                                                                        "get",
                                                                        "delete",
                                                                        "purge",
                                                                        "recover"],
                                                )])
    

    I can also see you're making the same mistake at virtual_network_rules; you need to ensure you're not mixing provider types inside the same resource.
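As an added example (not code from the question or the answer), here is a small helper for the classic provider that validates subnet resource IDs and builds the network_acls input with default_action pinned to Deny, rejecting the azure-native rule objects that caused the error above. It assumes pulumi_azure imported as azure; the guarded main uses azure.network.get_subnet and azure.core.get_client_config as the classic provider's lookup functions, with placeholder resource names.

```python
import re

# A subnet resource ID has a fixed shape; a VNet ID or a typo is rejected before
# `pulumi up` instead of surfacing as a provider error.
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network"
    r"/virtualNetworks/[^/]+/subnets/[^/]+$", re.IGNORECASE)


def subnet_id_problems(subnet_ids):
    """Return the problems found with subnet_ids (an empty list means usable)."""
    problems = []
    for sid in subnet_ids:
        if not isinstance(sid, str):
            # e.g. an azure-native VirtualNetworkRuleArgs or {"id": ...}: the mix-up in the question
            problems.append(f"expected a subnet resource-ID string, got {type(sid).__name__}")
        elif not SUBNET_ID_RE.match(sid):
            problems.append(f"not a subnet resource ID: {sid}")
    return problems


def keyvault_network_acls(subnet_ids, ip_rules=None, bypass="AzureServices"):
    """Build the network_acls input for a classic-provider azure.keyvault.KeyVault.

    Pulumi accepts a plain dict wherever an *Args class is expected, so the result
    can be passed straight in. default_action is pinned to "Deny": the subnet and IP
    lists are an allow-list, and with both empty only the bypassed Azure services
    reach the vault. Put the deployer's egress IP in ip_rules if the same program
    also writes secrets; that is a data-plane call and is subject to this ACL.
    """
    problems = subnet_id_problems(subnet_ids)
    if problems:
        raise ValueError("; ".join(problems))
    return {"bypass": bypass, "default_action": "Deny",
            "ip_rules": list(ip_rules or []),
            "virtual_network_subnet_ids": list(subnet_ids)}


if __name__ == "__main__":
    # Runs only inside a Pulumi program (`pulumi up`), with pulumi_azure installed (assumed API).
    import pulumi_azure as azure
    # Resolve the existing subnet's ID by name instead of hard-coding it (placeholder names).
    subnet = azure.network.get_subnet(name="mysubnet", virtual_network_name="zzzz",
                                      resource_group_name="yyyy")
    azure.keyvault.KeyVault("exampleKeyVault", resource_group_name="yyyy", name="keyVaultName",
                            tenant_id=azure.core.get_client_config().tenant_id,
                            sku_name="premium", soft_delete_retention_days=7,
                            network_acls=keyvault_network_acls([subnet.id]))
```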