Tags: azure, terraform, azure-keyvault, terraform-provider-azure

Error when appending multiple key_vault_access_policy in a key_vault resource - resource needs to be imported into the State - Terraform / Azure


I'm trying to deploy a key_vault resource that contains two key_vault_access_policy resources, using this code:

data "azurerm_client_config" "current" {}


module "agw_user_assigned_identity" {
  source = "../modules/resources-blocks/user_assigned_identity"

  user_assigned_identity_name  = "agw-user-signed-id"
  resource_group_name     = module.resource_group.name
  resource_group_location = module.resource_group.location
}

module "key_vault" {
  source = "../modules/resources-hub/key_vault"

  key_vault_name          = local.key_vault_name
  resource_group_location = module.resource_group.location
  resource_group_name     = module.resource_group.name
  tenant_id = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90
}

module "key_vault_private_certificate" {
  source = "../modules/resources-blocks/key_vault_certificate"

  key_vault_id         = module.key_vault.id
  certificate_name     = local.agw_certificate_name
  certificate_path     = var.SSL_CERTIFICATE_PATH
  certificate_password = var.SSL_CERTIFICATE_PASSWORD
  depends_on = [module.key_vault_access_policy_agw]
}

module "key_vault_access_policy_users" {
  source = "../modules/resources-blocks/key_vault_access_policy"

  key_vault_id = module.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update"]
  key_permissions = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
  storage_permissions = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]

  depends_on = [module.key_vault]
}

module "key_vault_access_policy_agw" {
  source = "../modules/resources-blocks/key_vault_access_policy"

  key_vault_id = module.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = module.agw_user_assigned_identity.principal_id
  secret_permissions = ["Get"]

  depends_on = [module.key_vault_access_policy_users]
}

With the resources created in another file:

resource "azurerm_key_vault" "kv" {
  name                        = var.key_vault_name
  location                    = var.resource_group_location
  resource_group_name         = var.resource_group_name
  enabled_for_disk_encryption = true
  tenant_id                   = var.tenant_id
  soft_delete_retention_days  = var.soft_delete_retention_days
  purge_protection_enabled    = false
  sku_name                    = "standard"
}

locals {
  get_only_access = ["Get", "List"]
}

resource "azurerm_key_vault_access_policy" "acess_policy" {
  key_vault_id = var.key_vault_id
  tenant_id    = var.tenant_id
  object_id    = var.object_id

  key_permissions         = var.get_only_access ? local.get_only_access : var.key_permissions
  secret_permissions      = var.get_only_access ? local.get_only_access : var.secret_permissions
  storage_permissions     = var.get_only_access ? local.get_only_access : var.storage_permissions
  certificate_permissions = var.get_only_access ? local.get_only_access : var.certificate_permissions
}

The error that I get with the command terraform apply -var-file="variables.tfvars" is the following:

Error: A resource with the ID "/subscriptions/xxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.KeyVault/vaults/xxxxxxxx/objectId/xxxxxxxxxxxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_access_policy" for more information.
│
│   with module.key_vault_access_policy_users.azurerm_key_vault_access_policy.acess_policy,
│   on ..\modules\resources-blocks\key_vault_access_policy\main.tf line 5, in resource "azurerm_key_vault_access_policy" "acess_policy":
│    5: resource "azurerm_key_vault_access_policy" "acess_policy" {

Could you please help me to solve this issue?

Just to give you a more general overview, the reason I'm trying to deploy these resources is that I'm creating an Application Gateway and I need to store the SSL certificate in the key_vault resource.


Solution

  • Error: A resource with the ID "/subscriptions/xxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.KeyVault/vaults/xxxxxxxx/objectId/xxxxxxxxxxxx" already exists - to be managed via Terraform this resource needs to be imported into the State.

    It commonly happens when the Terraform state file (running locally) does not match the resources in the Portal.

    As @Marcin said, you should import the resource with the resource ID and add the respective object ID of the Key Vault.

    Go to the Key Vault in the portal and get the resource ID and object ID as shown here:

    Use

    terraform import azurerm_key_vault_access_policy.xxxxx ResourceID 
    

    to fix this issue.

    terraform import azurerm_key_vault_access_policy.example /subscriptions/<subscriptionID>/resourceGroups/<resourcegroupName>/providers/Microsoft.KeyVault/vaults/examples-keyvault/objectId/<ObjectID of Keyvault>
    

    Refer to the Terraform registry and the SO answer worked by me for more information regarding it.

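Two details a practitioner needs before running the import above, shown as an added example that is not part of the question or the answer. First, the resource in the question is declared inside a module, so the address passed to terraform import must be the module-qualified one that appears in the error message (module.key_vault_access_policy_users.azurerm_key_vault_access_policy.acess_policy), not the bare azurerm_key_vault_access_policy.example from the answer. Second, the objectId segment of the import ID is the principal's object ID (here the signed-in user from azurerm_client_config), which is exactly the ID printed in the error message; the script below rebuilds it from its parts, refuses non-GUID object IDs, and skips the import if the address is already tracked in state. The subscription, resource group and vault names are placeholders; the Azure CLI lookup of the caller's object ID is a real az command (older CLI versions expose the field as objectId instead of id).

```shell
#!/bin/sh
# Added example (not from the original question or answer): build the import
# address and import ID for an azurerm_key_vault_access_policy declared inside
# a module, check state, and only then run `terraform import`.

# Import ID format documented for azurerm_key_vault_access_policy:
#   <vault resource ID>/objectId/<principal object ID>[/applicationId/<app ID>]
kv_policy_import_id() {
  sub="$1"; rg="$2"; vault="$3"; oid="$4"; appid="${5:-}"
  id="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$vault/objectId/$oid"
  [ -n "$appid" ] && id="$id/applicationId/$appid"
  printf '%s\n' "$id"
}

# Terraform address for a resource declared inside a module block
# (the same path shown in the "with module...." line of the error).
kv_policy_address() {
  module="$1"; resource="$2"
  printf 'module.%s.azurerm_key_vault_access_policy.%s\n' "$module" "$resource"
}

# Reject object IDs that are not GUIDs so a typo cannot import the wrong policy.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Import unless the address is already tracked. `terraform state list` and
# `terraform import` are standard Terraform commands; the grep is an exact
# whole-line match so module.foo does not match module.foo_bar.
import_if_missing() {
  address="$1"; import_id="$2"
  if terraform state list 2>/dev/null | grep -Fxq "$address"; then
    echo "already in state: $address"
    return 0
  fi
  terraform import "$address" "$import_id"
}

# Usage: run with --run from the root module directory. The values below are
# placeholders; the object ID is looked up with the Azure CLI.
if [ "${1:-}" = "--run" ]; then
  SUB="00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
  RG="rg-hub"                                   # placeholder resource group
  VAULT="kv-hub"                                # placeholder vault name
  OID="$(az ad signed-in-user show --query id -o tsv)"
  is_guid "$OID" || { echo "bad object id: $OID" >&2; exit 1; }
  import_if_missing \
    "$(kv_policy_address key_vault_access_policy_users acess_policy)" \
    "$(kv_policy_import_id "$SUB" "$RG" "$VAULT" "$OID")"
fi
```

After the import, run terraform plan: the plan for the imported policy should be empty, or show only the permission lists the module computes (for example the ["Get", "List"] branch of get_only_access). Any other diff means the policy in Azure was not created by this configuration and should be reviewed before apply rather than silently overwritten.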