I created a resource azurerm_windows_function_app_slot.
data "azurerm_windows_function_app" "reconciliationFunctionApp" {
  name                = "${local.funcprefix}-func"
  resource_group_name = data.azurerm_resource_group.lp.name
}

resource "azurerm_windows_function_app_slot" "reconciliationFuncSlot" {
  name                 = local.slot
  function_app_id      = data.azurerm_windows_function_app.reconciliationFunctionApp.id
  storage_account_name = azurerm_storage_account.lpstorage.name
  site_config {}

  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
}
It's working.
Now I need to reference it when creating an azurerm_key_vault_access_policy. Is there a work-around I can use to create this policy?
resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
  key_vault_id = azurerm_key_vault.lp.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_windows_function_app_slot.reconciliationFuncSlot.identity[0].principal_id
  secret_permissions = [
    "Get",
...
What I have tried so far: First, as you can see above, I tried directly referencing the slot resource. That did not work and gives the error 'error: Missing required argument object_id'.
Next I found this work-around https://github.com/hashicorp/terraform-provider-azurerm/issues/19316 and this answer https://stackoverflow.com/a/74096990/2256149 which led me to try this:
data "azurerm_windows_function_app" "reconciliationFuncSlot" {
  name                = "${data.azurerm_windows_function_app.reconciliationFunctionApp.name}/slots/${azurerm_windows_function_app_slot.reconciliationFuncSlot.name}"
  resource_group_name = data.azurerm_resource_group.lp.name
  depends_on          = [azurerm_windows_function_app_slot.reconciliationFuncSlot]
}

resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
  key_vault_id = azurerm_key_vault.lp.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_windows_function_app.reconciliationFuncSlot.identity[0].principal_id
  secret_permissions = [
    "Get",
...
But that also produces an error. "Error: 'name' may only contain alphanumeric characters and dashes and up to 60 characters in length"
Any suggestions about how I can create a key vault access policy for my function app slot? Thanks!
Create a key vault access policy for my azurerm_windows_function_app_slot using terraform.
The GitHub and SO links you shared seem to use a data module to call the windows_function_app, which is not required to achieve the requirement.

In the second try you mentioned
name = "${data.azurerm_windows_function_app.reconciliationFunctionApp.name}/slots/${azurerm_windows_function_app_slot.reconciliationFuncSlot.name}"
in the data module, which is actually not required in this scenario: this configuration does not need the data module, since we refer to the identity directly in the policy, so there is no need to call it again with a data module. In that module, the name you refer to is causing the error, as it differs from the actual name and does not follow the naming convention mentioned in the error description. If the windows_function_app already exists, refer to its correct name and don't pass the function app slot name as the function_app name.

I tried the updated configuration with the necessary changes, as shown below.
Configuration:
resource "azurerm_windows_function_app_slot" "reconciliationFuncSlot" {
  name                 = "vksb-slot"
  function_app_id      = azurerm_windows_function_app.reconciliationFunctionApp.id
  storage_account_name = azurerm_storage_account.lpstorage.name
  site_config {}

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault" "lp" {
  name                     = "vksbbs-key-vault"
  location                 = azurerm_resource_group.lp.location
  resource_group_name      = azurerm_resource_group.lp.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true
}

resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
  key_vault_id = azurerm_key_vault.lp.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_windows_function_app_slot.reconciliationFuncSlot.identity[0].principal_id
  secret_permissions = [
    "Get",
    "List",
  ]
  depends_on = [azurerm_key_vault.lp, azurerm_windows_function_app_slot.reconciliationFuncSlot]
}
Deployment:
Refer:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app_slot
azurerm_key_vault_access_policy | Resources | hashicorp/azurerm | Terraform | Terraform Registry
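The answer above grants the slot's system-assigned identity access to the vault by referencing `identity[0].principal_id` on the slot resource directly. One caveat a practitioner will hit next: the production app and each deployment slot get their own service principal, and managed identity is a slot-sticky setting that does not move on swap, so a policy for the slot alone leaves production without access after a swap. The following is an added example (not code from the question or the answer) that grants both principals from one `for_each` policy and narrows the secret permissions to `Get` only. It assumes the function app is managed as a resource in the same configuration, an `azurerm_service_plan.lp` and `azurerm_resource_group.lp` exist, and keeps the thread's names (`reconciliationFunctionApp`, `reconciliationFuncSlot`, `lp`, `lpstorage`); everything else is illustrative.

```hcl
# Added example, not the original poster's or the answerer's code.
# Assumed to exist elsewhere in the configuration: azurerm_resource_group.lp,
# azurerm_service_plan.lp, azurerm_storage_account.lpstorage, azurerm_key_vault.lp,
# data.azurerm_client_config.current, local.funcprefix and local.slot.

resource "azurerm_windows_function_app" "reconciliationFunctionApp" {
  name                       = "${local.funcprefix}-func"
  resource_group_name        = azurerm_resource_group.lp.name
  location                   = azurerm_resource_group.lp.location
  service_plan_id            = azurerm_service_plan.lp.id
  storage_account_name       = azurerm_storage_account.lpstorage.name
  storage_account_access_key = azurerm_storage_account.lpstorage.primary_access_key
  site_config {}

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_windows_function_app_slot" "reconciliationFuncSlot" {
  name                       = local.slot
  function_app_id            = azurerm_windows_function_app.reconciliationFunctionApp.id
  storage_account_name       = azurerm_storage_account.lpstorage.name
  storage_account_access_key = azurerm_storage_account.lpstorage.primary_access_key
  site_config {}

  identity {
    # identity_ids is only for UserAssigned identities; leave it out here.
    type = "SystemAssigned"
  }
}

# Production and the slot are two distinct service principals, and a swap
# does not move the identity with the code, so both need a policy.
# Map keys are literals, so for_each is known at plan time even though
# the principal IDs are only known after apply.
locals {
  function_principals = {
    production = azurerm_windows_function_app.reconciliationFunctionApp.identity[0].principal_id
    slot       = azurerm_windows_function_app_slot.reconciliationFuncSlot.identity[0].principal_id
  }
}

resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
  for_each = local.function_principals

  key_vault_id = azurerm_key_vault.lp.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = each.value

  # Least privilege: the function only needs to read secrets it knows by name.
  # "List" would let a compromised function enumerate every secret in the vault.
  secret_permissions = ["Get"]
}
```

Because `for_each` keys the two policies as `reconciliationFunc["production"]` and `reconciliationFunc["slot"]`, retiring the slot later removes only its own policy. The explicit `depends_on` from the answer is unnecessary here: the references to `azurerm_key_vault.lp.id` and the identity blocks already order the resources.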