Home > Blockchain >  Terraform azurerm_key_vault - Access policy raising errors
Terraform azurerm_key_vault - Access policy raising errors

Time:08-10

I have been provisioning an azurerm_key_vault for sometime, but after deciding to run a brand new plan I seem to be getting the below error:

 Error: expected access_policy.0.key_permissions.0 to be one of [Backup Create Decrypt Delete Encrypt Get Import List Purge Recover Restore Sign UnwrapKey Update Verify WrapKey], got create
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 29, in resource "azurerm_key_vault" "admin_vault":
│   29:       "list"
│
╵
╷
│ Error: expected access_policy.0.key_permissions.1 to be one of [Backup Create Decrypt Delete Encrypt Get Import List Purge Recover Restore Sign UnwrapKey Update Verify WrapKey], got get
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 29, in resource "azurerm_key_vault" "admin_vault":
│   29:       "list"
│
╵
╷
│ Error: expected access_policy.0.key_permissions.2 to be one of [Backup Create Decrypt Delete Encrypt Get Import List Purge Recover Restore Sign UnwrapKey Update Verify WrapKey], got list
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 29, in resource "azurerm_key_vault" "admin_vault":
│   29:       "list"
│
╵
╷
│ Error: expected access_policy.0.secret_permissions.0 to be one of [Backup Delete Get List Purge Recover Restore Set], got list
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 38, in resource "azurerm_key_vault" "admin_vault":
│   38:       "recover"
│
╵
╷
│ Error: expected access_policy.0.secret_permissions.1 to be one of [Backup Delete Get List Purge Recover Restore Set], got set
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 38, in resource "azurerm_key_vault" "admin_vault":
│   38:       "recover"
│
╵
╷
│ Error: expected access_policy.0.secret_permissions.2 to be one of [Backup Delete Get List Purge Recover Restore Set], got get
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 38, in resource "azurerm_key_vault" "admin_vault":
│   38:       "recover"
│
╵
╷
│ Error: expected access_policy.0.secret_permissions.3 to be one of [Backup Delete Get List Purge Recover Restore Set], got delete
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 38, in resource "azurerm_key_vault" "admin_vault":
│   38:       "recover"
│
╵
╷
│ Error: expected access_policy.0.secret_permissions.4 to be one of [Backup Delete Get List Purge Recover Restore Set], got purge
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 38, in resource "azurerm_key_vault" "admin_vault":
│   38:       "recover"
│
╵
╷
│ Error: expected access_policy.0.secret_permissions.5 to be one of [Backup Delete Get List Purge Recover Restore Set], got recover
│
│   with module.database.azurerm_key_vault.admin_vault,
│   on ../../modules/database/main.tf line 38, in resource "azurerm_key_vault" "admin_vault":
│   38:       "recover"

I am not sure why this is happening because I haven't change anything to the below code:

resource "random_id" "db" {
  keepers = {
    resource_group_name = var.resource_group.name
  }
  byte_length = 4
}

locals {
  prefix = "tf-${terraform.workspace}-${random_id.db.hex}"
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "admin_vault" {
  name                       = "${local.prefix}-vlt"
  location                   = var.resource_group.location
  resource_group_name        = var.resource_group.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "create",
      "get",
      "list"
    ]

    secret_permissions = [
      "list",
      "set",
      "get",
      "delete",
      "purge",
      "recover"
    ]
  }

  tags = {
    environment = var.environment
  }
}

resource "random_password" "database_admin_password" {
  length  = 16
  special = true
}

resource "azurerm_key_vault_secret" "database_admin_password_secret" {
  name         = "database-admin-password"
  value        = random_password.database_admin_password.result
  key_vault_id = azurerm_key_vault.admin_vault.id
}

resource "azurerm_key_vault_secret" "database_admin_username_secret" {
  name         = "database-admin-username"
  value        = "psqladmin"
  key_vault_id = azurerm_key_vault.admin_vault.id

  tags = {
    environment = var.environment
  }
}

resource "azurerm_postgresql_server" "db_server" {
  name                = "${local.prefix}-db-server"
  location            = var.resource_group.location
  resource_group_name = var.resource_group.name

  sku_name   = terraform.workspace == "prod" ? "GP_Gen5_2" : "B_Gen5_1"
  storage_mb = terraform.workspace == "prod" ? 102400 : 10240

  backup_retention_days        = 35
  geo_redundant_backup_enabled = terraform.workspace == "prod"
  auto_grow_enabled            = true

  administrator_login          = azurerm_key_vault_secret.database_admin_username_secret.value
  administrator_login_password = azurerm_key_vault_secret.database_admin_password_secret.value
  version                      = "11"
  ssl_enforcement_enabled      = true

  tags = {
    environment = var.environment
  }
}

CodePudding user response:

The documentation for azurerm_key_vault shows that secret permissions begin with a capital letter - i.e. "Recover" instead of "recover".

Page link:https//www.codepudding.com/Blockchain/504983.html

Prev:How to auto renew Service Principals secrets in Azure
Next:Create Group in Azure AD creating a group which is already exists in AzureAD using Graph API
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding