Iterating over map to create key vault secrets throws error if secret doesn't exist

Time:02-12

I have a map of key vault secrets that I would want to use in an application. Some of these already exist in Azure Key Vault:

variable "keyvault_secrets" {
  type = map(string)
  default = {
    service_bus = "AzureWebJobsServiceBus",
    mongo_connection = "MongoConnection",
    sendgrid_api_key = "SendgridApiKey",
    twilio_auth_token = "TwilioAccountAuthToken",
    twilio_sid = "TwilioAccountSid",
    twilio_message_service_sid = "TwilioMessageServiceSid",
    resdis_session_connection = "RedisSessionConnection"
  }
}

I then have the following blocks to create the key vault and secrets:

data "azurerm_key_vault_secret" "these" {
  for_each = var.keyvault_secrets
  key_vault_id = azurerm_key_vault.default.id
  name = each.value
}

resource "azurerm_key_vault_access_policy" "api" {
  key_vault_id = azurerm_key_vault.default.id
  object_id = azurerm_app_service.api[0].identity[0].principal_id
  tenant_id = data.azurerm_client_config.current.tenant_id
  depends_on = [azurerm_app_service.api]
  key_permissions = []
  secret_permissions = [
    "Get"
  ]
}

resource "azurerm_key_vault" "default" {
  location = var.azure_location
  name = "kv-quiztime-${terraform.workspace}-001"
  resource_group_name = azurerm_resource_group.default[0].name
  sku_name = module.vars.env["keyvault_plan_sku"]["name"]
  tenant_id = data.azurerm_client_config.current.tenant_id
  tags = local.common_tags
}

resource "azurerm_key_vault_secret" "these" {
  for_each = var.keyvault_secrets
  key_vault_id = azurerm_key_vault.default.id
  name = each.value
  # A conditional needs a bool, so the data source reference is wrapped in try();
  # the fallback is used when the value cannot be read
  value = try(data.azurerm_key_vault_secret.these[each.key].value, "not set")
  content_type = "Connection String"
}

However, when I run terraform plan I get the following error:

│ Error: KeyVault Secret "RedisSessionConnection" (KeyVault URI "https://kv-[hidden]-dev-001.vault.azure.net/") does not exist
│
│   with data.azurerm_key_vault_secret.these["resdis_session_connection"],
│   on keyvaults.tf line 2, in data "azurerm_key_vault_secret" "these":
│    2: data "azurerm_key_vault_secret" "these" {

Because it doesn't exist, I would expect it to be created. What am I doing wrong? Or do I have incorrect expectations?

CodePudding user response:

The error "does not exist" is from data.azurerm_key_vault_secret.these. Data sources must exist, otherwise you get that error. You can't query a data source for a resource that does not exist. TF does not support such functionality, nor does it have any way to check for existence beforehand.

You would have to design your own custom data source to implement working with resources that may or may not exist.
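One way to get the "create it if it is missing, keep it if it exists" behaviour without a data source is to declare every secret in the map as a managed resource and adopt the ones that already exist with terraform import. This is an added example, not code from the question or the answer above; it assumes the keyvault_secrets variable and the azurerm_key_vault.default resource from the question, and the vault hostname, secret version and placeholder value in the comments are assumptions.

```hcl
# Added example: manage all secrets as resources instead of reading them
# through a data source. Secrets that already exist in the vault must be
# imported once before the first apply, otherwise the provider refuses to
# create a secret whose name is already taken. The import ID is the versioned
# secret URI (assumed values shown):
#
#   terraform import 'azurerm_key_vault_secret.these["service_bus"]' \
#     'https://kv-example-dev-001.vault.azure.net/secrets/AzureWebJobsServiceBus/<version-id>'
#
resource "azurerm_key_vault_secret" "these" {
  for_each     = var.keyvault_secrets
  key_vault_id = azurerm_key_vault.default.id
  name         = each.value
  content_type = "Connection String"

  # Placeholder written only when Terraform creates the secret. Because
  # `value` is listed in ignore_changes, an imported or rotated value is
  # never overwritten on later applies.
  value = "not set"

  lifecycle {
    ignore_changes = [value]
  }
}

# Hand the application the secret URIs rather than the values, so the app
# resolves them at runtime through its managed identity (the access policy
# in the question grants it "Get").
output "keyvault_secret_ids" {
  value = { for k, s in azurerm_key_vault_secret.these : k => s.id }
}
```

Two points to keep in mind with this pattern. The placeholder "not set" is a real secret value until someone sets the true one, so the application should treat it as a configuration error rather than a usable connection string. And the secret values still end up in Terraform state after import or creation, so the state backend needs the same access controls and encryption as the vault itself.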
