
Using Terraform, I am trying to add a key vault access policy for an application (also created in Terraform), which requires the object_id (a GUID) of that application. In an ARM template it looks like this:

 "objectId": "[reference(variables('myAppResourceId'), '2015-08-31-PREVIEW').principalId]"

so Terraform needs the principal id there to be assigned to the object_id. If I use the value "object_id = ${azurerm_app_service.myApp.id}" like this:

    resource "azurerm_key_vault_access_policy" "pol1" {
      vault_name          = "${azurerm_key_vault.kv1.name}"
      resource_group_name = "${azurerm_key_vault.kv1.resource_group_name}"

      # tenant_id must be the Azure AD tenant id, not the subscription id
      tenant_id = "${data.azurerm_subscription.current.tenant_id}"
      object_id = "${azurerm_app_service.myApp.id}"

      key_permissions    = "${var.app_keys_permissions}"
      secret_permissions = "${var.app_secrets_permissions}"
    }

then when I run the apply command, I get the following error:

azurerm_key_vault_access_policy.pol1: "object_id" is an invalid UUUID: encoding/hex: invalid byte: U+002F '/'

This is probably because the id looks like a URL with slashes, so it does not work, since I need the GUID only.

I also tried a suggestion from "Terraform grant azure function app with msi access to azure keyvault", using object_id = "${lookup(azurerm_app_service.app1.identity[0],"principal_id")}" for an app service instead of the function, and I get this error:

 azurerm_key_vault_access_policy.appPolicy1: At column 43, line 1: list "azurerm_app_service.app1.identity" does not have any elements so cannot determine type. in:

${lookup(azurerm_app_service.app1.identity[0],"principal_id")}

Could someone help me with this object_id, please?

Thanks


When you read the description of the azurerm_key_vault_access_policy property object_id, you should see that it can mean the web app's principal id.

The azurerm_app_service.myApp.id that you put there is not the principal id, it's the app service resource id. You should use the azurerm_app_service.myApp.identity.principal_id that is associated with your web app. Take a look at the Attributes of the App Service resource. Hope this helps you.

However, something not mentioned in the documentation is the need to specify an identity block in your app_service declaration.

    identity { type = "SystemAssigned" }

If you don't specify it, you might get an empty list as identity attribute.

  • That was the problem that I had initially. The docs say: You can access the Principal ID via: `${azurerm_app_service.test.identity.0.principal_id}` and the Tenant ID via: `${azurerm_app_service.test.identity.0.principal_id}` so, when I try getting the principal id: `object_id = "${azurerm_app_service.app1.identity.0.principal_id}"` I get the following error: `* azurerm_key_vault_access_policy.appPolicy1: Resource 'azurerm_app_service.app1' does not have attribute 'identity.0.principal_id' for variable 'azurerm_app_service.app1.identity.0.principal_id'` – tridy Jan 15 '19 at 08:29
  • You could use the principal Id if you set it in the app service resource. Do you set it? – Charles Xu Jan 15 '19 at 08:43
  • Could you please explain a bit more. Is it that I should also create _azuread_service_principal_ and assign _application_id_ and then app1 will have identity.0.principal_id. Or do you mean that I should include _identity_ section in _azurerm_app_service_ and include principal Id there? – tridy Jan 15 '19 at 09:41
  • What you say are the two ways that you can do it. I mean the second one. But I think they can all work for you. – Charles Xu Jan 15 '19 at 09:46
  • Alright, it seems like adding `identity { type = "SystemAssigned" }` to azurerm_app_service did the trick, and now `output "application_identity_principal_id" { value = "${azurerm_app_service.app1.identity.0.principal_id}" }` shows the id. I think that will solve my problem. Thanks for pointing out the explicit need for the identity assignment. – tridy Jan 15 '19 at 10:37
  • When trying to reference an App Service using its object_id in terraform KeyVault policy **azurerm_key_vault_access_policy**, this answer also fixes the following **Error: "object_id" isn't a valid UUID** – Ralph Willgoss Jan 24 '20 at 20:00
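The configuration that the answer and the comment thread converge on, written out as an added example (not code from the question or the answer). It uses the Terraform 0.11 interpolation syntax of the page, assumes existing `azurerm_resource_group.rg`, `azurerm_app_service_plan.plan` and `azurerm_key_vault.kv1` resources, and reads the tenant id from `data.azurerm_client_config`; the permission lists are placeholders to be narrowed to what the app actually needs.

```hcl
# Added example, not from the question or answer. Resource names rg, plan,
# kv1 and app1 are assumptions.
data "azurerm_client_config" "current" {}

resource "azurerm_app_service" "app1" {
  name                = "example-app1"
  location            = "${azurerm_resource_group.rg.location}"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  app_service_plan_id = "${azurerm_app_service_plan.plan.id}"

  # Without this block the identity list is empty, so
  # identity.0.principal_id does not exist and the lookup fails.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "pol1" {
  vault_name          = "${azurerm_key_vault.kv1.name}"
  resource_group_name = "${azurerm_key_vault.kv1.resource_group_name}"

  # The policy's tenant_id is the Azure AD tenant, not the subscription id.
  tenant_id = "${data.azurerm_client_config.current.tenant_id}"

  # The managed identity's principal id is the GUID the policy expects.
  # azurerm_app_service.app1.id is an ARM resource path containing '/',
  # which is why it fails UUID parsing.
  object_id = "${azurerm_app_service.app1.identity.0.principal_id}"

  # Grant only what the app needs; placeholders here.
  key_permissions    = ["get"]
  secret_permissions = ["get", "list"]
}

# Handy for confirming the identity was created before wiring the policy.
output "app1_principal_id" {
  value = "${azurerm_app_service.app1.identity.0.principal_id}"
}
```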