
I have an Azure Key Vault with 4 Access Policies. Each Access Policy has its own unique ObjectId.

In trying to import our legacy Azure resources into a Terraform configuration, I've therefore created a Terraform block like the one below.

resource "azurerm_key_vault" "example" {
  name                = "examplekeyvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
}

resource "azurerm_key_vault_access_policy" "policy1" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "001" # dummy ObjectId; a real value is the principal's Azure AD object ID (a GUID) and must be a quoted string

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

The above worked okay and I was able to import "policy1" successfully.

However, when I then replicated the policy block and appended it with the next policy like the one below, it just doesn't appear to accept it as a properly formed Terraform configuration. My intention is obviously to import all four policies (if that is possible).

resource "azurerm_key_vault" "example" {
  name                = "examplekeyvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
}

resource "azurerm_key_vault_access_policy" "policy1" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "001" # dummy ObjectId; a real value is the principal's Azure AD object ID (a GUID) and must be a quoted string

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

resource "azurerm_key_vault_access_policy" "policy2" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "002" # dummy ObjectId, quoted like the first one

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

In both of the above illustrations, I've only used dummy ObjectIds.

Am I doing this entirely the wrong way or is it just not possible to import multiple policies into one Terraform config? The Terraform registry documentation meanwhile says Azure permits a maximum of 1024 Access Policies per Key Vault.

hitman126
  • "it just doesn't appear to accept it as a properly formed Terraform configuration" what does that mean? **Include the error message in your question!** – Mark B Sep 16 '21 at 17:03
  • what is the error you are getting? – Ricky Gummadi Sep 16 '21 at 22:08
  • Well, it all turned out to be a red-herring. I got it working eventually........and yes, appending those multiple access policy blocks worked, once I'd completed the imports. – hitman126 Sep 17 '21 at 09:49
  • Hello @hitman126, could you please post your solution as an answer. This will be beneficial for other community members who come across the same issue. – Ansuman Bal Sep 17 '21 at 16:29
  • Hello @AnsumanBal-MT, so in the end, my proposed solution of simply appending additional policy blocks to the key vault access policy as depicted in my second code snippet, appeared to work as my subsequent Terraform Plan and Apply went well without any errors reported. I can only therefore conclude and/or assume that it was a correct solution. – hitman126 Sep 19 '21 at 09:41

1 Answer


In the end, my proposed solution of simply appending additional policy blocks to the key vault access policy as depicted in my second code snippet (above), appeared to work, as my subsequent Terraform Plan and Apply went well without any errors reported.

I can only therefore conclude and/or assume that appending those additional policy blocks was a correct solution after all.

hitman126
  • Have you thought about using dynamic blocks? It will provide a nicer way to provide the access policy (especially if you have the same permission for each object id) https://www.terraform.io/language/expressions/dynamic-blocks – HoLengZai May 05 '22 at 07:46
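The answer above says what worked: one azurerm_key_vault_access_policy resource per policy, then a terraform import for each before plan and apply. The script below is an added example, not code from the original post or from the provider, showing that import step for all four policies at once. It builds each import ID in the format the azurerm provider documents for azurerm_key_vault_access_policy (the Key Vault resource ID followed by /objectId/<object ID>, plus /applicationId/<application ID> for policies bound to an application). The subscription, resource group, vault name and object IDs are made-up placeholders. It also refuses to import anything whose object_id is not a GUID, so a dummy value such as 001 left in the config is caught before an access policy for a non-existent principal gets created.

```shell
#!/bin/sh
# Added example (not from the original post or the azurerm provider): build the
# import ID for each azurerm_key_vault_access_policy resource and run
# `terraform import` once per policy. Subscription, resource group, vault name
# and object IDs below are placeholders, not real values.
set -eu

# Import ID format for azurerm_key_vault_access_policy (provider docs):
#   <key vault resource ID>/objectId/<object ID>[/applicationId/<application ID>]
kv_policy_import_id() {
  vault_id=$1
  object_id=$2
  application_id=${3:-}
  if [ -n "$application_id" ]; then
    printf '%s/objectId/%s/applicationId/%s\n' "$vault_id" "$object_id" "$application_id"
  else
    printf '%s/objectId/%s\n' "$vault_id" "$object_id"
  fi
}

# An access policy's object_id is an Azure AD object ID (a GUID). Refuse anything
# else so a placeholder such as 001 is never imported or applied as a real policy.
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# Read "resource_name object_id" pairs from stdin and import each one under the
# given Key Vault resource ID. Set TERRAFORM=echo to preview the commands
# without touching state; leave it unset to run the real terraform binary.
import_policies() {
  vault_id=$1
  tf=${TERRAFORM:-terraform}
  while read -r name object_id; do
    [ -n "$name" ] || continue
    if ! is_guid "$object_id"; then
      printf 'refusing %s: "%s" is not an Azure AD object ID\n' "$name" "$object_id" >&2
      return 1
    fi
    "$tf" import "azurerm_key_vault_access_policy.${name}" \
      "$(kv_policy_import_id "$vault_id" "$object_id")"
  done
}

# Constructed sample input: the four policy resources from the question
# (policy1 .. policy4) with placeholder object IDs.
sample_policies() {
  cat <<'EOF'
policy1 11111111-1111-1111-1111-111111111111
policy2 22222222-2222-2222-2222-222222222222
policy3 33333333-3333-3333-3333-333333333333
policy4 44444444-4444-4444-4444-444444444444
EOF
}

# Placeholder Key Vault resource ID (az keyvault show --query id gives the real one).
VAULT_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/examplekeyvault"

# Preview the four import commands; drop TERRAFORM=echo to run them for real.
sample_policies | TERRAFORM=echo import_policies "$VAULT_ID"
```

After the four imports, run terraform plan and expect no changes: any diff means the config does not match what is actually on the vault (typically the permission lists), and apply would then change real grants rather than just adopt them. The provider docs also warn not to mix inline access_policy blocks in azurerm_key_vault with separate azurerm_key_vault_access_policy resources, so when taking this route leave the access_policy block out of the vault resource. If the policies are generated with for_each instead of four literal blocks, the import addresses take the form azurerm_key_vault_access_policy.policy["policy1"] and need quoting on the command line.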