1

I am trying to create access policy for data factory using terraform using below terraform code. For first deployment(Through Azure Devops) everything creating perfectly. When I redeploy without changes anything i can see terraform is detecting few changes with key vault and complete ADF access policy is getting removed from access policies. And when I redeploy once again ADF access policy is getting created again. Every alternative times same is happing. But every time my testate file looks same.

Key vault code

resource "azurerm_key_vault" "kv" {
  name                        = "${lower("${var.applicationName}-${var.environment}")}-akv"
  location                    = azurerm_resource_group.myresourcegroup.location
  resource_group_name         = azurerm_resource_group.myresourcegroup.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = var.skuname
  purge_protection_enabled    = false
    
   access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get","List","Create"
    ]

    secret_permissions =  [ "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"]
    storage_permissions = [ "Get","List","Set"]

  }
    
    access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = var.group_object_id

    key_permissions = [
            "Get","List","Create"
    ]

    secret_permissions =  [
        "Backup", "Delete", "Get", "List", "Recover", "Restore", "Set", "Purge"
    ]
    storage_permissions = [ 
       "Get","List","Set"
    ]

  }

      
    network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["198....."]
  }
}

code for Access policy for data factory.

resource "azurerm_key_vault_access_policy" "adfpolicy" {
key_vault_id = azurerm_key_vault.kv.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_data_factory.adf.identity[0].principal_id
     key_permissions = [
    "Get", "Create", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
    ]
    secret_permissions = [
    "Get", "List"
    ]
    depends_on = [azurerm_resource_group.myresourcegroup, azurerm_virtual_network.vnet, azurerm_subnet.public_subnet, azurerm_key_vault.kv, azurerm_data_factory.adf]
}

Data factory code

resource "azurerm_data_factory" "adf" {
  name                = "${var.applicationName}-${var.environment}-adf"
  location            = azurerm_resource_group.myresourcegroup.location
  resource_group_name = azurerm_resource_group.myresourcegroup.name
    
identity {
    type = "SystemAssigned,UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.base.id]
 }
    
}
venkat
  • 111
  • 1
  • 1
  • 11

1 Answers1

2

According to azurerm_key_vault | Resources | hashicorp/azurerm | Terraform Registry

We can define Key Vault Access Policies in two ways i.e,one in the azurerm_key_vault resource via the access_policy block and the other by the azurerm_key_vault_access_policy resource. But using both the ways may lead to conflicts.

So please check for that case. And also try definig policies through azurerm_key_vault_access_policy resource only rather than within the azurerm_key_vault module itself.

Also try see if you can use conditional (for_each and if )to update access policy only if it changes and not apply when everything is same.

References:

  1. terraform-provider-azurerm/issues
  2. terraform-importing-multiple-azure-keyvault-access-policies
kavyaS
  • 8,026
  • 1
  • 7
  • 19