
I am running into a cycle error when assigning a Key Vault access policy to the managed identity of the resource I am trying to create. Currently we have modules for App_Config, Windows Function, Redis, etc. All of them are created with either a system- or user-assigned managed identity. They all need access to Key Vaults.

Currently I generate the Key Vault's access_policies by looping through the resources and grabbing the managed identity for each resource.

What is the best way to break this cycle error and apply Key Vault access to the resources?

#################################

Update 1

Moving the azurerm_user_assigned_identity outside of the module solved the cycle error, but the Windows Function is now complaining that it needs a System Assigned Identity.

[![MSI ERROR][1]][1]

Back to testing other options.

[1]: https://i.stack.imgur.com/zwVgd.png

Maki

2 Answers

1

A cycle error occurs when the azurerm_key_vault depends on the azurerm_managed_identity resource (when assigning an access policy to the managed identity), while the azurerm_managed_identity resource also depends on the azurerm_key_vault resource (when using the Key Vault's ID).

resource "azurerm_key_vault" "nscsecrets" {
  name                       = "kkkvault0123456"
  resource_group_name        = data.azurerm_resource_group.example.name
  location                   = data.azurerm_resource_group.example.location
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

To resolve this cycle error, the way is to separate managed identity creation and the assignment of the Key Vault access policy into two separate Terraform configurations or modules.

The indirect dependency between the resources can be avoided and the cycle error can be resolved.

code:

resource "azurerm_key_vault_access_policy" "app_config_policy" {
  key_vault_id = azurerm_key_vault.key_vault.id

  # Tenant of the vault; assigned once (HCL rejects a repeated attribute)
  tenant_id = var.tenant_id
  # Object id of the user-assigned identity being granted access
  # (the azurerm provider's resource is azurerm_user_assigned_identity)
  object_id = azurerm_user_assigned_identity.app_config_identity.principal_id

  # Define the permissions for the access policy
  secret_permissions  = ["Backup", "Delete", "Get", "List", "Purge"]
  key_permissions     = ["Backup", "Create", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  storage_permissions = ["Backup", "Delete", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
}

resource "azurerm_key_vault_access_policy" "function_policy" {
  key_vault_id = azurerm_key_vault.key_vault.id

  tenant_id = var.tenant_id
  # Object id of the principal running Terraform (object_id, not tenant_id)
  object_id = data.azurerm_client_config.current.object_id

  # Define the permissions for the access policy
  secret_permissions  = ["Backup", "Delete", "Get", "List"]
  key_permissions     = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  storage_permissions = ["Backup", "Delete", "Update"]
}


Reference: Importing multiple Azure KeyVault Access Policies | StackOverflow

kavyaS
  • I've tested azurerm_key_vault_access_policy and it indeed works for breaking the "cycle" error, but now the Key Vault policies are no longer being fully tracked by Terraform. A user can add a manual ACL into KV and it will not get purged during the next Terraform apply. I will try moving the managed identity out of the module. THANKS – Maki Jun 16 '23 at 12:49
  • Follow-up on this. Moving the azurerm_user_assigned_identity definitely fixes the cycle error, but I found out that App_Config and Windows Function are specifically asking for MSI access. So back to the cycle error. – Maki Jun 16 '23 at 19:43
0

If you were to use user-assigned managed identities created by the azurerm_user_assigned_identity resource then you could:

  1. Create the user-assigned managed identities using azurerm_user_assigned_identity.
  2. Create the Key Vault.
  3. Call the consuming modules (App_Config, Windows Function, Redis).
simon-pearson
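Putting the three steps above into one root configuration, as an added example that is not simon-pearson's or kavyaS's code (it also covers the per-identity loop the question describes, done in an order that cannot cycle): identities are created first, the vault second, and the standalone azurerm_key_vault_access_policy resources and the consuming module last. The resource group, resource names, location, the ./modules/windows_function module and its input and output names (key_vault_id, user_assigned_identity_ids, system_assigned_principal_id) are assumptions for illustration.

```hcl
# Added example: cycle-free ordering of identities, vault, access policies and
# consuming modules. Names, location and the module path are assumptions.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-kv-cycle-example" # assumed name
  location = "westeurope"          # assumed location
}

# Step 1: user-assigned identities first. They depend only on the resource
# group, so nothing downstream can pull them into a cycle with the vault.
locals {
  workloads = toset(["app_config", "redis"])
}

resource "azurerm_user_assigned_identity" "workload" {
  for_each            = local.workloads
  name                = "id-${each.key}"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# Step 2: the vault, with no inline access_policy block. The azurerm provider
# documents that inline policies and azurerm_key_vault_access_policy resources
# must not be mixed on the same vault, so only the standalone form is used.
resource "azurerm_key_vault" "main" {
  name                       = "kvcycleexample01" # assumed; must be globally unique
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# One policy per user-assigned identity, iterating the identity map the same
# way the question loops over resources. Least privilege: read-only on secrets.
resource "azurerm_key_vault_access_policy" "workload" {
  for_each = azurerm_user_assigned_identity.workload

  key_vault_id       = azurerm_key_vault.main.id
  tenant_id          = each.value.tenant_id
  object_id          = each.value.principal_id
  secret_permissions = ["Get", "List"]
}

# Step 3: the consuming module receives the vault id and the identity ids.
# ./modules/windows_function is a hypothetical module that creates a Windows
# Function App with identity { type = "SystemAssigned, UserAssigned" } and
# outputs the system-assigned principal id as system_assigned_principal_id.
module "windows_function" {
  source = "./modules/windows_function"

  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  key_vault_id               = azurerm_key_vault.main.id
  user_assigned_identity_ids = [azurerm_user_assigned_identity.workload["app_config"].id]
}

# The system-assigned identity exists only after the Function App is created,
# so its policy is a standalone resource fed by the module output. The vault
# never references the module, so the graph is vault -> module -> policy and
# does not loop back.
resource "azurerm_key_vault_access_policy" "function_system" {
  key_vault_id       = azurerm_key_vault.main.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = module.windows_function.system_assigned_principal_id
  secret_permissions = ["Get", "List"]
}
```

Two caveats follow from the answers and the comments. Using only standalone azurerm_key_vault_access_policy resources is what keeps the graph acyclic for the system-assigned identity, but, as the comments on the first answer note, Terraform then tracks only the policies it created: a policy added by hand in the portal is not detected as drift and is not removed on the next apply, so that gap has to be covered by review of the vault's policy list rather than by Terraform. If every identity were user-assigned, an inline access_policy block on azurerm_key_vault with a dynamic block over azurerm_user_assigned_identity.workload would give full tracking without a cycle, because those identities no longer depend on the vault; it cannot be combined with the standalone resources above on the same vault.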