
azurerm_key_vault: Documentation says application_id is optional, but gives a required error #11728

Open
TheFlyingArcher opened this issue May 14, 2021 · 3 comments

Comments

@TheFlyingArcher

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform 0.15.3
AzureRM 2.59

Affected Resource(s)

  • azurerm_key_vault

Terraform Configuration Files

resource "azurerm_key_vault" "key_vault" {
  name                            = format("%s-kv-%s", var.name, var.namespace)
  location                        = var.location
  resource_group_name             = azurerm_resource_group.usq_rg.name
  enabled_for_deployment          = true
  enabled_for_disk_encryption     = true
  enabled_for_template_deployment = true
  enable_rbac_authorization       = false
  purge_protection_enabled        = true
  sku_name                        = "standard"
  tenant_id                       = data.azurerm_client_config.config.tenant_id

  access_policy = [{
    certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "Recover", "Restore", "SetIssuers", "Update"]
    key_permissions         = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
    object_id               = data.azurerm_client_config.config.object_id
    secret_permissions      = ["Backup", "Delete", "Get", "List", "Recover", "Restore", "Set"]
    storage_permissions     = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
    tenant_id               = data.azurerm_client_config.config.tenant_id
  }]
}

Debug Output

│   on _modules/ca_azure/main.tf line 18, in resource "azurerm_key_vault" "key_vault":
│   18:   access_policy = [{
│   19:     certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "Recover", "Restore", "SetIssuers", "Update"]
│   20:     key_permissions         = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
│   21:     object_id               = data.azurerm_client_config.config.object_id
│   22:     secret_permissions      = ["Backup", "Delete", "Get", "List", "Recover", "Restore", "Set"]
│   23:     storage_permissions     = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
│   24:     tenant_id               = data.azurerm_client_config.config.tenant_id
│   25:   }]
│     ├────────────────
│     │ data.azurerm_client_config.config.object_id will be known only after apply
│     │ data.azurerm_client_config.config.tenant_id will be known only after apply
│
│ Inappropriate value for attribute "access_policy": element 0: attribute "application_id" is required.

Expected Behaviour

The application_id in the access_policy block is marked as optional or the documentation is updated to reflect changed behavior

Actual Behaviour

See the Debug Output. It produces an error contrary to what the documentation says.

Steps to Reproduce

  1. Grab the example above and slap it in a configuration
  2. Run either terraform apply or terraform init && terraform plan
@TheFlyingArcher
Author

UPDATE: I don't get the bug using azurerm_key_vault_access_policy so that's a viable workaround. Should we be using the dedicated resource if it exists rather than inline blocks in the "parent" resource? I kind of went through similar with Front Door not too long ago.

@ArcturusZhang
Contributor

Hi @bcline760, thanks for this issue!

Actually, this does not come from the resource but from an issue with the usage of the Terraform config language.
The implementation of azurerm_key_vault has application_id as optional; you can check the implementation here: https://github.com/terraform-providers/terraform-provider-azurerm/blob/d155f299d12e6e2440f42d7c8695569f8256b9c6/azurerm/internal/services/keyvault/key_vault_resource.go#L116

Terraform pops this out because you are using an object array and assigning it to access_policy. During the assignment, maybe Terraform is checking whether the object you input matches the definition of the assignee (I am only guessing) and raises this error. To solve this, you can either use the block syntax as follows:

resource "azurerm_key_vault" "key_vault" {
  # omitted irrelevant attributes

  access_policy {
    certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "Recover", "Restore", "SetIssuers", "Update"]
    key_permissions         = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
    object_id               = data.azurerm_client_config.config.object_id
    secret_permissions      = ["Backup", "Delete", "Get", "List", "Recover", "Restore", "Set"]
    storage_permissions     = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
    tenant_id               = data.azurerm_client_config.config.tenant_id
  }
}

Or you can add the application_id to your self-defined object like this:

resource "azurerm_key_vault" "key_vault" {
  # omitted irrelevant attributes

  access_policy = [{
    certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "Recover", "Restore", "SetIssuers", "Update"]
    key_permissions         = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
    object_id               = data.azurerm_client_config.config.object_id
    secret_permissions      = ["Backup", "Delete", "Get", "List", "Recover", "Restore", "Set"]
    storage_permissions     = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
    tenant_id               = data.azurerm_client_config.config.tenant_id

    application_id = null
  }]
}

Both of the above approaches solve your issue.

If these two solutions work for you, please let me know so that I can close this issue.

@y-melo

y-melo commented Jul 16, 2021

Had the same issue trying to set up permissions for AKS.
@ArcturusZhang Option 2 worked for me.

# omitted irrelevant attributes
access_policy = [{
  tenant_id               = azurerm_kubernetes_cluster.aks.identity[0].tenant_id
  object_id               = azurerm_kubernetes_cluster.aks.identity[0].principal_id
  key_permissions         = ["Get"]
  secret_permissions      = ["Get"]

  application_id          = null
  storage_permissions     = []
  certificate_permissions = []
}]

FYI:
I'm setting up more than one access_policy, and before I came here I tried to use the resource azurerm_key_vault_access_policy,
but it creates the first policy, then overwrites it with the latest one. I didn't try to reproduce (because this workaround worked), but it seems to be an issue.
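Bringing the two threads above together (the block syntax that lets an optional attribute such as application_id be omitted, and the need to attach more than one policy to a vault), the following is an added example; it is not code from this issue or from the AzureRM provider. It assumes var.location and var.resource_group_name exist, and that an azurerm_kubernetes_cluster named aks with a system-assigned identity is defined elsewhere, as in the comment above; the vault name and the label keys in the map are placeholders. A dynamic block over a local map keeps each principal to the permissions it actually needs, and application_id is only set where a policy defines it.

```hcl
# Added example (not from the issue or the provider). Several least-privilege
# access policies on one Key Vault, written with the block syntax via a dynamic
# block so optional attributes may be left out per principal.

data "azurerm_client_config" "current" {}

locals {
  # Constructed map: key = label for the principal, value = its policy.
  # Entries may omit attributes; lookup() below supplies the defaults.
  access_policies = {
    operator = {
      object_id          = data.azurerm_client_config.current.object_id
      key_permissions    = ["Get", "List", "Create", "Delete", "Recover", "Backup", "Restore"]
      secret_permissions = ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore"]
    }
    aks_workload = {
      # Assumes azurerm_kubernetes_cluster.aks exists with a system-assigned identity.
      object_id          = azurerm_kubernetes_cluster.aks.identity[0].principal_id
      key_permissions    = ["Get"]
      secret_permissions = ["Get"]
    }
  }
}

resource "azurerm_key_vault" "example" {
  name                       = "example-kv-placeholder"   # placeholder name
  location                   = var.location               # assumed variable
  resource_group_name        = var.resource_group_name    # assumed variable
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  dynamic "access_policy" {
    for_each = local.access_policies
    content {
      tenant_id = data.azurerm_client_config.current.tenant_id
      object_id = access_policy.value.object_id

      # In block syntax, null is the same as leaving the attribute out, which is
      # exactly what the object-list form in the issue does not allow.
      application_id          = lookup(access_policy.value, "application_id", null)
      key_permissions         = lookup(access_policy.value, "key_permissions", [])
      secret_permissions      = lookup(access_policy.value, "secret_permissions", [])
      certificate_permissions = lookup(access_policy.value, "certificate_permissions", [])
      storage_permissions     = lookup(access_policy.value, "storage_permissions", [])
    }
  }
}
```

One caveat worth checking before adopting either form: the provider documents that a vault's policies should be managed either with inline access_policy blocks or with separate azurerm_key_vault_access_policy resources, never both on the same vault, because each form removes the entries the other created on the next apply. Keeping all policies in one place, as the map above does, also makes it easy to review who holds which permissions.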
