
azurerm_client_config not returning object_id expected "access_policy.0.object_id" to be a valid UUID #17039

Closed
1 task done
dapolloxp opened this issue May 31, 2022 · 6 comments
@dapolloxp

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.0.3

AzureRM Provider Version

3.8.0

Affected Resource(s)/Data Source(s)

azurerm_client_config

Terraform Configuration Files

data "azurerm_client_config" "current" {}

data "http" "myip" {
  url = "http://ipv4.icanhazip.com"
}

resource "azurerm_key_vault" "vault" {
  name                = var.keyvault_name
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled        = false
  soft_delete_retention_days      = 7
  enabled_for_template_deployment = true
  enabled_for_deployment          = true


  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules = [
      "${chomp(data.http.myip.body)}/32"
    ]

  }

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id # <-- generates the error
    certificate_permissions = [
      "Backup",
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "Recover",
      "Restore",
      "SetIssuers",
      "Update"
    ]

    key_permissions = [
      "List",
      "Encrypt",
      "Decrypt",
      "WrapKey",
      "UnwrapKey",
      "Sign",
      "Verify",
      "Get",
      "Create",
      "Update",
      "Import",
      "Backup",
      "Restore",
      "Recover",
      "Delete",
      "Purge"
    ]

    secret_permissions = [
      "List",
      "Get",
      "Set",
      "Backup",
      "Restore",
      "Recover",
      "Purge",
      "Delete"
    ]

    storage_permissions = [
      "Backup",
      "Delete",
      "DeleteSAS",
      "Get",
      "GetSAS",
      "ListSAS",
      "Purge",
      "Recover",
      "RegenerateKey",
      "Restore",
      "Set",
      "SetSAS",
      "Update"
    ]

  }

}
resource "azurerm_private_endpoint" "keyvault-endpoint" {
  name                = "keyvault-endpoint"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.shared_subnetid

  private_service_connection {
    name                           = "kv-private-link-connection"
    private_connection_resource_id = azurerm_key_vault.vault.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }

  private_dns_zone_group {
    name                 = var.kv_private_zone_name
    private_dns_zone_ids = [var.kv_private_zone_id]
  }
}

Debug Output/Panic Output

Error: expected "access_policy.0.object_id" to be a valid UUID, got 
│ 
│   with module.hub_keyvault.azurerm_key_vault.vault,
│   on ../../modules/key_vault/main.tf line 32, in resource "azurerm_key_vault" "vault":
│   32:     object_id = data.azurerm_client_config.current.object_id

Expected Behaviour

object_id should be populated with the proper ID

Actual Behaviour

object_id is not present in state show

data "azurerm_client_config" "current" {
client_id = "04b07795-8ddb-461a-bbee-xxxxxxxxxxxxx"
id = "2022-05-31 18:08:40.380213 +0000 UTC"
subscription_id = "90376dc6-e4a0-49c3-930d-xxxxxxxxxxxxx"
tenant_id = "fb3a99b4-c0f5-4c61-9f05-xxxxxxxxxxxxx"
}

Steps to Reproduce

terraform apply using the azurerm_client_config should easily repro

Important Factoids

No response

References

No response
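An added example (not part of the original issue or the provider's own code) showing how to make this failure mode surface at plan time with an actionable message, and how to allow an explicit override of the caller's object ID; `var.admin_object_id`, `local.caller_object_id` and `local.uuid_regex` are hypothetical names introduced here. It assumes Terraform 1.2 or later, which is where `precondition` blocks became available.

```hcl
data "azurerm_client_config" "current" {}

# Hypothetical override: set this when the provider cannot resolve the
# signed-in identity (the empty object_id seen in this issue).
variable "admin_object_id" {
  type    = string
  default = ""
}

locals {
  uuid_regex = "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"

  # Prefer the explicit value; fall back to what the provider resolved.
  caller_object_id = var.admin_object_id != "" ? var.admin_object_id : data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault" "vault" {
  name                = var.keyvault_name
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = local.caller_object_id
    secret_permissions = ["Get", "List"]
  }

  lifecycle {
    # Fail during plan with a clear message instead of the bare
    # 'expected "access_policy.0.object_id" to be a valid UUID, got ' error.
    precondition {
      condition     = can(regex(local.uuid_regex, local.caller_object_id))
      error_message = "Caller object_id is empty or not a UUID ('${local.caller_object_id}'). azurerm_client_config did not resolve the signed-in identity; check the Azure CLI login/version or set var.admin_object_id explicitly."
    }
  }
}

# Surface the resolved identity so an empty value is visible in plan output.
output "key_vault_admin_object_id" {
  value = local.caller_object_id
}
```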

@dapolloxp dapolloxp added the bug label May 31, 2022
@github-actions github-actions bot removed the bug label May 31, 2022
@rjhornsby

rjhornsby commented Jun 1, 2022

Hitting what I strongly suspect is the same issue. Same error message trying to use the value data.azurerm_client_config.current.object_id while trying to build an azurerm_key_vault resource.

Edit: I stand corrected. I don't understand the cause, but while trying to track down the source of the problem, I was able to reproduce the OP's issue where the data.azurerm_client_config.current state is somehow missing the object_id attribute.

Edit 2: Dammit, Microsoft. The client_config.current I have working is not in fact azurerm_client_config, but rather the nearly identically named -- but completely different -- azuread_client_config, so that bit of trivia was also wrong.

If I replace data.azurerm_client_config.current.object_id with a string literal in the azurerm_key_vault resource block, everything seems to be fine. Some kind of really weird interaction between the data and the key_vault resource seems to be happening here that doesn't make much sense.

Original remarks below:

This may be a problem specifically with the azurerm_key_vault resource, but of course could be bugged elsewhere. This reference to object_id seems to behave correctly:

resource "azuread_application" "vault-instance-auth" {
  display_name = "vault-instance-auth"
  owners       = [data.azuread_client_config.current.object_id]
  ...

The object_id is definitely showing up in the state for me, but if data.azuread_client_config.current is not already in the state (i.e. from a previous terraform apply), trying to use object_id in the azurerm_key_vault causes terraform to bail out early before writing that client_config to the state, so trying to look it up with terraform state show ... errors.

Even if the state is correctly [already] populated for data.azuread_client_config.current, trying to use object_id in the azurerm_key_vault resource results in the fatal error described by the OP.

@madelaney

I'm seeing this from tf1.2.1 on macOS:

tf -version
Terraform v1.2.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azurerm v2.99.0

charleslin-appd added a commit to charleslin-appd/k8s-lab that referenced this issue Jun 1, 2022
@tomaxsas

tomaxsas commented Jun 2, 2022

Same here after updating the provider from 2.99 to 3.8.0 with the latest Terraform 1.2.1.

@ecoffman

ecoffman commented Jun 2, 2022

I am having this issue in a new project. I am running 1.2.2.

This is the output I am seeing:

 Error: expected "access_policy.0.object_id" to be a valid UUID, got
│
│   with module.key_vault_staging.azurerm_key_vault.key_vault,
│   on modules\key_vault\main.tf line 7, in resource "azurerm_key_vault" "key_vault":
│    7: resource "azurerm_key_vault" "key_vault" {
│
╵
╷
│ Error: expected "access_policy.0.object_id" to be a valid UUID, got
│
│   with module.key_vault_production.azurerm_key_vault.key_vault,
│   on modules\key_vault\main.tf line 7, in resource "azurerm_key_vault" "key_vault":
│    7: resource "azurerm_key_vault" "key_vault" {

This also happens in tf 1.1.3.

@tombuildsstuff
Contributor

Duplicate of #16982 - this is a breaking change within the Azure CLI.

@github-actions

github-actions bot commented Jul 3, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 3, 2022