Automation Account - Customer Managed Key - Error on deployment #24926

Closed
XristophD opened this issue Feb 19, 2024 · 4 comments · Fixed by #24977
Comments

@XristophD

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

1.7.3

AzureRM Provider Version

3.92.0

Affected Resource(s)/Data Source(s)

azurerm_automation_account

Terraform Configuration Files

The plan looks as follows; the configuration is organized in modules and would provide too much information:

========================================

# module.automationaccount.azurerm_automation_account.this will be created
  + resource "azurerm_automation_account" "this" {
      + dsc_primary_access_key        = (sensitive value)
      + dsc_secondary_access_key      = (sensitive value)
      + dsc_server_endpoint           = (known after apply)
      + hybrid_service_url            = (known after apply)
      + id                            = (known after apply)
      + local_authentication_enabled  = true
      + location                      = "westeurope"
      + name                          = "aa-infr-dev-weu-002"
      + private_endpoint_connection   = (known after apply)
      + public_network_access_enabled = false
      + resource_group_name           = "rg-infr-dev-weu"
      + sku_name                      = "Basic"

      + encryption {
          + key_vault_key_id = "https://abc-kv-infr-cmk-dev-w.vault.azure.net/keys/aa-infr-dev-weu-002/5d108ffa68b54688becfc7beadba6d62"
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = "SystemAssigned"
        }
    }

Debug Output/Panic Output

│ Error: creating Automation Account (Subscription: "<SubscriptionID>"
│ Resource Group Name: "rg-infr-dev-weu"
│ Automation Account Name: "aa-infr-dev-weu-002"): unexpected status 400 with response: {"code":"BadRequest","message":"Encryption identity is not null then Identity type should be UserAssigned  ."}

Expected Behaviour

The Automation Account is created and the Encryption settings are configured as defined.
Since no User Assigned Identity is provided (in the identity block as well the encryption block), the System Assigned Identity should be used.

Actual Behaviour

The payload for the AZURERM-API call is using a malformed syntax on the managed identity:

2024-02-19T08:35:45.110Z [DEBUG] provider.terraform-provider-azurerm_v3.92.0_x5: AzureRM Request:
PUT /subscriptions//resourceGroups/rg-infr-dev-weu/providers/Microsoft.Automation/automationAccounts/aa-infr-dev-weu-002?api-version=2023-11-01 HTTP/1.1
Host: management.azure.com
User-Agent: HashiCorp/go-azure-sdk (Go-http-Client/1.1 automationaccount/2023-11-01) HashiCorp Terraform/1.7.3 (+https://www.terraform.io/) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.92.0 VSTS_e564b9d1-9ce7-4e9b-8340-069eb7224679_build_42_0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 446
Content-Type: application/json; charset=utf-8
X-Ms-Correlation-Request-Id: 533a30be-cf69-2524-a458-c41c61a0f543
Accept-Encoding: gzip

{"identity":{"type":"SystemAssigned","userAssignedIdentities":null},"location":"westeurope","properties":{"disableLocalAuth":false,"encryption":{"identity":{"userAssignedIdentity":""},"keySource":"Microsoft.Keyvault","keyVaultProperties":{"keyName":"aa-infr-dev-weu-002","keyVersion":"5d108ffa68b54688becfc7beadba6d62","keyvaultUri":"https://pbb-kv-infr-cmk-dev-w.vault.azure.net/"}},"publicNetworkAccess":false,"sku":{"name":"Basic"}},"tags":{}}: timestamp=2024-02-19T08:35:45.110Z

The payload in JSON syntax shows that encryption.identity.userAssignedIdentity is not set to null but to an empty string. Therefore, the API expects a UserAssigned identity.

{
  "identity": { "type": "SystemAssigned", "userAssignedIdentities": null },
  "location": "westeurope",
  "properties": {
    "disableLocalAuth": false,
    "encryption": {
      "identity": { "userAssignedIdentity": "" },
      "keySource": "Microsoft.Keyvault",
      "keyVaultProperties": {
        "keyName": "aa-infr-dev-weu-002",
        "keyVersion": "5d108ffa68b54688becfc7beadba6d62",
        "keyvaultUri": "https://pbb-kv-infr-cmk-dev-w.vault.azure.net/"
      }
    },
    "publicNetworkAccess": false,
    "sku": { "name": "Basic" }
  },
  "tags": {}
}

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response
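As an added illustration (not code from this issue, the provider, or go-azure-sdk), the Go sketch below shows why a plain string field serialises as the `"userAssignedIdentity":""` seen in the logged request while a nil pointer with `omitempty` drops the field entirely, and adds a pre-flight check for the identity-type combination the service answered with 400. The types are hypothetical stand-ins for the relevant parts of the automationAccounts PUT body.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical types mirroring the relevant parts of the automationAccounts
// PUT body from the issue; they are not the go-azure-sdk's own definitions.
type (
	identity struct {
		Type string `json:"type"`
	}
	// Pointer plus omitempty: nil is dropped from the JSON, so the service
	// never sees "userAssignedIdentity":"" when none was configured.
	encryptionIdentity struct {
		UserAssignedIdentity *string `json:"userAssignedIdentity,omitempty"`
	}
	encryption struct {
		Identity  *encryptionIdentity `json:"identity,omitempty"`
		KeySource string              `json:"keySource"`
	}
	body struct {
		Identity   identity   `json:"identity"`
		Encryption encryption `json:"encryption"`
	}
	// buggyEncryptionIdentity uses a plain string: it always serialises and
	// yields the "" that the API rejected with 400 BadRequest.
	buggyEncryptionIdentity struct {
		UserAssignedIdentity string `json:"userAssignedIdentity"`
	}
)

// buildPayload emits the encryption identity sub-block only when a user
// assigned identity id was configured; otherwise the account identity is used.
func buildPayload(identityType, userAssignedID string) (string, error) {
	b := body{Identity: identity{Type: identityType}, Encryption: encryption{KeySource: "Microsoft.Keyvault"}}
	if userAssignedID != "" {
		// Pre-flight check for the combination the service rejects with 400.
		if identityType == "SystemAssigned" {
			return "", fmt.Errorf("encryption identity set but identity type is %q; expected UserAssigned", identityType)
		}
		b.Encryption.Identity = &encryptionIdentity{UserAssignedIdentity: &userAssignedID}
	}
	out, err := json.Marshal(b)
	return string(out), err
}

// buggyPayload reproduces the encryption.identity shape logged in the issue.
func buggyPayload() string {
	out, _ := json.Marshal(buggyEncryptionIdentity{})
	return string(out)
}
```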

@wuxu92 (Contributor)

wuxu92 commented Feb 20, 2024

Hi @XristophD ,

The encryption.identity.userAssignedIdentity is not related to the account's identity block. I think it is required to retrieve the key vault resources, though it is defined as optional.

@XristophD (Author)

Hello @wuxu92, I am not sure if I understand your comment correctly.

I am aware that encryption.identity.userAssignedIdentity is not (directly) related to the account's identity block. But the user-managed identity assigned to encryption.identity.userAssignedIdentity needs to be added to the identity block as well.

Anyway, this is not the issue I am facing right now.

I created a simplified deployment, let me know if you can replicate the issue with this.

Steps to replicate:

  1. Create KeyVault with a Key with the following settings:

{
      name     = "aa-infr-cmktest-weu-01"
      key_type = "RSA"
      key_size = 4096
      key_opts = ["decrypt", "encrypt", "unwrapKey", "wrapKey"]
}

  2. Deploy Automation Account with SystemAssigned identity and reference the key in the encryption settings:

resource "azurerm_automation_account" "aa_github_issue" {
  name                          = "aa-infr-cmktest-weu-01"
  resource_group_name           = "rg-yourresourcegroup-here"
  location                      = "westeurope"
  sku_name                      = "Basic"
  local_authentication_enabled  = false
  public_network_access_enabled = true

  identity {
    type = "SystemAssigned"
  }

  encryption {
    key_vault_key_id = module.kv_weu.keys["aa-infr-cmktest-weu-01"].versionless_id
  }
}

  3. Create Role Assignment to let the system assigned managed identity access the KeyVault Key (we do have RBAC auth enabled on the KeyVault):

resource "azurerm_role_assignment" "aa_github_issue_systemidentity_kv_weu_krypto_svc_encr_user" {
  scope                = module.kv_weu.keys["aa-infr-cmktest-weu-01"].resource_versionless_id
  role_definition_name = "Key Vault Crypto Service Encryption User"                             # Minimal Permission, read/wrap/unwrap
  principal_id         = azurerm_automation_account.aa_github_issue.identity[0].principal_id # System Assigned Managed Identity
}

Since we only use SystemAssigned identities in this setup, we do not have the requirement to set identity.identity_ids or encryption.user_assigned_identity_id information. The latter cannot be set, since it would be a reference to itself; therefore, when the encryption block only sets key_vault_key_id, the system assigned identity should always be used.

This is the first step we need to solve, the later step would be to set identity.type = "SystemAssigned, UserAssigned", assign (multiple) identity.identity_ids and reference either the system assigned identity, or one of the user assigned identities.

@wuxu92 (Contributor)

wuxu92 commented Feb 22, 2024

Thank you for providing the information @XristophD. I have reproduced the issue and created a PR (#24977) to resolve the issue. The steps I used to set encryption with a SystemAssigned identity, as below, should work when the PR is merged:

  1. Create an automation account with no encryption
  2. Create the role assignment to assign the keyvault role to the automation account's identity
  3. Add the encryption block with no user identity specified

@github-actions github-actions bot added this to the v3.93.0 milestone Feb 22, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 23, 2024