terraform-provider-azure

How can I use Terraform to create a key vault access policy for my azurerm_windows_function_app_slot?


I created a resource azurerm_windows_function_app_slot.

data "azurerm_windows_function_app" "reconciliationFunctionApp" {
  name                = "${local.funcprefix}-func"
  resource_group_name = data.azurerm_resource_group.lp.name
}
resource "azurerm_windows_function_app_slot" "reconciliationFuncSlot" {
  name                 = local.slot
  function_app_id      = data.azurerm_windows_function_app.reconciliationFunctionApp.id
  storage_account_name = azurerm_storage_account.lpstorage.name

  site_config {}

  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
}

It's working.

Now I need to reference it when creating an azurerm_key_vault_access_policy. Is there a work-around I can use to create this policy?

resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
   key_vault_id = azurerm_key_vault.lp.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = azurerm_windows_function_app_slot.reconciliationFuncSlot.identity[0].principal_id

   secret_permissions = [
     "Get",
     ...

What I have tried so far: First, as you can see above, I tried directly referencing the slot resource. That did not work and gives the error 'error: Missing required argument object_id'.

Next I found this work-around https://github.com/hashicorp/terraform-provider-azurerm/issues/19316 and this answer https://stackoverflow.com/a/74096990/2256149 which led me to try this:

data "azurerm_windows_function_app" "reconciliationFuncSlot" {
  name = "${data.azurerm_windows_function_app.reconciliationFunctionApp.name}/slots/${azurerm_windows_function_app_slot.reconciliationFuncSlot.name}"
  resource_group_name = data.azurerm_resource_group.lp.name
  depends_on   = [azurerm_windows_function_app_slot.reconciliationFuncSlot]
}

resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
   key_vault_id = azurerm_key_vault.lp.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = data.azurerm_windows_function_app.reconciliationFuncSlot.identity[0].principal_id

   secret_permissions = [
     "Get",
     ...

But that also produces an error. "Error: 'name' may only contain alphanumeric characters and dashes and up to 60 characters in length"

Any suggestions about how I can create a key vault access policy for my function app slot? Thanks!


Solution

  • Create a key vault access policy for my azurerm_windows_function_app_slot using terraform.

    The GitHub and SO links you shared seem to use a data module to call the windows_function_app, which is not required to achieve the requirement.

    In the second try you mentioned

     name = "${data.azurerm_windows_function_app.reconciliationFunctionApp.name}/slots/${azurerm_windows_function_app_slot.reconciliationFuncSlot.name}"
    

    in the data module, which is actually not required in this scenario, as this configuration does not need the data module: we directly refer to the identity in the policy, so there is no need to call it again with a data module. In this module, the name you refer to is causing the error, as it differs from the actual name and does not follow the naming convention mentioned in the error description. If the windows_function_app already exists, refer to the correct name and don't refer to the function_app slot name as the function_app.

    I tried the updated configuration with necessary changes as mentioned below

    Configuration:

    resource "azurerm_windows_function_app_slot" "reconciliationFuncSlot" {
      name                       = "vksb-slot"
      function_app_id            = azurerm_windows_function_app.reconciliationFunctionApp.id
      storage_account_name       = azurerm_storage_account.lpstorage.name
    
      site_config {}
    
      identity {
        type = "SystemAssigned"
      }
    }
    
    
    resource "azurerm_key_vault" "lp" {
      name                        = "vksbbs-key-vault"
      location                    = azurerm_resource_group.lp.location
      resource_group_name         = azurerm_resource_group.lp.name
      tenant_id                   = data.azurerm_client_config.current.tenant_id
      sku_name                    = "standard"
      purge_protection_enabled    = true
    }
    
    
    resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
      key_vault_id      = azurerm_key_vault.lp.id
      tenant_id         = data.azurerm_client_config.current.tenant_id
      object_id         = azurerm_windows_function_app_slot.reconciliationFuncSlot.identity[0].principal_id
    
      secret_permissions = [
        "Get",
        "List",
      ]
    
      depends_on = [ azurerm_key_vault.lp, azurerm_windows_function_app_slot.reconciliationFuncSlot ]
    }
    

    Deployment:


    Refer:

    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app_slot

    azurerm_key_vault_access_policy | Resources | hashicorp/azurerm | Terraform | Terraform Registry
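As an added example (not code from the question, the answer, or the azurerm provider docs): the slot's system-assigned identity is referenced directly as the answer does, with a `lifecycle` precondition that fails with an explicit message if the slot's identity yields an empty `principal_id` (which otherwise surfaces only as a missing `object_id` argument on the policy), and an output to cross-check against the key vault after apply. It assumes the function app, storage account, key vault and `azurerm_client_config` data source are declared elsewhere as in the answer; the slot name `staging` is a placeholder.

```terraform
# Added example, not from the question or answer. Names are hypothetical and the
# function app, storage account, key vault and client config exist elsewhere.

resource "azurerm_windows_function_app_slot" "reconciliationFuncSlot" {
  name                 = "staging"
  function_app_id      = azurerm_windows_function_app.reconciliationFunctionApp.id
  storage_account_name = azurerm_storage_account.lpstorage.name

  site_config {}

  # System-assigned only: no identity_ids list, as in the answer's config.
  identity {
    type = "SystemAssigned"
  }
}

locals {
  # one() returns null when the identity block is absent, so the precondition
  # below reports that case explicitly instead of passing "" into object_id.
  slot_principal_id = one(azurerm_windows_function_app_slot.reconciliationFuncSlot.identity[*].principal_id)
}

resource "azurerm_key_vault_access_policy" "reconciliationFunc" {
  key_vault_id = azurerm_key_vault.lp.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = local.slot_principal_id

  # Least privilege: the slot only needs to read secrets, so grant Get alone.
  secret_permissions = ["Get"]

  lifecycle {
    precondition {
      condition     = local.slot_principal_id != null && local.slot_principal_id != ""
      error_message = "Slot identity principal_id is empty; check the slot's identity block (type = \"SystemAssigned\")."
    }
  }
}

output "slot_principal_id" {
  description = "Object ID to look for in the key vault's access policies after apply."
  value       = local.slot_principal_id
}
```

After `terraform apply`, the value of `slot_principal_id` should appear as an `objectId` entry in the key vault's access policies; if it does not, the policy was bound to a different identity.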