Terraform - force refresh of credentials?
As a part of my Terraform I'm attempting to execute following flow:
- Create Azure Key Vault with RBAC Security enabled (enable_rbac_authorization = true)
- Grant Service Principal that is running the script "Key Vault Administrator" or any other Key Vault RBAC related role that let's it write secrets to Key Vault on KV created in step 1
- Create a resource that includes generating a random password (ex. password for Virtual Machine admin account)
- Write that random password to secret created in step 1.
Code looks as follows:
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "kv" {
name = var.name
location = var.location
resource_group_name = var.resource_group_name
sku_name = var.sku_name
enabled_for_disk_encryption = true
enabled_for_template_deployment = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = var.soft_delete_retention_days
purge_protection_enabled = true
enable_rbac_authorization = var.enable_rbac_authorization
public_network_access_enabled = var.public_network_access_enabled
tags = merge({ StartDate = formatdate("DD-MM-YYYY", time_static.time.rfc3339) }, var.env_tags)
lifecycle {
ignore_changes = [tags]
}
}
resource "azurerm_role_assignment" "kv_admin" {
count = var.vars_dataintelligence.dwh-keyvault.enable_rbac_authorization ? 1 : 0
scope = module.kv-dataintelligence.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
}
... long code that creates VM here ....
resource "azurerm_key_vault_secret" "admin_password_secret" {
name = format("%s-%s", azurerm_windows_virtual_machine.name, "admin-pswd")
key_vault_id = azurerm_key_vault.id
value = azurerm_windows_virtual_machine.admin_password
depends_on = [azurerm_role_assignment.kv_admin]
}
Unfortunately, due to how Azure credentials work, I'm getting an error that Service Principal doesn't have an access to said Key Vault to be able to add that credential and "if access was recently granted refresh your credentials". If I re-run the flow secrets get added correctly (since Service Principal now refreshes its credentials), but that's not a perfect state since on execution 1 I will always get error.
One workaround that comes to mind is preemptively granting Service Principal needed access on a higher scope (Resource Group/Subscription) prior to running TF, but that also doesn't sound like ideal scenario, but slowly starting to think that this might be the only play I have.
Alternatively, could try to implement logic of single restart in case pipeline that runs the script fails on first time (GitHub Actions in our case).
Any suggestions/help as always appreciated
Creating a VM using random password that was stored in keyvault in terraform.
This requirement doesn't force to run the deployment command twice as it occurs due to permission issue of the user or SP to assign the role in the first place.
I know the key vault administrator alone will create the privilege to the user or SP but the assigning that role you need user access administrator role. The role will provide the access to assign role across different scopes.
My privileges to achieve this requirement in one go
The way you're referring the VM password to while creating the secret also needs to be modified.
Configuration:
variable "vm_admin_password" {
description = "The admin password for the VM."
type = string
sensitive = true
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "rg" {
name = "testvk-resources"
location = "East US"
}
resource "azurerm_key_vault" "kv" {
name = "testtvskkv12345"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = true
enable_rbac_authorization = true
public_network_access_enabled = true
enabled_for_disk_encryption = true
enabled_for_template_deployment = true
}
resource "azurerm_role_assignment" "kv_admin" {
scope = azurerm_key_vault.kv.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
}
resource "azurerm_windows_virtual_machine" "vm" {
name = "testvkvm"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
network_interface_ids = [azurerm_network_interface.nic.id]
size = "Standard_D2_v2"
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
computer_name = "hostname"
admin_username = "adminuser"
admin_password = var.vm_admin_password
depends_on = [ azurerm_role_assignment.kv_admin ]
}
resource "azurerm_network_interface" "nic" {
name = "testvk-nic"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.subnet.id
private_ip_address_allocation = "Dynamic"
}
}
resource "azurerm_subnet" "subnet" {
name = "subnet1"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.2.0/24"]
}
resource "azurerm_virtual_network" "vnet" {
name = "testvk-vnet"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
address_space = ["10.0.0.0/16"]
}
resource "azurerm_key_vault_secret" "admin_password_secret" {
name = "admin-password"
key_vault_id = azurerm_key_vault.kv.id
value = var.vm_admin_password
depends_on = [azurerm_role_assignment.kv_admin]
}
Deployement:
Refer:
azurerm_key_vault_secret | Resources | hashicorp/azurerm | Terraform | Terraform Registry
azurerm_windows_virtual_machine | Resources | hashicorp/azurerm | Terraform | Terraform Registry
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?