
I have an Azure KeyVault with 4 Access Policies. Each Access Policy has its own unique ObjectId.

In trying to import our legacy Azure resources into a Terraform configuration, I've therefore created a Terraform block like the one below.

resource "azurerm_key_vault" "example" {
  name                = "examplekeyvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
}

resource "azurerm_key_vault_access_policy" "policy1" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "001" # dummy ObjectId; the real value is a GUID and must be a string

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

The above worked okay and I was able to import "policy1" successfully.

However, when I then replicated the policy block and appended it with the next policy like the one below, it just doesn't appear to accept it as a properly formed Terraform configuration. My intention is obviously to import all four policies (if that is possible).

resource "azurerm_key_vault" "example" {
  name                = "examplekeyvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
}

resource "azurerm_key_vault_access_policy" "policy1" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "001" # dummy ObjectId; the real value is a GUID and must be a string

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

resource "azurerm_key_vault_access_policy" "policy2" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "002" # dummy ObjectId; the real value is a GUID and must be a string

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

In both of the above illustrations, I've only used dummy ObjectIds.

Am I doing this entirely the wrong way or is it just not possible to import multiple policies into one Terraform config? The Terraform registry documentation meanwhile says Azure permits a maximum of 1024 Access Policies per Key Vault.

  • "it just doesn't appear to accept it as a properly formed Terraform configuration" what does that mean? Include the error message in your question! Commented Sep 16, 2021 at 17:03
  • What is the error you are getting? Commented Sep 16, 2021 at 22:08
  • Well, it all turned out to be a red herring. I got it working eventually... and yes, appending those multiple access policy blocks worked, once I'd completed the imports. Commented Sep 17, 2021 at 9:49
  • Hello @hitman126, could you please post your solution as an answer. This will be beneficial for other community members who come across the same issue. Commented Sep 17, 2021 at 16:29
  • Hello @AnsumanBal-MT, so in the end, my proposed solution of simply appending additional policy blocks to the key vault access policy as depicted in my second code snippet appeared to work, as my subsequent Terraform Plan and Apply went well without any errors reported. I can only therefore conclude and/or assume that it was a correct solution. Commented Sep 19, 2021 at 9:41

1 Answer

In the end, my proposed solution of simply appending additional policy blocks to the key vault access policy as depicted in my second code snippet (above), appeared to work, as my subsequent Terraform Plan and Apply went well without any errors reported.

I can only therefore conclude and/or assume that appending those additional policy blocks was a correct solution after all.
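The approach in the answer works, but with four (or more) principals the repeated resource blocks are easier to keep consistent if a single resource iterates over a map. The configuration below is an added example and is not the asker's code: it reuses the azurerm_key_vault.example and data.azurerm_client_config.current references from the question, while the map keys, object IDs, permission lists, and the subscription and resource group in the import command are placeholders. The import ID format is the azurerm provider's documented form for this resource (vault resource ID followed by objectId/<object-id>), assumed here rather than taken from the page.

```hcl
# Added example, not the asker's configuration: one
# azurerm_key_vault_access_policy resource per principal, driven by for_each.
# Every map key, object ID and permission list here is a placeholder.

locals {
  # Keyed by a stable, human-readable name so that the resource address
  # (and therefore the state entry) does not change if an object ID is replaced.
  key_vault_policies = {
    "app-reader" = {
      object_id          = "00000000-0000-0000-0000-000000000001" # placeholder GUID
      key_permissions    = ["Get"]
      secret_permissions = ["Get"]
    }
    "ci-deployer" = {
      object_id          = "00000000-0000-0000-0000-000000000002" # placeholder GUID
      key_permissions    = ["Get", "List"]
      secret_permissions = ["Get", "List", "Set"]
    }
  }
}

resource "azurerm_key_vault_access_policy" "this" {
  for_each = local.key_vault_policies

  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = each.value.object_id

  # Each principal gets only the permissions its own entry lists; nothing is
  # widened to a shared superset just to keep the configuration short.
  key_permissions    = each.value.key_permissions
  secret_permissions = each.value.secret_permissions
}

# Importing the existing policies means one import per map key. The address
# form and the objectId-suffixed resource ID follow the azurerm provider's
# documented import format (assumed here); <subscription-id> and <rg> are
# placeholders:
#
#   terraform import 'azurerm_key_vault_access_policy.this["app-reader"]' \
#     "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/examplekeyvault/objectId/00000000-0000-0000-0000-000000000001"
#
# After the last import, `terraform plan` should report no changes. Any
# permission change it proposes at that point is real drift between the vault
# and the configuration and is worth reviewing before apply.
```

Quoting the address is required because of the double quotes inside the map key. A clean plan after the imports is the actual check that the configuration matches what is deployed; a plan that wants to add or remove permissions means either the map or the vault is wrong, and in an access-control resource that is worth deciding deliberately rather than letting apply settle it.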


1 Comment

Have you thought about using dynamic blocks? It will provide a nicer way to provide the access policy (especially if you have the same permission for each object id) terraform.io/language/expressions/dynamic-blocks
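The dynamic-block variant the comment refers to puts the policies inline on the vault rather than in separate resources. The following is an added example, not the commenter's or the asker's code: it keeps the azurerm_key_vault.example block from the question and adds a dynamic access_policy block fed from a variable; var.reader_object_ids and its default values are placeholders.

```hcl
# Added example, not from the question, answer or comment: the same policies
# as inline access_policy blocks on the vault, generated by a dynamic block.
# The variable name and its default values are placeholders.

variable "reader_object_ids" {
  description = "Object IDs of principals allowed to read keys and secrets (placeholders)."
  type        = set(string)
  default = [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
  ]
}

resource "azurerm_key_vault" "example" {
  name                = "examplekeyvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"

  # One access_policy block per object ID, all with the same read-only
  # permission set, which is the case the comment describes.
  dynamic "access_policy" {
    for_each = var.reader_object_ids
    content {
      tenant_id          = data.azurerm_client_config.current.tenant_id
      object_id          = access_policy.value
      key_permissions    = ["Get"]
      secret_permissions = ["Get"]
    }
  }
}
```

The two styles are not interchangeable on one vault: the azurerm provider documents that inline access_policy blocks and separate azurerm_key_vault_access_policy resources must not both manage the same vault, because each will try to undo the other's changes. The inline form has a useful property for access control: Terraform owns the complete policy list, so a policy granted outside Terraform shows up in the next plan as a removal, whereas with separate resources an out-of-band grant is never seen by plan. Since the asker has already imported the policies as separate resources, moving to the inline form would mean removing those resources from state before the vault's own state is refreshed, so it is a choice to make once rather than mix.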
