stackoom
  简体   繁体   中英

Terraform - How to get App Service object id for azurerm key vault access policy?

 原文  2019-01-14 21:29:55       azure/ terraform/ azure-keyvault

Question

Using Terraform, I am trying to add a keyvault access policy to an application (that is also created in Terraform), which requires an object_it (which is GUID) of that application. In ARM template it looks like this:

 "objectId": "[reference(variables('myAppResourceId'), '2015-08-31-PREVIEW').principalId]"

so Terraform needs the principal id there to be assigned to the object_id . If I use the value "object_id = ${azurerm_app_service.myApp.id}" like this:

  resource "azurerm_key_vault_access_policy" "pol1" {
  vault_name          = "${azurerm_key_vault.kv1.name}"
  resource_group_name = "${azurerm_key_vault.kv1.resource_group_name}"

  tenant_id = "${data.azurerm_subscription.current.subscription_id}"
  object_id = "${azurerm_app_service.myApp.id}"

  key_permissions = "${var.app_keys_permissions}"
  secret_permissions = "${var.app_secrets_permissions}"
}

then when I run apply command, I get the following error:

azurerm_key_vault_access_policy.pol1: "object_id" is an invalid UUUID: encoding/hex: invalid byte: U+002F '/'

this is probably the id that looks like an url with a slash,so this does not work, since I need the GUID only.

I tried also a suggestion from Terraform grant azure function app with msi access to azure keyvault , by using object_id = "${lookup(azurerm_app_service.app1.identity[0],"principal_id")}" for an app service instead of the function and I get an error:

 azurerm_key_vault_access_policy.appPolicy1: At column 43, line 1: list "azurerm_app_service.app1.identity" does not have any elements so cannot determine type. in:

${lookup(azurerm_app_service.app1.identity[0],"principal_id")}

could someone help me with this object_id please?

thanks

1 answers

solution1
 11 ACCPTED  2019-01-15 01:04:33

When you read the description for azurerm_key_vault_access_policy property object_id , then you should know it could mean the web app principal Id.

And the azurerm_app_service.myApp.id that you put is not the principal Id, it's the app service resource Id. You should put the azurerm_app_service.myApp.identity.principal_id that associated with your web app. Take a look at the Attributes of the App Service Resource . Hope this will help you.

However, something not mentionned in the documentation is the need to specify an identity block in your app_service declaration.

identity { type = "SystemAssigned" }

If you don't specify it, you might get an empty list as identity attribute.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Terraform azurerm_key_vault - Access policy raising errors My Terraform Service Principal gets a 403 access error on Key Vault even though I added an access policy for it Terraform Azurerm Recovery Services Vault Backup Policy Format Error Terraform Apply throwing error related to access policy with Azure Key Vault Unable to get access to Key Vault using Azure MSI on App Service How to specify .net core version with Terraform azurerm_app_service How to access key vault from azure app service In Terraform Azure azurerm, How to get App Config Connection String? Make Terraform azurerm_key_vault_certificate module create a new version of Key Vault Certificate Error when appending multiple key_vault_access_policy in a key_vault resource - resource needs to be imported into the State - Terraform / Azure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM