fancy-artist-45287
03/21/2023, 11:46 AM
rapid-engineer-94232
03/21/2023, 1:40 PM
fancy-artist-45287
03/21/2023, 2:31 PM
melodic-tomato-39005
03/21/2023, 3:47 PM
fancy-artist-45287
03/21/2023, 3:48 PM
NOTE: It's possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
Seemed to me like this led to issues with my policies defined when creating the key vault, so I changed to adding access policies with the azure classic approach, but then I get the error that no access policy is defined when trying to create the key vault 🤦♂️
azure:keyvault:Secret (storage-fa-dev.DataLakeConnectionString):
error: 1 error occurred:
* A resource with the ID "https://kv-dev.vault.azure.net/secrets/storage-fa-dev-DataLakeConnectionString/11135227962c" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.
However doing a pulumi refresh does not help, and I have also resorted to deleting the whole keyvault, access policies, secrets etc., and then doing a pulumi refresh before pulumi up, and I keep getting this error 🤷♂️ I guess TF keeps some kind of state also, but how do I refresh that state if pulumi doesn't do it for me?
blue-potato-57538
03/22/2023, 2:28 PM
fancy-artist-45287
03/22/2023, 2:29 PM
pulumi up multiple times sometimes removes and adds policies even though nothing has changed in the code, as it seems to get confused after a pulumi refresh.
However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
Guess it's related to this note in the azure classic docs
blue-potato-57538
03/22/2023, 2:32 PM
fancy-artist-45287
03/22/2023, 2:34 PM
blue-potato-57538
03/22/2023, 2:35 PM
fancy-artist-45287
03/22/2023, 2:43 PM
// Dependency sketch (pseudocode): the access policy for the app's identity depends on both the vault and the app
const kv = new keyvault();
const account = new storageaccount();
const secret = new secret(kv.id, account.connectionstring);
const app = new appservice();
const setting = new appsetting(app.id, secret.id);
const policy = new accesspolicy(kv.id, app.id, ['Get']);
blue-potato-57538
03/22/2023, 4:21 PM
fancy-artist-45287
03/22/2023, 4:22 PM
blue-potato-57538
03/22/2023, 4:26 PM
import * as azure_native from "@pulumi/azure-native";

const userAssignedIdentity = new azure_native.managedidentity.UserAssignedIdentity("userAssignedIdentity", {
    location: "westeurope",
    resourceGroupName: "1111111111111111111111111111111111",
    resourceName: "1111111111111111111111111111111111",
});

const kv1 = new azure_native.keyvault.Vault("kv1", {
    location: "westeurope",
    // Required by the Vault resource; placeholder value as above, supply your own resource group
    resourceGroupName: "1111111111111111111111111111111111",
    properties: {
        // Required: the AAD tenant that owns the vault (placeholder, as above)
        tenantId: "1111111111111111111111111111111111",
        // Required: SKU family "A", name "standard" or "premium"
        sku: { family: "A", name: "standard" },
        accessPolicies: [
            {
                tenantId: "1111111111111111111111111111111111",
                objectId: "1111111111111111111111111111111111",
                permissions: {
                    certificates: ["Get"],
                    keys: ["Get"],
                    secrets: ["Get"],
                },
            },
            {
                tenantId: "1111111111111111111111111111111111",
                // Access policies match on the identity's object ID (principalId),
                // not its application/client ID (clientId); a policy keyed on
                // clientId never matches the managed identity.
                objectId: userAssignedIdentity.principalId,
                permissions: {
                    certificates: ["Get", "List"],
                    keys: ["Get", "List"],
                    secrets: ["Get", "List"],
                },
            },
        ],
        enablePurgeProtection: true,
        enableRbacAuthorization: false,
        enableSoftDelete: true,
        enabledForDeployment: false,
        enabledForDiskEncryption: false,
        enabledForTemplateDeployment: false,
    },
});
fancy-artist-45287
03/22/2023, 4:29 PM
blue-potato-57538
03/22/2023, 4:31 PM
fancy-artist-45287
03/22/2023, 4:33 PM
blue-potato-57538
03/22/2023, 4:35 PM
fancy-artist-45287
03/22/2023, 4:36 PM
blue-potato-57538
03/22/2023, 4:38 PM
fancy-artist-45287
03/22/2023, 4:54 PM
blue-potato-57538
03/22/2023, 5:05 PM