fancy-artist-45287

03/21/2023, 11:46 AM
Hi, I am trying to add access policies to an existing key vault in azure from pulumi like described here https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/accesspolicies?pivots=deployment-language-bicep but it doesn't seem like pulumi has anything equivalent to this? https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/
Or do I need to use the Azure Classic over Azure Native?
rapid-engineer-94232

03/21/2023, 1:40 PM
What language are you using? The access policies are set on the key vault itself according to the docs you linked. I have only used it on new key vaults, but it should work if you have an existing key vault as well. Run the import first and after that you should be able to add the access policies you want
fancy-artist-45287

03/21/2023, 2:31 PM
typescript
well there is a chicken-and-egg problem here, so I need to modify the access policies after they have been created
I have been able to do so with the Azure Classic npm package based off Terraform, but not the recommended npm package azure-native
melodic-tomato-39005

03/21/2023, 3:47 PM
Since the azure native provider is built on the OpenAPI spec Microsoft publishes, supporting access policies would require custom work. We have an open issue: https://github.com/pulumi/pulumi-azure-native/issues/594 For the time being, the best recommendation is to use the bridged (TF-based) provider for the policies, and you can use the native provider for everything else.
fancy-artist-45287

03/21/2023, 3:48 PM
Thank you for the response @melodic-tomato-39005
@melodic-tomato-39005 there is a note in the documentation for azure.keyvault.AccessPolicy:
NOTE: It's possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
Seemed to me like this led to issues with my policies defined when creating the key vault, so I changed to adding access policies with azure classic approach but then I get the error that no access policy is defined when trying to create the key vault 🤦‍♂️
I changed to creating the keyvault, secrets, policies etc with the azure classic package but I keep getting the errors
azure:keyvault:Secret (storage-fa-dev.DataLakeConnectionString):
    error: 1 error occurred:
        * A resource with the ID "<https://kv-dev.vault.azure.net/secrets/storage-fa-dev-DataLakeConnectionString/11135227962c>" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.
However doing a pulumi refresh does not help, and I have also resorted to deleting the whole keyvault, access policies, secrets etc, and then doing a pulumi refresh before pulumi up, and I keep getting this error 🤷‍♂️ I guess TF keeps some kind of state also, but how do I refresh that state if pulumi doesn't do it for me?
blue-potato-57538

03/22/2023, 2:28 PM
@fancy-artist-45287 what is not working if you add access policies using the accessPolicies property from the azure_native provider: https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/#accesspolicyentry ? I mean on my side this is how I add new policies for a keyvault, and I didn't see an issue so far.
fancy-artist-45287

03/22/2023, 2:29 PM
when running pulumi up multiple times it sometimes removes and adds policies even though nothing has changed in the code, as it seems to get confused after a pulumi refresh
However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
Guess it's related to this note in the azure classic docs
To get rid of the Terraform error I had to completely delete my resource group in azure and my pulumi stack
blue-potato-57538

03/22/2023, 2:32 PM
Ok but if you maintain the keyvault only using azure-native?
fancy-artist-45287

03/22/2023, 2:34 PM
then I can't add access policies after the keyvault has been created, I can only supply access policies when it is created, as mentioned here by Thomas Kappler
blue-potato-57538

03/22/2023, 2:35 PM
ok, I will give it a try to import an existing kv and then try to add policies and see how this will work out
fancy-artist-45287

03/22/2023, 2:43 PM
Given this pseudo code you can see my problem
// the vault must exist before the secret, and the secret before the app setting
const kv = new keyvault();

const account = new storageAccount();
const secret = new secret(kv.id, account.connectionString);

// the app setting references the secret, so the app now depends on the vault
const app = new appservice();
const setting = new appsetting(app.id, secret.id);

// the access policy needs both kv and app, but the app cannot read the secret
// until the policy exists: this is the chicken-and-egg problem
const policy = new accesspolicy(kv.id, app.id, ['Get']);
so either I add the app settings post create of kv, app and accesspolicy or I create the policy post...
blue-potato-57538

03/22/2023, 4:21 PM
so your target is probably to map a file share to a web app service using the access key, which will be stored in kv and from which the web app service will take it?
fancy-artist-45287

03/22/2023, 4:22 PM
yeah among many other things
blue-potato-57538

03/22/2023, 4:26 PM
I didn't see any issue with having the access policies being managed under kv with azure native:
import * as azure_native from "@pulumi/azure-native";

// identity the web app will run as; the vault policy below grants it read access
const userAssignedIdentity = new azure_native.managedidentity.UserAssignedIdentity("userAssignedIdentity", {
    location: "westeurope",
    resourceGroupName: "1111111111111111111111111111111111",
    resourceName: "1111111111111111111111111111111111",
});

const kv1 = new azure_native.keyvault.Vault("kv1", {
    location: "westeurope",
    properties: {
        // each entry is one principal and the exact permissions it gets (least privilege)
        accessPolicies: [
            {
                tenantId: "1111111111111111111111111111111111",
                objectId: "1111111111111111111111111111111111",
                permissions: {
                    certificates: ["Get"],
                    keys: ["Get"],
                    secrets: ["Get"],
                },
            },
            {
                tenantId: "1111111111111111111111111111111111",
                // an access policy is keyed on the identity's AAD object id (principalId),
                // not its application/client id; the original post used clientId here
                objectId: userAssignedIdentity.principalId,
                permissions: {
                    certificates: ["Get", "List"],
                    keys: ["Get", "List"],
                    secrets: ["Get", "List"],
                },
            },
        ],
        enablePurgeProtection: true,
        enableRbacAuthorization: false,
        enableSoftDelete: true,
        enabledForDeployment: false,
        enabledForDiskEncryption: false,
        enabledForTemplateDeployment: false,
        // the original post was cut off here; the remaining required vault
        // properties (e.g. sku, tenantId) and resourceGroupName are not shown
    },
});
Whatever pulumi refresh/up I did, I was not able to see any issues with policies getting deleted or recreated
fancy-artist-45287

03/22/2023, 4:29 PM
and you added policies with azure classic afterwards?🤔
blue-potato-57538

03/22/2023, 4:31 PM
no, but what is the point of using it with azure classic, since I can maintain it with azure native? I suppose this part is missing to me
fancy-artist-45287

03/22/2023, 4:33 PM
well since I don't know all the access policies I need up front when creating the keyvault, I need to add them afterwards? and azure native does not have that capability?
blue-potato-57538

03/22/2023, 4:35 PM
ok, but in my example I have created a keyvault from the portal, without any policy, and I've imported it into a pulumi project, and from the pulumi project I started to add new policies, using the accessPolicies property
fancy-artist-45287

03/22/2023, 4:36 PM
yeah that should probably work
blue-potato-57538

03/22/2023, 4:38 PM
So under the accessPolicies properties, you add additional ones:
fancy-artist-45287

03/22/2023, 4:54 PM
So let's go through this step by step.
1. Create Database
2. Create WebApp
3. Create KeyVault
   a. With secret Database connection string
   b. With access policy for WebApp
4. Add secret key vault reference from KeyVault to WebApp
Step 4 can't be done before both the KeyVault and WebApp have been created, and I don't know of a way to add WebApp settings after it has been created.
The other approach is:
1. Create KeyVault
2. Create Database
3. Create Secret in KeyVault with Database Connectionstring
4. Create WebApp
   a. With secret we just created as app setting
5. Create AccessPolicy for WebApp to KeyVault
Step 5 can't be done in Azure Native but can be done in Azure Classic
blue-potato-57538

03/22/2023, 5:05 PM
As long as you have resource references between them, I don't see why you would not be able to have option 1, because pulumi is smart enough to know which resource needs to be created first, based on the references you make between resources. For accessing the keyvault from the appservice I would recommend using a user assigned identity instead of a system-assigned identity.
Also, most of the time for these references you will need to make use of pulumi.interpolate, which gives you flexibility for properties you want to use but that are not available yet