Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error creating azurerm_app_service_certificate from Key Vault Secret #27317

Open
1 task done
JonathonAnderson opened this issue Sep 9, 2024 · 1 comment
Open
1 task done

Error creating azurerm_app_service_certificate from Key Vault Secret #27317

JonathonAnderson opened this issue Sep 9, 2024 · 1 comment
Labels
service/app-service v/3.x

Comments

@JonathonAnderson
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.3

AzureRM Provider Version

3.113.0

Affected Resource(s)/Data Source(s)

azurerm_app_service_certificate

Terraform Configuration Files

data "azurerm_key_vault_certificate" "gateway" {
  for_each = { for config in var.gateway.config : config.certificate.display-name => config }

  name         = each.value.certificate.display-name
  key_vault_id = var.key-vault.id
}


resource "azurerm_app_service_certificate" "appcert" {
  for_each = { for config in var.gateway.config : config.name => config }

  name                = lower(format("az-asc-%s-%s-%s-%s-%s", each.key, var.tags["WorkloadName"], var.tags["Env"], var.rg.location, var.tags["Env-Serial"]))
  resource_group_name = var.rg.name
  location            = var.rg.location
  key_vault_secret_id = data.azurerm_key_vault_certificate.gateway[each.value.certificate.display-name].id
}

Debug Output/Panic Output

╷
│ Error: creating/updating Certificate: (Name "az-asc-scim-web-dev-eastus-001" / Resource Group "az-rg-web-dev-eastus-001"): web.CertificatesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The service does not have access to '/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." Details=[{"Message":"The service does not have access to '/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"59716","Message":"The service does not have access to '/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.","MessageTemplate":"The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.","Parameters":["/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001"]}}]
│ 
│   with module.web["001"].module.app-gateway.azurerm_app_service_certificate.appcert["scim"],
│   on modules\app-gateway\main.tf line 199, in resource "azurerm_app_service_certificate" "appcert":
│  199: resource "azurerm_app_service_certificate" "appcert" {
│ 
╵

Expected Behaviour

App Service Certificate successfully created

Actual Behaviour

Received error

Note that the service principal running Terraform has full permissions on secrets and "Get", "List", "Update", "Create" permissions for certificates. The service principal is also a "Contributor" on the Key Vault itself

The managed identity for the app service has "Get" permissions on both secrets and certificates. I tried adding "Key Vault Reader" permissions for the app service, but no change.

When I run our code with TF_LOG = "Trace" the only thing I see is a PUT request for the app service certificate and a 400 response.

Steps to Reproduce

No response

Important Factoids

No response

References

No response
@github-actions github-actions bot added the v/3.x label Sep 9, 2024
@pregress
Copy link

You should grant the Web sites enterprise app the correct access rights.
If you are using rbac:

resource "azurerm_role_assignment" "example" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Certificate User"
  # https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2CRBAC#authorize-app-service-to-read-from-the-vault
  principal_id = "20f3f530-1402-4f5b-977b-d50cc851b63f"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
service/app-service v/3.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pregress @JonathonAnderson @rcskosir