Terraform-provider-azurerm: Error when provisioning app service ssl cert

Created on 4 Dec 2019 · 2 Comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.13

  • provider.azuread v0.6.0
  • provider.azurerm v1.36.0
  • provider.random v2.2.0

Affected Resource(s)

  • azurerm_app_service_certificate

Terraform Configuration Files

According to the documentation found here:

NOTE: If using key_vault_secret_id, the magic Resource Principal with id of abfa0a7c-a6b6-4736-8310-5855508787cd must have 'Secret get' and 'Certificate get' permissions on the Key Vault containing the certificate. (Source: App Service Blog)

Here is where I am creating the access policy for the "special" service principal referenced in the documentation.

# Access policy intended for the App Service platform principal named in the NOTE above
resource "azurerm_key_vault_access_policy" "accesspolicy_app_service" {
  key_vault_id = "${azurerm_key_vault.keyvault.id}"

  tenant_id = "${var.tenant_id}"
  object_id = "abfa0a7c-a6b6-4736-8310-5855508787cd"

  secret_permissions = [
    "get",
  ]

  certificate_permissions = [
    "get",
  ]
}

Here is where I am creating the SSL cert in the app service:

# App Service certificate sourced from the Key Vault certificate's secret
resource "azurerm_app_service_certificate" "user_api_ssl" {
  name                = "user-api-cert"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  location            = "${azurerm_resource_group.rg.location}"
  key_vault_secret_id = "${azurerm_key_vault_certificate.foo_com_ssl_cert.secret_id}"
}

Debug Output

Panic Output

Error: Error creating/updating App Service Certificate "user-api-cert" (Resource Group "foo-api-dev"): web.CertificatesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The service does not have access to '/subscriptions/1234/resourcegroups/foo-api-dev/providers/microsoft.keyvault/vaults/foo-dev' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." Details=[{"Message":"The service does not have access to '/subscriptions/1234/resourcegroups/foo-api-dev/providers/microsoft.keyvault/vaults/foo-dev' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"59716","Message":"The service does not have access to '/subscriptions/1234/resourcegroups/foo-api-dev/providers/microsoft.keyvault/vaults/foo-dev' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.","MessageTemplate":"The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.","Parameters":["/subscriptions/1234/resourcegroups/foo-api-dev/providers/microsoft.keyvault/vaults/foo-dev"]}}]

on functions.tf line 54, in resource "azurerm_app_service_certificate" "user_api_ssl":
54: resource "azurerm_app_service_certificate" "user_api_ssl" {

Expected Behavior

Because I created an access policy that allows Secret.get and Certificate.get for the special service principal "abfa0a7c-a6b6-4736-8310-5855508787cd", the app service certificate should be created successfully.

Actual Behavior

It throws an error saying that I don't have the access to do this.

Steps to Reproduce

  1. terraform apply

Important Factoids

References


Labels: bug, service/app-service


All 2 comments

Do you have an access policy that allows the service principal that Terraform is using to authenticate with Azure? The special one you added is only used by the certificate order in the portal, so for rekeying and syncing, but if the service principal used by Terraform doesn't have permission to your vault, I think this is expected.

Not sure if the documentation has changed since you posted, but it goes on to say:-

This Object ID can be retrieved via following data reference, since it is different in every AAD Tenant:

data "azuread_service_principal" "MicrosoftWebApp" {
  application_id = "abfa0a7c-a6b6-4736-8310-5855508787cd"
}

What you are specifying as object_id for the permissions, is actually the application_id. You have to retrieve the object id for that application id in your directory and use that reference instead.

One thing to be aware of as a bit of a gotcha (I experienced it today): make sure you add the azuread provider and specify the tenant and subscription you are trying to look up (especially if you have multiple directories/subscriptions); otherwise it will default to your first/main directory and give you the wrong object_id (and you'll still have an error when adding the certificate).

i.e.

provider "azuread" {
  tenant_id       = "<your tenant id>"
  subscription_id = "<your subscription id>"
  version         = "~>0.3.1"
}
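Putting the two comments together, the following is an added, complete configuration (not code from the issue, the provider documentation or the Azure App Service blog) that looks up the per-tenant object ID of the Microsoft Web App service principal, grants it the two "get" permissions, and also grants the identity Terraform itself runs as access to the vault. It uses Terraform 0.12 expression syntax. The variable names, the resource group name and location, the vault name, the permission sets on the Terraform policy, and the `object_id` attribute of `azurerm_client_config` being present in the provider version in use are assumptions; the `azurerm_key_vault_certificate` resource `foo_com_ssl_cert` is assumed to be defined elsewhere, as in the issue.

```hcl
# Added example, not from the issue or the azurerm/azuread providers' docs.
# Variable, resource, region and vault names are assumptions, and the
# azurerm_key_vault_certificate resource "foo_com_ssl_cert" is assumed to be
# defined elsewhere, as in the original issue.

variable "tenant_id" {}
variable "subscription_id" {}

provider "azurerm" {
  version         = "~> 1.36"
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

# Pin the azuread provider to the same directory: a multi-tenant application's
# service principal has a different object ID in every tenant, so a lookup
# against the wrong (default) directory returns an ID the vault will not match.
provider "azuread" {
  version   = "~> 0.6"
  tenant_id = var.tenant_id
}

# The identity Terraform is authenticated as (service principal or user).
# Assumption: the object_id attribute exists in the azurerm version in use.
data "azurerm_client_config" "current" {}

# Well-known application (client) ID of the Microsoft Web App principal.
# The access policy needs this principal's object ID in *this* tenant.
data "azuread_service_principal" "MicrosoftWebApp" {
  application_id = "abfa0a7c-a6b6-4736-8310-5855508787cd"
}

resource "azurerm_resource_group" "rg" {
  name     = "foo-api-dev"    # assumed; taken from the error message
  location = "West Europe"    # assumed
}

resource "azurerm_key_vault" "keyvault" {
  name                = "foo-dev"           # assumed; taken from the error message
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

# Policy for the identity running Terraform (first comment above): it has to
# manage the certificate it creates and read the secret it later hands to
# App Service. Permission set is an assumption; trim it to what you use.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  certificate_permissions = ["get", "list", "create", "import", "delete"]
  secret_permissions      = ["get", "list", "delete"]
}

# Policy for the App Service platform (second comment above): the fix is to
# pass the looked-up object_id rather than the application_id literal.
resource "azurerm_key_vault_access_policy" "app_service" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = var.tenant_id
  object_id    = data.azuread_service_principal.MicrosoftWebApp.object_id

  secret_permissions      = ["get"]
  certificate_permissions = ["get"]
}

resource "azurerm_app_service_certificate" "user_api_ssl" {
  name                = "user-api-cert"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  key_vault_secret_id = azurerm_key_vault_certificate.foo_com_ssl_cert.secret_id

  # Terraform cannot infer this ordering from the secret_id reference alone;
  # without it the certificate can be created before the policy exists and
  # fail with the same "does not have access" error on a fresh apply.
  depends_on = [azurerm_key_vault_access_policy.app_service]
}
```

Before applying, it is worth confirming out-of-band that the ID Terraform will write into the policy is the one the platform presents to the vault: `az ad sp show --id abfa0a7c-a6b6-4736-8310-5855508787cd` (run against the same tenant) returns that tenant's service principal, with the object ID in the `objectId` field on older CLI versions and in `id` on newer ones; it should match the value shown for `object_id` in `terraform plan`. If the lookup returns nothing, the principal has not been provisioned in that tenant, and the access policy cannot be created for it until it has. Note also that `depends_on` belongs on the certificate, not on the policy: the certificate references the vault certificate's secret, not the policy, so nothing else orders the two.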