4 votes

I'm experimenting with using Terraform to set up a scenario in Azure where Terraform creates:
- an Azure function app with Managed Service Identity
- an Azure Key Vault
- a Key Vault access policy that allows the function app to access secrets in the key vault

My problem is around using the object id (principal id) of the MSI set up for the function app in the definition of the key vault access policy; I suspect I'm doing something wrong (and/or stupid)...

The error I get from a Terraform apply is:

azurerm_key_vault_access_policy.msi-test-to-keyvault-test: "object_id" is an invalid UUUID: uuid: UUID string too short: 1

I suspect the issue may be with the way I'm trying to reference the object id of the service principal created off the MSI identity in the access policy definition:

object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"

(the doco for the azurerm function app attributes section says that identity exports principal_id, however I have no idea what the correct syntax is to reference this attribute :( )

The Terraform template is:

resource "azurerm_function_app" "rg-func-app__funcapp" {
  name = "${local.deployed-func-app-name}"
  location                  = "${azurerm_resource_group.rg-func-app.location}"
  resource_group_name       = "${azurerm_resource_group.rg-func-app.name}"
  app_service_plan_id       = "${azurerm_app_service_plan.rg-func-app__appsvcpln.id}"
  storage_connection_string = "${azurerm_storage_account.rg-func-app__sa.primary_connection_string}"

  version = "~1"

  app_settings {
    "TEST_KEYVAULT_URL" = "${azurerm_key_vault.test.vault_uri}"
  }

  identity {
    type = "SystemAssigned"
  }

}


resource "azurerm_key_vault" "test" {
  name = "msi-test-vault"
  location = "${azurerm_resource_group.rg-func-app.location}"
  resource_group_name = "${azurerm_resource_group.rg-func-app.name}"

  sku {
    name = "standard"
  }

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
}

resource "azurerm_key_vault_secret" "test" {
  name      = "secret-sauce"
  value     = "szechuan"
  vault_uri = "${azurerm_key_vault.test.vault_uri}"
}


resource "azurerm_key_vault_access_policy" "msi-test-to-keyvault-test" {
  vault_name           = "${azurerm_key_vault.test.name}"
  resource_group_name  = "${azurerm_key_vault.test.resource_group_name}"

  tenant_id = "${azurerm_key_vault.test.tenant_id}"
  object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.principal_id}"

  key_permissions = [
    "get",
  ]

  secret_permissions = [
    "get",
  ] 
}

Any pointers gratefully received.

Cheers, Andy


2 Answers

6 votes

After a bit more poking around, a solution appears to be changing the incantation to retrieve the principal_id to:

object_id = "${lookup(azurerm_function_app.rg-func-app__funcapp.identity[0],"principal_id")}"

This results in the access policy being created as expected.

1 vote

Check out the terraform.tfstate file, which has all the available attributes in it, or the terraform show command. This will reveal that the GUID property you are looking for can be found at

object_id = "${azurerm_function_app.rg-func-app__funcapp.identity.0.principal_id}"
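To make the state layout that both answers rely on concrete, here is an added example (not code from either answer): a Python snippet that walks a constructed Terraform 0.11-style terraform.tfstate fragment, shows that the `identity` block is flattened into `identity.#` plus `identity.0.<attr>` keys, pulls out `identity.0.principal_id`, and applies the same UUID check the provider runs on `object_id`. The resource address, GUIDs and file layout are assumed sample values.

```python
import json
import uuid

# Constructed Terraform 0.11-style state fragment (sample values, not real identities).
# Nested blocks are flattened: "identity.#" holds the block count and each
# attribute lives under "identity.<index>.<name>", which is why the working
# references are identity.0.principal_id / lookup(identity[0], "principal_id").
STATE_JSON = """
{
  "version": 3,
  "modules": [{
    "path": ["root"],
    "resources": {
      "azurerm_function_app.rg-func-app__funcapp": {
        "type": "azurerm_function_app",
        "primary": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Web/sites/func",
          "attributes": {
            "identity.#": "1",
            "identity.0.principal_id": "11111111-2222-3333-4444-555555555555",
            "identity.0.tenant_id": "66666666-7777-8888-9999-000000000000",
            "identity.0.type": "SystemAssigned",
            "name": "func"
          }
        }
      }
    }
  }]
}
"""


def load_state():
    """Parse the embedded sample state (replace with open('terraform.tfstate') for real use)."""
    return json.loads(STATE_JSON)


def resource_attributes(state, address):
    """Return the flat attribute map of a resource, searching every module in the state."""
    for module in state["modules"]:
        res = module["resources"].get(address)
        if res:
            return res["primary"]["attributes"]
    raise KeyError(address)


def is_valid_object_id(value):
    """Mirror the provider's object_id validation: the value must parse as a UUID."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def identity_principal_id(state, address):
    """Return the system-assigned identity's principal_id, or raise if absent/invalid."""
    attrs = resource_attributes(state, address)
    if attrs.get("identity.#", "0") == "0":
        raise ValueError(f"{address} has no identity block; enable SystemAssigned first")
    raw = attrs["identity.0.principal_id"]
    if not is_valid_object_id(raw):
        raise ValueError(f"{address}: principal_id {raw!r} is not a UUID")
    return raw
```

Running the check against a real state file before `terraform apply` catches a missing identity block or a malformed value like `"1"` earlier than the provider's error.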