
I'm trying to grant a newly created data factory access to a key vault. To achieve this I have the following code:

    # Local wrapper module exposing details of the current subscription; its
    # `environment` output is used in the factory name below. Module contents
    # are not shown here.
    module "subscription" {
      source = "../../general/subscription_getdetails"
    }
    
    # Looks up the existing resource group for the data factory from its name
    # parts; the `rg` and `sitecode` outputs are consumed below.
    module "df_resourcegroup" {
      source = "../../general/rg_getdetails"
      rg_name_solution = var.df_rg_name_solution
      rg_name_seqnr    = var.df_rg_name_seqnr
    }
    
    # Resolves a logical location name/tier to an Azure region; the `azure`
    # output is what the resources below pass as `location`.
    module "location" {
      source = "../../general/location/location_getdetails"
      location_name = var.df_location_name
      location_tier = var.df_location_tier
    }
    
    # Looks up the existing key vault the factory needs to read from; only its
    # `kv.id` output is used, as the target of the access policy below.
    # NOTE(review): an access-policy resource only has effect if the vault uses
    # the access-policy permission model rather than Azure RBAC — confirm how
    # this vault is configured.
    module "keyvault" {
      source = "../../security/kv_getdetails"
      kv_name_solution    = var.kv_name_solution
      kv_name_seqnr       = var.kv_name_seqnr
      kv_name_purpose     = var.kv_name_purpose
      kv_location_name    = var.kv_location_name
      kv_location_tier    = var.kv_location_tier
      kv_rg_name_solution = var.kv_rg_name_solution
      kv_rg_name_seqnr    = var.kv_rg_name_seqnr
    }
    
    resource "azurerm_data_factory" "df" {
      # Name pattern: adf-<sitecode>-<environment>-<dataset>-<seqnr>.
      name = "adf-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-${var.df_name_dataset}-${var.df_name_seqnr}"

      resource_group_name = module.df_resourcegroup.rg.name
      location            = module.location.azure

      # Network exposure is left to the caller. NOTE(review): if this variable
      # has no value the provider default applies (true, to my knowledge — check
      # the pinned provider version), which leaves the factory publicly reachable.
      public_network_enabled = var.df_allow_public_access

      # System-assigned identity: the principal is tied to this resource, so its
      # principal_id/tenant_id are only available once the factory exists.
      identity {
        type = "SystemAssigned"
      }
    }
    
    
    resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read" {
      key_vault_id = module.keyvault.kv.id

      # Grantee is the factory's system-assigned identity; both values are read
      # from the identity block of the resource above.
      tenant_id = azurerm_data_factory.df.identity[0].tenant_id
      object_id = azurerm_data_factory.df.identity[0].principal_id

      # Least privilege: read-only on keys and secrets, and no List permission,
      # so the identity can only fetch items whose names it already knows.
      key_permissions    = ["Get"]
      secret_permissions = ["Get"]
    }

But there must be something wrong with this, as I'm getting the error below. (I've also tried referencing `identity` without the `[0]` index; that doesn't work either.)

│ Error: Invalid index
│ 
│   on _modules/das/df_create/main.tf line 68, in resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read":
│   68:   tenant_id    = azurerm_data_factory.df.identity[0].tenant_id
│     ├────────────────
│     │ azurerm_data_factory.df.identity is empty list of object
│ 
│ The given key does not identify an element in this collection value.
Which version of Terraform are you using? — Ked Mardemootoo
It states v0.15.4 — Harry Leboeuf
The error message implies the resource generated no attributes for that object. Are you expecting the resource to have information for `identity`? — Matt Schuchard

2 Answers


I found a way, but using a user-assigned identity instead:

resource "azurerm_user_assigned_identity" "uai_adf" {
  # A standalone identity: its principal_id/tenant_id exist independently of
  # the factory, so other resources can reference them directly.
  name = "id-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-adf-0${var.df_name_dataset}"

  location            = module.location.azure
  resource_group_name = module.df_resourcegroup.rg.name
}

resource "azurerm_data_factory" "df" {
  # Name pattern: adf-<sitecode>-<environment>-<dataset>-<seqnr>.
  name = "adf-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-${var.df_name_dataset}-${var.df_name_seqnr}"

  resource_group_name = module.df_resourcegroup.rg.name
  location            = module.location.azure

  # Network exposure is left to the caller; the provider default applies when
  # the variable is unset — NOTE(review): confirm that default is the
  # restrictive value you want.
  public_network_enabled = var.df_allow_public_access

  # Attach the user-assigned identity created above rather than a
  # system-assigned one.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.uai_adf.id]
  }
}

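resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read_secret" {
  key_vault_id = module.keyvault.kv.id

  # Plain references: wrapping a lone reference in "${...}" is the legacy 0.11
  # interpolation-only form, which Terraform 0.12+ reports as deprecated.
  tenant_id = azurerm_user_assigned_identity.uai_adf.tenant_id
  object_id = azurerm_user_assigned_identity.uai_adf.principal_id

  # Least privilege: no key permissions at all, secrets read-only (Get, no List).
  key_permissions    = []
  secret_permissions = ["Get"]
}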
 # Same subscription lookup as in the question; exposes `environment`.
 module "subscription" {
      source = "../../general/subscription_getdetails"
    }
    
    # Looks up the factory's resource group; `rg` and `sitecode` are used below.
    module "df_resourcegroup" {
      source = "../../general/rg_getdetails"
      rg_name_solution = var.df_rg_name_solution
      rg_name_seqnr    = var.df_rg_name_seqnr
    }
    
    # Resolves the logical location to an Azure region (`azure` output).
    module "location" {
      source = "../../general/location/location_getdetails"
      location_name = var.df_location_name
      location_tier = var.df_location_tier
    }
    
    # Looks up the target key vault; only `kv.id` is used, by the access policy
    # below. NOTE(review): access policies only apply if the vault uses the
    # access-policy permission model rather than Azure RBAC — confirm.
    module "keyvault" {
      source = "../../security/kv_getdetails"
      kv_name_solution    = var.kv_name_solution
      kv_name_seqnr       = var.kv_name_seqnr
      kv_name_purpose     = var.kv_name_purpose
      kv_location_name    = var.kv_location_name
      kv_location_tier    = var.kv_location_tier
      kv_rg_name_solution = var.kv_rg_name_solution
      kv_rg_name_seqnr    = var.kv_rg_name_seqnr
    }
    
    resource "azurerm_data_factory" "df" {
      # Name pattern: adf-<sitecode>-<environment>-<dataset>-<seqnr>.
      name = "adf-${module.df_resourcegroup.sitecode}-${module.subscription.environment}-${var.df_name_dataset}-${var.df_name_seqnr}"

      resource_group_name = module.df_resourcegroup.rg.name
      location            = module.location.azure

      # Network exposure is left to the caller. NOTE(review): when unset, the
      # provider default applies (true, to my knowledge — check the pinned
      # provider version), leaving the factory publicly reachable.
      public_network_enabled = var.df_allow_public_access

      # System-assigned identity; its principal_id is only available once the
      # factory exists.
      identity {
        type = "SystemAssigned"
      }
    }
    
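    # Details of the principal Terraform itself runs as; only its tenant_id is
    # used below. (Stray markdown bold markers removed — they are not valid HCL.)
    data "azurerm_client_config" "current" {}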
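    resource "azurerm_key_vault_access_policy" "df_grant_keyvault_read" {
      key_vault_id = module.keyvault.kv.id

      # Tenant of the deploying principal, used as a stand-in for the identity's
      # tenant. A managed identity is created in its resource's own tenant, so
      # this matches as long as the deployment runs in that same tenant.
      # (Stray markdown bold markers removed — they are not valid HCL.)
      tenant_id = data.azurerm_client_config.current.tenant_id

      # NOTE(review): this still indexes identity[0], the same collection the
      # question's error reported as empty; if swapping tenant_id alone did not
      # resolve that, this line fails the same way.
      object_id = azurerm_data_factory.df.identity[0].principal_id

      # Least privilege: read-only on keys and secrets; no List permission.
      key_permissions    = ["Get"]
      secret_permissions = ["Get"]
    }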