Terraform Azure data factory creation

Question

I'm trying to deploy Azure data factory along with customer managed key and identity but after terraform apply customer managed key is not showing in the data factory. When I try to add the customer managed key manually in data factory it is giving below error. Operation failed. Managed identity used in CMK not found.

    data "azurerm_client_config" "main" {}

resource "azurerm_resource_group" "main" {
    name = "rgsupports01"
    location = "East US 2"
}

resource "azurerm_user_assigned_identity" "main" {
    depends_on = [azurerm_resource_group.main]
    name = "supports01-mid"
    resource_group_name = azurerm_resource_group.main.name
    location = azurerm_resource_group.main.location
}

resource "azurerm_key_vault" "main" {
  name                        = "supportskv01"
  location                    = azurerm_resource_group.main.location
  resource_group_name         = azurerm_resource_group.main.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.main.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.main.tenant_id
    object_id = data.azurerm_client_config.main.object_id

    key_permissions = [
      "Get",
      "Unwrapkey",
      "Wrapkey",
      "Create",
      "Delete",
    ]

    secret_permissions = [
      "Get",
    ]

    storage_permissions = [
      "Get",
    ]
  }
}

    resource "azurerm_key_vault_access_policy" "main" {
  key_vault_id = azurerm_key_vault.main.id
  tenant_id    = data.azurerm_client_config.main.tenant_id
  object_id    = azurerm_user_assigned_identity.main.client_id

  key_permissions = [
    "Get","List","Unwrapkey","Wrapkey"
  ]

  secret_permissions = [
    "Get","List",
  ]
}

resource "azurerm_key_vault_key" "main" {
  depends_on = [azurerm_key_vault_access_policy.main]
  name         = "supportrsakeys01"
  key_vault_id = azurerm_key_vault.main.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_data_factory" "adf" {
    #depends_on = [azurerm_key_vault_key.main]
    name       = "supportdfs01"
    resource_group_name = azurerm_resource_group.main.name
    location = azurerm_resource_group.main.location
    public_network_enabled = false
    customer_managed_key_id = resource.azurerm_key_vault_key.main.id
    identity {
        type = "UserAssigned"
        identity_ids = [resource.azurerm_user_assigned_identity.main.id]
    }

}

resource "azurerm_key_vault_access_policy" "new" {
  depends_on = [azurerm_data_factory.adf]
  key_vault_id = azurerm_key_vault.main.id
  tenant_id    = data.azurerm_client_config.main.tenant_id
  object_id    = azurerm_user_assigned_identity.main.principal_id

  key_permissions = [
    "Get","List","Unwrapkey","Wrapkey"
  ]

  secret_permissions = [
    "Get","List",
  ]
}

silent silent · Accepted Answer · 2021-08-19T14:27:11

Do not specific access_policy within the Key Vault resource, only use azurerm_key_vault_access_policy resources. The way you have specified it, will bring conflicts and probably mess up access policies. See here.

Terraform Azure data factory creation

1 Answers