Reputation: 195
I'm trying to deploy a key_vault resource that contains two key_vault_access_policy resources using this code:
data "azurerm_client_config" "current" {}

module "agw_user_assigned_identity" {
  source                      = "../modules/resources-blocks/user_assigned_identity"
  user_assigned_identity_name = "agw-user-signed-id"
  resource_group_name         = module.resource_group.name
  resource_group_location     = module.resource_group.location
}

module "key_vault" {
  source                     = "../modules/resources-hub/key_vault"
  key_vault_name             = local.key_vault_name
  resource_group_location    = module.resource_group.location
  resource_group_name        = module.resource_group.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 90
}

module "key_vault_private_certificate" {
  source               = "../modules/resources-blocks/key_vault_certificate"
  key_vault_id         = module.key_vault.id
  certificate_name     = local.agw_certificate_name
  certificate_path     = var.SSL_CERTIFICATE_PATH
  certificate_password = var.SSL_CERTIFICATE_PASSWORD
  depends_on           = [module.key_vault_access_policy_agw]
}

module "key_vault_access_policy_users" {
  source                  = "../modules/resources-blocks/key_vault_access_policy"
  key_vault_id            = module.key_vault.id
  tenant_id               = data.azurerm_client_config.current.tenant_id
  object_id               = data.azurerm_client_config.current.object_id
  certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update"]
  key_permissions         = ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey"]
  secret_permissions      = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
  storage_permissions     = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
  depends_on              = [module.key_vault]
}

module "key_vault_access_policy_agw" {
  source             = "../modules/resources-blocks/key_vault_access_policy"
  key_vault_id       = module.key_vault.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = module.agw_user_assigned_identity.principal_id
  secret_permissions = ["Get"]
  depends_on         = [module.key_vault_access_policy_users]
}
With the resources created in another file:
resource "azurerm_key_vault" "kv" {
  name                        = var.key_vault_name
  location                    = var.resource_group_location
  resource_group_name         = var.resource_group_name
  enabled_for_disk_encryption = true
  tenant_id                   = var.tenant_id
  soft_delete_retention_days  = var.soft_delete_retention_days
  purge_protection_enabled    = false
  sku_name                    = "standard"
}

locals {
  get_only_access = ["Get", "List"]
}

resource "azurerm_key_vault_access_policy" "acess_policy" {
  key_vault_id            = var.key_vault_id
  tenant_id               = var.tenant_id
  object_id               = var.object_id
  key_permissions         = var.get_only_access ? local.get_only_access : var.key_permissions
  secret_permissions      = var.get_only_access ? local.get_only_access : var.secret_permissions
  storage_permissions     = var.get_only_access ? local.get_only_access : var.storage_permissions
  certificate_permissions = var.get_only_access ? local.get_only_access : var.certificate_permissions
}
The error that I get with the command 'terraform apply -var-file="variables.tfvars"' is the following:
Error: A resource with the ID "/subscriptions/xxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.KeyVault/vaults/xxxxxxxx/objectId/xxxxxxxxxxxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_access_policy" for more information.
│
│ with module.key_vault_access_policy_users.azurerm_key_vault_access_policy.acess_policy,
│ on ..\modules\resources-blocks\key_vault_access_policy\main.tf line 5, in resource "azurerm_key_vault_access_policy" "acess_policy":
│ 5: resource "azurerm_key_vault_access_policy" "acess_policy" {
Could you please help me to solve this issue?
Just to give you a more general overview, the reason I'm trying to deploy these resources is because I'm creating an Application Gateway and I need to store the SSL certificate in the key_vault resource.
Upvotes: 0
Views: 2795
Reputation: 732
This happens quite often when you had a failed apply attempt and tried to manually delete the key vault to sync it with state.
The error is expected; to sync with state you have to purge the key vault:
az keyvault list-deleted
...
az keyvault purge --name <soft deleted key vault>
Upvotes: 0
Reputation: 7828
Error: A resource with the ID "/subscriptions/xxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.KeyVault/vaults/xxxxxxxx/objectId/xxxxxxxxxxxx" already exists - to be managed via Terraform this resource needs to be imported into the State.
It commonly happens when the terraform state file (running locally) does not match the resources in the Portal.
As @Marcin said, you should import the resource with the resourceID and add the respective objectID of keyvault.
Go to keyvault in the portal & get the "resourceID, objectID" as shown here:
Use terraform import azurerm_key_vault_access_policy.xxxxx ResourceID to fix this issue.
terraform import azurerm_key_vault_access_policy.example /subscriptions/<subscriptionID>/resourceGroups/<resourcegroupName>/providers/Microsoft.KeyVault/vaults/examples-keyvault/objectId/<ObjectID of Keyvault>
Refer to the terraform registry & the SO answer worked by me for more information regarding it.
Output:
Upvotes: 1
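A helper for the import step described in the answers, added here and not part of the question or either answer. It assumes the module name and resource name from the error message in the question, validates that the subscription and object IDs are GUID-shaped before composing the import ID, and uses constructed sample values rather than real identifiers:

```shell
#!/bin/sh
# Added example, not from the question or answers. Composes the import
# address for an access policy declared inside a module, using the module
# and resource names taken from the error message in the question.

# Subscription IDs and Azure AD object IDs are GUIDs; reject anything else
# so a vault name or a resource ID is not pasted into the wrong slot.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the provider's resource ID for azurerm_key_vault_access_policy:
#   .../vaults/<vault>/objectId/<principal object id>[/applicationId/<app id>]
# The objectId segment is the principal the policy grants to (here the
# identity's principal_id or the client object_id), not the vault itself.
access_policy_id() {
  sub="$1"; rg="$2"; kv="$3"; oid="$4"; app="${5:-}"
  is_guid "$sub" || { echo "subscription id is not a GUID: $sub" >&2; return 1; }
  is_guid "$oid" || { echo "object id is not a GUID: $oid" >&2; return 1; }
  id="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$kv/objectId/$oid"
  if [ -n "$app" ]; then
    is_guid "$app" || { echo "application id is not a GUID: $app" >&2; return 1; }
    id="$id/applicationId/$app"
  fi
  printf '%s' "$id"
}

# Terraform needs the full module path shown in the error, not just the
# bare resource address, otherwise the import lands in the root module.
import_command() {
  module_name="$1"; shift
  policy_id=$(access_policy_id "$@") || return 1
  printf 'terraform import module.%s.azurerm_key_vault_access_policy.acess_policy %s' \
    "$module_name" "$policy_id"
}

# Constructed sample values (not real identifiers).
SUB="00000000-0000-0000-0000-000000000001"
OID="11111111-2222-3333-4444-555555555555"
import_command key_vault_access_policy_users "$SUB" "rg-hub" "kv-hub" "$OID"
echo
```

Run the printed command from the root module directory, then `terraform plan` should show no diff for that policy; if it shows permission changes, the policy in Azure is broader or narrower than the code and is worth reviewing before applying.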