Azurerm needs 2 shots to destroy an Azure Key Vault

What I am doing

I run this azurerm Terraform script:

resource "azurerm_key_vault" "kv" {
  name                       = "mykvfdlm"
  location                   = "westeurope"
  resource_group_name        = "croustillant"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = false
  soft_delete_retention_days = 7

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
  }

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions    = ["Get", "List", "Update", "Delete", "Purge"]
    secret_permissions = ["Get", "List", "Set", "Delete", "Purge"]
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault_secret" "secrets" {
  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.kv.id
  for_each     = var.secrets
}

variable "secrets" {
  type        = map(string)
  default     = {}
}

It is running from an SPN that has these permissions on the croustillant resource group:


My issue

I run:

terraform apply

everything is OK

Then:

terraform destroy

Get this error message:

│ Error: purging Key Vault (Subscription: "XXXXX" │ Resource Group Name: "croustillant" │ Key Vault Name: "mykvfdlm"): performing PurgeDeleted: vaults.VaultsClient#PurgeDeleted: Failure sending request: StatusCode=0 -- Original Error: Code="AuthorizationFailed" Message="The client 'XXXXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.KeyVault/locations/deletedVaults/purge/action' over scope '/subscriptions/XXX' or the scope is invalid. If access was recently granted, please refresh your credentials."

All resources are deleted anyway, but the KV is not purged.

If I run again:

terraform destroy

KV is purged and the command is OK

I am using:

What I need

  1. I don't understand why the second shot is not working. Does anybody know?
  2. What can I do to make the script work in one single shot?

I read the azurerm documentation:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key

I have the prerequisite asked for in the first note.

Edit notes

It's working when adding Owner at subscription level (not resource group). This is not possible under our security constraints.

Thank you

Upvotes: 0

Views: 734

Answers (1)

Vinay B

Reputation: 2476

I tried to destroy the Azure Key Vault after creating it using Terraform, and I was able to destroy the created resource successfully in one go.

The Terraform Azure provider cannot purge the deleted Azure Key Vault because you do not have the required permissions. You need to assign a role to the client (service principal or user) you're using for Terraform that includes the Microsoft.KeyVault/locations/deletedVaults/purge/action permission.

Here is a more concise version:

Terraform Azure purge permission error

You need the Microsoft.KeyVault/locations/deletedVaults/purge/action permission to purge a deleted Azure Key Vault. Assign the appropriate role to the Terraform client.

To resolve this issue, you should ensure that the Azure service principal or user account being used by Terraform has the appropriate permissions or custom role permission to purge deleted Key Vaults. You can do this by updating the access policies for the Key Vault.

My terraform configuration:

resource "azurerm_key_vault" "kv" {
  name                       = "keyvaultvksb"
  location                   = "East US"
  resource_group_name        = "v-sakavya"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = false
  soft_delete_retention_days = 7

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
  }

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions    = ["Get", "List", "Update", "Delete", "Purge"]
    secret_permissions = ["Get", "List", "Set", "Delete", "Purge"]
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault_secret" "secrets" {
  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.kv.id
  for_each     = var.secrets
}

variable "secrets" {
  type        = map(string)
  default     = {}
}

Output:

Command Terraform_apply


Command Terraform_destroy


Upvotes: 0
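The question's edit note (Owner at subscription level works, but is not acceptable) and the answer (the SPN lacks Microsoft.KeyVault/locations/deletedVaults/purge/action) point to the same root cause: a soft-deleted vault lives at subscription scope, outside any resource group, so a role assignment on the resource group can never cover the purge action. The following configuration is an added example, not code from the question or the answer. It shows a least-privilege alternative to Owner: a custom role containing only the purge action, assigned at subscription scope, plus the provider `features` switch that decides whether `terraform destroy` purges at all. The role name "Key Vault Purger (example)" and the use of the current client's object id as the assignee are assumptions.

```hcl
# Added example (not part of the original question or answer).
# Goal: let `terraform destroy` purge a soft-deleted Key Vault in one run
# without granting Owner at subscription scope.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      # true (the default) makes destroy purge the vault, which requires the
      # purge action below. Set it to false if the security policy forbids the
      # permission: destroy then only soft-deletes the vault and no purge
      # permission is needed at all.
      purge_soft_delete_on_destroy = true
    }
  }
}

data "azurerm_client_config" "current" {}

data "azurerm_subscription" "current" {}

# Deleted vaults are addressed as
# /subscriptions/<sub>/providers/Microsoft.KeyVault/locations/<loc>/deletedVaults/<name>,
# so the purge action must be granted at subscription scope. A custom role
# holding only that one action keeps the grant far narrower than Owner.
resource "azurerm_role_definition" "kv_purger" {
  name        = "Key Vault Purger (example)" # assumed name
  scope       = data.azurerm_subscription.current.id
  description = "Allows purging soft-deleted Key Vaults and nothing else"

  permissions {
    actions     = ["Microsoft.KeyVault/locations/deletedVaults/purge/action"]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.current.id]
}

# Assign the custom role to the service principal that runs Terraform.
# Creating this assignment itself needs Microsoft.Authorization/roleAssignments/write
# at subscription scope, so an administrator usually applies this block once from
# a separate configuration rather than from the pipeline's own run.
resource "azurerm_role_assignment" "kv_purger_spn" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.kv_purger.role_definition_resource_id
  principal_id       = data.azurerm_client_config.current.object_id
}
```

Before running the destroy from the pipeline, the grant can be checked with `az role assignment list --assignee <spn-object-id> --scope /subscriptions/<subscription-id>`; the custom role should appear there, not only at the resource group. If the organisation will not grant the purge action at all, setting `purge_soft_delete_on_destroy = false` is the other single-shot option, at the cost of the vault name staying reserved until the soft-delete retention period (7 days in the question's configuration) expires.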
