azurerm_key_vault_access_policy permissions are case sensitive

[collinstevens]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.14.7

• provider registry.terraform.io/hashicorp/azurerm v2.50.0
• provider registry.terraform.io/hashicorp/random v3.1.0

Affected Resource(s)

• azurerm_key_vault_access_policy

Terraform Configuration Files

terraform {
  backend "azurerm" {}

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.50.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.1.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "random" {
}

resource "random_integer" "id" {
  min = 10000
  max = 99999
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-sandbox-${random_integer.id.result}"
  location = "eastus"
}

resource "azurerm_key_vault" "kv" {
  name                = "kv-sandbox-${random_integer.id.result}"
  location            = "eastus"
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = var.active_directory_id
  
  # enabled_for_disk_encryption = true

  sku_name = "standard"
}

resource "azurerm_key_vault_access_policy" "ap" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = var.active_directory_id
  object_id    = var.service_principal_id

  secret_permissions = [
    "get",
    "list",
    "set"
  ]
}

Debug Output

Panic Output

Expected Behaviour

Terraform should destroy access policies.

Actual Behaviour

Terraform created a key vault.
Terraform created an access policy for the key vault.
The Terraform configuration for the key vault was updated (uncomment enabled_for_disk_encryption) which caused Terraform to update the access policy permission casing to title-case.
The access policies must exactly match what Azure returns in the Azure REST API, but Terraform has updated the casing of the permissions which differs from the initial creation Terraform had performed (lowercase).

Steps to Reproduce

1. az ad sp create-for-rbac
2. Set a TF_VAR for service_principal_id with the appId from the previous step.
3. terraform apply
4. terraform state show azurerm_key_vault.kv observe the absence of the access policy.
5. terraform state show azurerm_key_vault_access_policy.ap observe the lower-case casing of the access policy permissions.
6. Uncomment the property enabled_for_disk_encryption on the key vault.
7. terraform apply
8. terraform state show azurerm_key_vault.kv observe the appearance of the access policy
9. terraform state show azurerm_key_vault_access_policy.ap observe the title-case casing of the access policy permissions.
10. terraform destroy observe the destroy will never finish and hang until timeout for the access policy.

Important Factoids

When a Key Vault is updated through Terraform, the casing of the access policy permissions in Terraform state is made to be title-case, but the casing of the access policy permissions in Azure itself remain what they were initially created as.

When a Key Vault is updated through the Azure Portal, the casing of the access policy permissions is made to be title-case.

References

[thomasriley]

Also seeing this issue. My current workaround when I know a change to a policy will require a delete and re-create, is to perform the KV access policy deletion myself manually via the Azure Portal, so that all Terraform has to do is create the new policy.

There was recently a change in the azurerm provider connected to KeyVault access policy casing, so there could be a connection: #10591 & #10593.

[collinstevens]

@thomasriley the solution is basically to use the exact casing the Azure Rest API uses for the permissions or what you see in the Azure Portal itself. It's title-case plus some abbreviations which are upper-case.

[jackofallops]

Hi @collinstevens / @thomasriley - I think the scenario here was fixed in 2.51.0 (specifically in #10931) - Are you able to update to that version and let us know if your issue is resolved?

[collinstevens]

@jackofallops I'm not able to regression this, but I've updated my Terraform version to 2.51.0 in addition to using the correct casing of the properties. With these two fixes, I'm not running into the issue anymore, but I cannot say if I wasn't using the proper casing and using 2.51.0 if the issue would be resolved.

I'll close this as it looks like 2.51.0 should fix this issue and my fix works for <2.51.0.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!