Azure / aca-landing-zone-accelerator

The Azure Container Apps landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure Container Apps at scale.
https://aka.ms/aca-lza
MIT License
171 stars 81 forks

KV access issue when running Terraform #115

Closed nad-au closed 3 months ago

nad-au commented 10 months ago

I'm running the scenario with App Gateway as an alternative to Front Door because of a separate issue, https://github.com/Azure/aca-landing-zone-accelerator/issues/114

When creating a cert in KV, I'm getting an access issue:

╷
│ Error: checking for presence of existing Secret "agwcert" (Key Vault "https://kv-sbox-lz-uy2qx.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Public network access is disabled and request is not from a trusted service nor via an approved private link.\r\nCaller: appid=***;oid=ed2bd1f9-d1ff-43f4-8c04-b9ccc91635df;iss=https://sts.windows.net/***/\r\nVault: kv-sbox-lz-uY2QX;location=australiaeast" InnerError=***"code":"ForbiddenByConnection"***
│ 
│   with module.applicationGateway.module.appGatewayAddCertificates.azurerm_key_vault_secret.sslCertSecret,
│   on modules/application-gateway/certificate-config/main.tf line 12, in resource "azurerm_key_vault_secret" "sslCertSecret":
│   12: resource "azurerm_key_vault_secret" "sslCertSecret" ***
│ 
╵

I'm confused by the docs:

If you provide your client IP address, the Public IP address of the machine executing the Terraform deployment, it will be added to the Network ACL for the KeyVault used to house the Application Gateway certificate and it will allow you to proceed through the entire deployment.
If you would like to keep the KeyVault fully private, you will need to comment out the Application Gateway module in the main.tf and leave the clientIP value blank in your tfvars file. Follow the instructions for deploying Application Gateway separately on your jump box.

I'm trying to run Terraform in a GitHub Actions workflow, and the Service Principal has the Owner role at subscription scope. It mentions commenting out the App Gateway module. Do you really mean this? You can't create App GW with an SP?

thotheod commented 8 months ago

Hi. If I understand correctly, the problem is not the SP but networking. When you deploy something through GitHub Actions, the GitHub Actions runners (GitHub-hosted runners) are located outside your private Virtual Network. In that case they cannot access any private service, such as an Azure Key Vault with a private endpoint.

What you can do instead is create a self-hosted runner inside the private network where you plan to host Application Gateway, Key Vault or any other private resource.
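The two settings that the quoted docs excerpt and the reply above are describing, as an added Terraform example that is not the accelerator's own module code: the vault is reachable only through its private endpoint unless the deployer's public IP is supplied, in which case the public endpoint is turned on behind a deny-by-default ACL that admits just that address. The resource group, subnet, variable and resource names are assumed.

```hcl
# Added example, not the accelerator's own module. Names and references are assumed.

variable "client_ip" {
  description = "Public IP of the machine running Terraform. Leave empty to keep the vault fully private."
  type        = string
  default     = ""
}

locals {
  # Only expose the public endpoint when a deployer IP was supplied; otherwise
  # the vault is reachable through its private endpoint alone.
  expose_public_endpoint = var.client_ip != ""
}

resource "azurerm_key_vault" "agw_cert" {
  name                = "kv-example-agw" # assumed
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # false -> every public-internet caller (GitHub-hosted runners included)
  #          gets 403 ForbiddenByConnection, as in the issue above.
  # true  -> the public endpoint is on, but network_acls below still denies
  #          everything except the listed IP and trusted Azure services.
  public_network_access_enabled = local.expose_public_endpoint

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices" # trusted Azure services still bypass the deny rule
    ip_rules       = local.expose_public_endpoint ? [var.client_ip] : []
  }
}

# Private endpoint in the spoke so in-network clients (jump box, self-hosted
# runner) never need the public endpoint at all.
resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv-example-agw" # assumed
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  subnet_id           = azurerm_subnet.private_endpoints.id # assumed

  private_service_connection {
    name                           = "kv-example-agw-psc"
    private_connection_resource_id = azurerm_key_vault.agw_cert.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }
}
```

With `client_ip` left blank, a GitHub-hosted runner receives exactly the 403 ForbiddenByConnection shown in the issue, so the certificate resources must then be applied from a self-hosted runner or jump box inside the network.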