Azure / terraform-azurerm-avm-res-keyvault-vault

Azure Verified Module for Key Vault
https://registry.terraform.io/modules/Azure/avm-res-keyvault-vault/azurerm/latest
MIT License

Bug: Cannot create secret or ssh key due to time propagation not applied after role assignment #78

Closed LaurentLesle closed 8 months ago

LaurentLesle commented 8 months ago
 Error: checking for presence of existing Secret "demoname1-azureuser-password" (Key Vault "https://kv-k94r.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=93f1d009-7738-4237-ab19-68332c479887;iss=https://sts.windows.net/tenant/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/xxxxx/resourcegroups/rg-k94r/providers/microsoft.keyvault/vaults/kv-k94r/secrets/demoname1-azureuser-password'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: null \r\nVault: kv-k94r;location=southeastasia\r\n" InnerError={"code":"ForbiddenByRbac"}
│ 
│   with module.testvm.azurerm_key_vault_secret.admin_password[0],
│   on .terraform/modules/testvm/main.authentication.tf line 31, in resource "azurerm_key_vault_secret" "admin_password":
│   31: resource "azurerm_key_vault_secret" "admin_password" {
│ 
╵
╷
│ Error: checking for presence of existing Secret "demoname1-azureuser-ssh-private-key" (Key Vault "https://kv-k94r.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=93f1d009-7738-4237-ab19-68332c479887;iss=https://sts.windows.net/f7456228-ad6c-4ee8-93cd-f7619e8a4c9d/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/xxx/resourcegroups/rg-k94r/providers/microsoft.keyvault/vaults/kv-k94r/secrets/demoname1-azureuser-ssh-private-key'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: null \r\nVault: kv-k94r;location=southeastasia\r\n" InnerError={"code":"ForbiddenByRbac"}
│ 
│   with module.testvm.azurerm_key_vault_secret.admin_ssh_key[0],
│   on .terraform/modules/testvm/main.authentication.tf line 58, in resource "azurerm_key_vault_secret" "admin_ssh_key":
│   58: resource "azurerm_key_vault_secret" "admin_ssh_key" {
│ 

Steps to reproduce: create a VM that stores the generated password in a Key Vault secret.


# Picked up from the AVM virtual machine example folder, minus the disk encryption set.

module "naming" {
  # Naming-convention module; every *_unique name in this listing comes from it.
  version = ">= 0.3.0"
  source  = "Azure/naming/azurerm"
}

locals {
  # Declared but not referenced anywhere else in this listing; the resource
  # group below hard-codes its location instead.
  test_regions = ["centralus", "eastasia", "westus2", "eastus2", "westeurope", "japaneast"]

  # Tags applied to every taggable resource in the repro.
  tags = { scenario = "common_ubuntu_w_ssh" }
}

resource "azurerm_resource_group" "this_rg" {
  # Location is fixed here rather than taken from local.test_regions.
  location = "southeastasia"
  tags     = local.tags
  name     = module.naming.resource_group.name_unique
}

resource "azurerm_virtual_network" "this_vnet" {
  # Single /16 that both subnets below are carved from.
  address_space       = ["10.0.0.0/16"]
  tags                = local.tags
  resource_group_name = azurerm_resource_group.this_rg.name
  location            = azurerm_resource_group.this_rg.location
  name                = module.naming.virtual_network.name_unique
}

resource "azurerm_subnet" "this_subnet_1" {
  # Subnet attached to the VM NIC in module.testvm (network_interfaces).
  address_prefixes     = ["10.0.1.0/24"]
  virtual_network_name = azurerm_virtual_network.this_vnet.name
  resource_group_name  = azurerm_resource_group.this_rg.name
  name                 = "${module.naming.subnet.name_unique}-1"
}

resource "azurerm_subnet" "this_subnet_2" {
  # Not referenced by anything else in this listing.
  address_prefixes     = ["10.0.2.0/24"]
  virtual_network_name = azurerm_virtual_network.this_vnet.name
  resource_group_name  = azurerm_resource_group.this_rg.name
  name                 = "${module.naming.subnet.name_unique}-2"
}

# Identity Terraform is running as; supplies tenant_id and the object/client
# IDs used in the role assignments below.
data "azurerm_client_config" "current" {
}

resource "azurerm_user_assigned_identity" "example_identity" {
  # Attached to the VM (module.testvm managed_identities) and granted roles
  # on the vault in module.avm_res_keyvault_vault.
  tags                = local.tags
  resource_group_name = azurerm_resource_group.this_rg.name
  location            = azurerm_resource_group.this_rg.location
  name                = module.naming.user_assigned_identity.name_unique
}

module "avm_res_keyvault_vault" {
  source  = "Azure/avm-res-keyvault-vault/azurerm"
  version = ">= 0.5.0"

  name                = module.naming.key_vault.name_unique
  location            = azurerm_resource_group.this_rg.location
  resource_group_name = azurerm_resource_group.this_rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  tags                = local.tags

  # Carried over from the disk-encryption-set example this was copied from;
  # nothing in this listing creates a disk encryption set.
  enabled_for_disk_encryption = true

  # default_action = "Allow" opens the vault data plane to every network so the
  # deployment user can reach it without ip_rules; that is acceptable for a
  # repro, but outside one prefer "Deny" with explicit ip_rules.
  network_acls = {
    bypass         = "AzureServices"
    default_action = "Allow"
  }

  # These waits appear to gate only the key/secret operations the vault module
  # performs itself. The secrets written by module.testvm reference just the
  # vault id, so they are presumably outside that dependency edge - which would
  # explain the 403 "observe propagation time" errors above. Verify against the
  # module source.
  wait_for_rbac_before_key_operations    = { create = "60s" }
  wait_for_rbac_before_secret_operations = { create = "60s" }

  role_assignments = {
    # Deployment user (the object_id of data.azurerm_client_config): secrets
    # and keys at vault scope.
    deployment_user_secrets = {
      principal_id               = data.azurerm_client_config.current.object_id
      role_definition_id_or_name = "Key Vault Secrets Officer"
    }
    deployment_user_keys = {
      principal_id               = data.azurerm_client_config.current.object_id
      role_definition_id_or_name = "Key Vault Crypto Officer"
    }

    # User-assigned identity attached to the VM. The original comments called
    # this the disk-encryption-set identity, but no DES exists here. Both
    # roles grant write access; nothing in this listing shows the identity
    # needing more than read on secrets, so a narrower role may be enough -
    # confirm against the VM module's actual use of the identity.
    user_managed_identity_keys = {
      principal_id               = azurerm_user_assigned_identity.example_identity.principal_id
      role_definition_id_or_name = "Key Vault Crypto Officer"
    }
    user_managed_identity__secret_officer = {
      principal_id               = azurerm_user_assigned_identity.example_identity.principal_id
      role_definition_id_or_name = "Key Vault Secrets Officer"
    }
  }
}

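module "testvm" {
  source  = "Azure/avm-res-compute-virtualmachine/azurerm"
  version = ">= 0.6"

  name                    = "demoname1"
  resource_group_name     = azurerm_resource_group.this_rg.name
  virtualmachine_os_type  = "Linux"
  virtualmachine_sku_size = "Standard_DC4s_v3"
  # zone                               = 1
  boot_diagnostics           = true
  enable_telemetry           = false
  encryption_at_host_enabled = false

  # Admin credential handling: the module generates the password/SSH key and
  # writes it to the vault referenced below (that write is what failed with 403
  # in the report above). Password authentication is left enabled on this Linux
  # VM for the repro; key-only authentication is the safer default.
  admin_username                         = "azureuser"
  generate_admin_password_or_ssh_key     = true
  disable_password_authentication        = false
  admin_credential_key_vault_resource_id = module.avm_res_keyvault_vault.resource.id

  managed_identities = {
    system_assigned            = true
    user_assigned_resource_ids = [azurerm_user_assigned_identity.example_identity.id]
  }

  network_interfaces = {
    network_interface_1 = {
      name = module.naming.network_interface.name_unique
      ip_configurations = {
        ip_configuration_1 = {
          name                          = "${module.naming.network_interface.name_unique}-ipconfig1"
          private_ip_subnet_resource_id = azurerm_subnet.this_subnet_1.id
        }
      }
    }
  }

  os_disk = {
    caching              = "ReadWrite"
    storage_account_type = "StandardSSD_LRS"
  }

  role_assignments = {
    role_assignment_2 = {
      # Role assignments take the principal's object ID. client_id is the
      # application (client) ID of the caller, not a principal, so the
      # original value could not resolve to the deployment user; the vault
      # module above already uses object_id for the same caller.
      principal_id               = data.azurerm_client_config.current.object_id
      role_definition_id_or_name = "Virtual Machine Contributor"
      description                = "Assign the Virtual Machine Contributor role to the deployment user on this virtual machine resource scope."
    }
  }

  source_image_reference = {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-focal"
    sku       = "20_04-lts-gen2"
    version   = "latest"
  }

  tags = local.tags

  # The secrets this module writes only reference the vault id, so Terraform
  # does not order them after the vault module's role assignments or its
  # wait_for_rbac_* waits; the 403 above shows the write racing RBAC
  # propagation. A module-level depends_on orders everything in this module
  # after everything in the vault module (assuming the wait is implemented as
  # a resource there - verify against the module source). Note that depends_on
  # on a module also defers any data sources inside it to apply time.
  depends_on = [module.avm_res_keyvault_vault]
}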
LaurentLesle commented 8 months ago

Please assign this to me; I will submit a PR to fix it.

matt-FFFFFF commented 8 months ago

Thank you for raising this and helping to fix 😄