Open dennis1f opened 1 year ago
Thanks @dennis1f for raising this issue. Let me confirm the behavior; if the system assigned identity is supported, I will raise a PR to fix it.
@dennis1f I checked the feature; indeed, the system managed identity is supported by customer managed key. But we'll have a cycle if we use the system managed identity in the customer managed key:
servicebus -> key vault key
key vault -> servicebus (needs to grant the servicebus namespace with correct key permission)
Can you try using azapi to update the customer managed key with the system managed identity enabled?

```hcl
resource "azapi_update_resource" "test" {
  # The namespace exposes its ARM resource ID as `id` (there is no `resource_id` attribute)
  resource_id = azurerm_servicebus_namespace.test.id
  type        = "Microsoft.ServiceBus/namespaces@2021-06-01-preview"

  # Only the encryption properties are sent; everything else on the namespace is left untouched
  body = jsonencode({
    properties = {
      encryption = {
        keySource = "Microsoft.KeyVault"
        keyVaultProperties = [
          {
            keyName     = azurerm_key_vault_key.test.name
            keyVaultUri = azurerm_key_vault.test.vault_uri
            keyVersion  = azurerm_key_vault_key.test.version
          }
        ]
      }
    }
  })
}
```
@xiaxyi I tried; it applied without errors, but did not change anything. The Identity Type "User Assigned" was still selected. However, after adding `identity = []` it also applied without errors and switched to "System Assigned". I also used `keyVersion = ""`, so the latest key is used, but that should not matter, I guess.

```hcl
resource "azapi_update_resource" "test" {
  resource_id = azurerm_servicebus_namespace.test.id
  type        = "Microsoft.ServiceBus/namespaces@2021-06-01-preview"

  body = jsonencode({
    properties = {
      encryption = {
        keySource = "Microsoft.KeyVault"
        keyVaultProperties = [
          {
            keyName     = "servicebus"
            keyVaultUri = "kvuri"
            # empty version: the namespace tracks the latest version of the key
            keyVersion  = ""
            # empty identity list: clears the user assigned identity so the
            # system assigned identity is used
            identity    = []
          }
        ]
      }
    }
  })
}
```
Thanks @dennis1f for the update. It looks like the API uses the new value to override the old one if the new value is present.
We are still considering whether to change the current behavior from the Terraform provider perspective, because enabling the system assigned identity will cause a loop, unless the user chooses to do a two-step deployment...
I'm experiencing the same issue, which is causing me to be unable to import already created Azure resources. When will this be fixed, please?
Terraform Version
1.3.6
AzureRM Provider Version
3.50.0
Affected Resource(s)/Data Source(s)
azurerm_servicebus_namespace
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
azurerm_servicebus_namespace should support accessing customer managed keys in key vault with the system assigned identity of the service bus.
azurerm_servicebus_namespace.customer_managed_key.identity_id is not marked as a required property.
This is the resource used for testing:

```json
{
  "sku": {
    "name": "Premium",
    "tier": "Premium",
    "capacity": 1
  },
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/123/providers/Microsoft.ServiceBus/namespaces/azurermtest",
  "name": "azurermtest",
  "type": "Microsoft.ServiceBus/Namespaces",
  "location": "West Europe",
  "tags": {},
  "identity": {
    "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "type": "SystemAssigned"
  },
  "properties": {
    "disableLocalAuth": true,
    "zoneRedundant": true,
    "encryption": {
      "keySource": "Microsoft.KeyVault",
      "keyVaultProperties": [
        {
          "keyName": "servicebus",
          "keyVaultUri": "https://asasdasdasdsa.vault.azure.net",
          "keyVersion": ""
        }
      ],
      "requireInfrastructureEncryption": true
    },
    "provisioningState": "Succeeded",
    "metricId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:azurermtest",
    "createdAt": "2023-04-05T13:02:52.54Z",
    "updatedAt": "2023-04-05T14:22:05.58Z",
    "serviceBusEndpoint": "https://azurermtest.servicebus.windows.net:443/",
    "status": "Active"
  }
}
```
Actual Behaviour
Using system assigned identity of service bus to authenticate against key vault to access the customer managed key should be possible.
azurerm_servicebus_namespace.customer_managed_key.identity_id is marked as a required property in the azurerm provider; therefore it is not possible to use the system assigned identity.
Steps to Reproduce
Important Factoids
No response
References
No response