hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_servicebus_namespace Customer Managed Key with System Assigned Identity not working #21313

Open dennis1f opened 1 year ago

dennis1f commented 1 year ago

Terraform Version

1.3.6

AzureRM Provider Version

3.50.0

Affected Resource(s)/Data Source(s)

azurerm_servicebus_namespace

Terraform Configuration Files

provider "azurerm" {
  features {}
}

resource "azurerm_servicebus_namespace" "azurermtest" {
  name                          = "azurermtest"
  location                      = "West Europe"
  resource_group_name           = "123"
  sku                           = "Premium"
  capacity                      = 1
  local_auth_enabled            = false
  public_network_access_enabled = false
  zone_redundant                = true

  customer_managed_key {
    key_vault_key_id                  = "https://asasdasdasdsa.vault.azure.net/keys/servicebus"
    infrastructure_encryption_enabled = true
  }

  identity {
    type = "SystemAssigned"
  }
}

Debug Output/Panic Output

>terraform validate
╷
│ Error: Missing required argument
│
│   on main.tf line 15, in resource "azurerm_servicebus_namespace" "azurermtest":
│   15:   customer_managed_key {
│
│ The argument "identity_id" is required, but no definition was found.

Expected Behaviour

azurerm_servicebus_namespace should support accessing customer managed keys in key vault with the system assigned identity of the service bus.

azurerm_servicebus_namespace.customer_managed_key.identity_id is not marked as a required property.

This is the resource used for testing:

{
  "sku": {
    "name": "Premium",
    "tier": "Premium",
    "capacity": 1
  },
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/123/providers/Microsoft.ServiceBus/namespaces/azurermtest",
  "name": "azurermtest",
  "type": "Microsoft.ServiceBus/Namespaces",
  "location": "West Europe",
  "tags": {},
  "identity": {
    "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "type": "SystemAssigned"
  },
  "properties": {
    "disableLocalAuth": true,
    "zoneRedundant": true,
    "encryption": {
      "keySource": "Microsoft.KeyVault",
      "keyVaultProperties": [
        {
          "keyName": "servicebus",
          "keyVaultUri": "https://asasdasdasdsa.vault.azure.net",
          "keyVersion": ""
        }
      ],
      "requireInfrastructureEncryption": true
    },
    "provisioningState": "Succeeded",
    "metricId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:azurermtest",
    "createdAt": "2023-04-05T13:02:52.54Z",
    "updatedAt": "2023-04-05T14:22:05.58Z",
    "serviceBusEndpoint": "https://azurermtest.servicebus.windows.net:443/",
    "status": "Active"
  }
}

Actual Behaviour

Using system assigned identity of service bus to authenticate against key vault to access the customer managed key should be possible.

azurerm_servicebus_namespace.customer_managed_key.identity_id is marked as a required property in the azurerm provider, therefore it is not possible to use the system assigned identity.

Steps to Reproduce

  1. terraform validate

Important Factoids

No response

References

No response

xiaxyi commented 1 year ago

Thanks @dennis1f for raising this issue. Let me confirm the behavior; if system assigned identity is supported, I will raise a PR to fix it.

xiaxyi commented 1 year ago

@dennis1f I checked the feature; indeed, the system managed identity is supported by customer managed key. But we'll have a cycle if we use the system managed identity in the customer managed key:

servicebus -> key vault key
key vault -> servicebus (needs to grant the servicebus namespace with correct key permission)

Can you try using azapi to update the customer managed key with system managed identity enabled?

resource "azapi_update_resource" "test" {
  # azurerm_servicebus_namespace exports the ARM resource ID as "id" (there is no "resource_id" attribute)
  resource_id = azurerm_servicebus_namespace.test.id
  type        = "Microsoft.ServiceBus/namespaces@2021-06-01-preview"

  body = jsonencode({
    properties = {
      encryption = {
        keySource = "Microsoft.KeyVault"
        keyVaultProperties = [
          {
            keyName     = azurerm_key_vault_key.test.name
            keyVaultUri = azurerm_key_vault.test.vault_uri
            keyVersion  = azurerm_key_vault_key.test.version
          }
        ]
      }
    }
  })
}

dennis1f commented 1 year ago

@xiaxyi I tried; it applied without errors, but did not change anything. The Identity Type "User Assigned" was still selected. However, after adding identity = [] it also applied without errors and switched to "System Assigned". I also used keyVersion = "", so the latest key is used, but that should not matter, I guess.

resource "azapi_update_resource" "test" {
  resource_id = azurerm_servicebus_namespace.test.id
  type        = "Microsoft.ServiceBus/namespaces@2021-06-01-preview"

  body = jsonencode({
    properties = {
      encryption = {
        keySource = "Microsoft.KeyVault"
        keyVaultProperties = [
          {
            keyName     = "servicebus"
            keyVaultUri = "kvuri"  # placeholder for the key vault URI
            keyVersion  = ""       # empty string: the latest key version is used
            identity    = []       # empty identity: the namespace switched to "System Assigned"
          }
        ]
      }
    }
  })
}

xiaxyi commented 1 year ago

Thanks @dennis1f for the update. Looks like the API uses the new value to override the old one if the new value is present.

We are still considering whether to change the current behavior from the terraform provider perspective, because enabling system assigned identity will cause a loop, unless the user chooses to do a two-step deployment...
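The two-step deployment mentioned above, written out as an added example (it is not code from the issue or from the provider): the namespace is created first with only a system-assigned identity, the key vault then grants that principal just the key permissions Service Bus needs, and azapi attaches the key last, which breaks the namespace -> vault -> namespace cycle. It assumes an `azurerm_resource_group.example`, an `azurerm_key_vault.example` with purge protection enabled, an `azurerm_key_vault_key.example`, and the `azapi` provider declared in `required_providers`.

```hcl
# Step 1: create the namespace with a system-assigned identity and no customer_managed_key block.
resource "azurerm_servicebus_namespace" "example" {
  name                = "sbns-example" # assumed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Premium"
  capacity            = 1

  identity {
    type = "SystemAssigned"
  }

  # Precaution: keep the provider from reverting the encryption settings azapi applies below.
  lifecycle {
    ignore_changes = [customer_managed_key]
  }
}

# Step 2: the principal now exists, so grant it only the key permissions Service Bus needs.
resource "azurerm_key_vault_access_policy" "sb_cmk" {
  key_vault_id = azurerm_key_vault.example.id # assumed vault, purge protection enabled
  tenant_id    = azurerm_servicebus_namespace.example.identity[0].tenant_id
  object_id    = azurerm_servicebus_namespace.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Step 3: attach the key through the ARM API once the policy is in place; the empty
# identity entry selects the system-assigned identity, as observed in this thread.
resource "azapi_update_resource" "sb_cmk" {
  resource_id = azurerm_servicebus_namespace.example.id
  type        = "Microsoft.ServiceBus/namespaces@2021-06-01-preview"
  body = jsonencode({
    properties = {
      encryption = {
        keySource = "Microsoft.KeyVault"
        keyVaultProperties = [{
          keyName     = azurerm_key_vault_key.example.name
          keyVaultUri = azurerm_key_vault.example.vault_uri
          keyVersion  = "" # empty: always the latest key version
          identity    = []
        }]
        requireInfrastructureEncryption = true
      }
    }
  })

  depends_on = [azurerm_key_vault_access_policy.sb_cmk]
}
```

Because the access policy depends on the namespace's principal_id and the azapi update depends on the policy, a single apply orders the three steps without a cycle.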

hisbanliu commented 5 months ago

I'm experiencing the same issue, which is causing me to be unable to import already created Azure resources. When will this be fixed, please?