hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for secret_resource_manager_id attribute in azurerm_key_vault_certificate #24047

Open somebears opened 10 months ago

somebears commented 10 months ago

Description

When working with Azure Key Vault Certificates I want to use certificate/secret level permissions. To do this, I need to access the secret that belongs to the Certificate. The provider exposes the "secret_id", but this is not the value I need, I need the resource ID of the secret. A similar thing already exists for the ID of the certificate in the form of the "id" and "resource_manager_id". I am proposing additional attributes "resource_manager_secret_id" (or "secret_resource_manager_id") and their "_versionless" variations.

New or Affected Resource(s)/Data Source(s)

azurerm_key_vault_certificate

Potential Terraform Configuration

resource "azurerm_role_assignment" "cert-secret-access" {
  scope                = azurerm_key_vault_certificate.this.resource_manager_versionless_secret_id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = local.user
}

References

No response

wuxu92 commented 10 months ago

Hi @somebears, thank you for submitting this! The secret name of the certificate is actually identical to the certificate itself. Therefore, we can utilize the azurerm_key_vault_secret data source directly. You may try using the following configuration:

# The secret created alongside a Key Vault certificate carries the certificate's name,
# so the secret can be looked up directly by that name in the same vault.
data "azurerm_key_vault_secret" "test" {
  name         = azurerm_key_vault_certificate.this.name
  key_vault_id = azurerm_key_vault.this.id
}

# Azure Resource Manager ID of the current secret version.
output "secret_id" {
  value = data.azurerm_key_vault_secret.test.resource_id
}

# Azure Resource Manager ID without the version segment (the form used as a role assignment scope).
output "secret_versionless_id" {
  value = data.azurerm_key_vault_secret.test.resource_versionless_id
}

somebears commented 9 months ago

Hello @wuxu92, thank you for your reply. I am using the following workaround at the moment (mostly because I was not sure whether the secret name is always identical to the certificate name):

locals {
  # Extract the secret name from the certificate's versionless data-plane secret URI
  # (https://<vault>.vault.azure.net/secrets/<name>) instead of assuming it equals the certificate name.
  certificate_secret = regex("^${azurerm_key_vault.this.vault_uri}secrets/(?P<name>[\\w-]*)$", azurerm_key_vault_certificate.this.versionless_secret_id)
}

# Look the secret up by the extracted name to obtain its Resource Manager IDs.
data "azurerm_key_vault_secret" "this" {
  name         = local.certificate_secret.name
  key_vault_id = azurerm_key_vault_certificate.this.key_vault_id
}

The impact here is minimal; it just felt like this parameter should be there.

wuxu92 commented 9 months ago

Hi @somebears, according to the Azure documentation, the secret name is the same as the certificate name: https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#composition-of-a-certificate

When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations, and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public X.509 certificate metadata.

somebears commented 9 months ago

In case the "waiting-response" label is for me: I still think that this attribute should be added. I completely agree that there is an easy workaround and the topic is very minor.