Open Sbargaoui opened 8 months ago
@Sbargaoui Thank you for raising this issue. I have had a try with the Portal; it looks different from your post. To allow public access from selected networks, you have to enable Public network access first. Would you have a try with your Terraform configuration by setting public_network_access_enabled=true and giving acls with specific networks?
The settings in the portal look different when you create a new Key Vault than when you update an existing one. But you are right, after setting public_network_access_enabled = true and network_acls something like this:

```hcl
network_acls {
  default_action             = "Deny"
  bypass                     = "AzureServices"
  virtual_network_subnet_ids = [
    azurerm_subnet.subnetxy.id
  ]
}
```

in the portal the option "Allow public access from specific virtual networks and IP addresses" is selected and the vnet is set accordingly.
It appears that there's a distinction in behavior between creating a new key vault resource and updating an existing one.
When configuring a network_acls block with public_network_access_enabled=true, the expected behavior is "Allow public access from specific virtual networks and IP addresses", which aligns with the intended functionality.
However, issues arise when attempting to update an existing resource to restrict access solely to specific sources, especially if it was initially configured as fully private or fully public. This inconsistency in behavior during updates is where the problem lies.
I have tried it in here. When creating a KV: Deny + network_acls checks 'Allow public access from specific virtual networks and IP addresses'. However, when updating an existing KV that has drifted, the same code checks 'Disable public access'.
There is a bug.
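Because the portal shows different options on create and on update, the reliable way to see which mode an apply actually produced is to read the vault's ARM properties rather than the portal. The script below is an added example (not code from the issue or from the provider) that takes the JSON from `az keyvault show --name <vault> --resource-group <rg> -o json` and maps it to the three portal options discussed above, reports drift against the intended option, and emits the equivalent azurerm_key_vault arguments. The sample vaults and the subnet ID are constructed, and the mapping of publicNetworkAccess/defaultAction to the portal wording is an assumption based on what the thread reports for the create path.

```python
"""Classify a Key Vault's effective network mode from `az keyvault show` JSON.

Added example; the three vault documents below are constructed, not captured.
"""
import json
import sys

# Portal wording for the three modes discussed in the issue.
ALL_NETWORKS = "Allow public access from all networks"
SELECTED_NETWORKS = "Allow public access from specific virtual networks and IP addresses"
DISABLED = "Disable public access"


def network_mode(vault):
    """Map properties.publicNetworkAccess + networkAcls.defaultAction to a portal option.

    Assumed mapping (consistent with the create behaviour reported in the issue):
      publicNetworkAccess "Disabled"                      -> DISABLED
      publicNetworkAccess "Enabled", defaultAction Allow  -> ALL_NETWORKS
      publicNetworkAccess "Enabled", defaultAction Deny   -> SELECTED_NETWORKS
    A missing networkAcls block is treated as defaultAction Allow.
    """
    props = vault.get("properties", {})
    if str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return DISABLED
    acls = props.get("networkAcls") or {}
    if str(acls.get("defaultAction", "Allow")).lower() == "deny":
        return SELECTED_NETWORKS
    return ALL_NETWORKS


def allowed_sources(vault):
    """Return the explicit allow-list: subnet resource IDs, IP ranges and the bypass setting."""
    acls = vault.get("properties", {}).get("networkAcls") or {}
    return {
        "subnets": [r["id"] for r in acls.get("virtualNetworkRules", []) if "id" in r],
        "ip_rules": [r["value"] for r in acls.get("ipRules", []) if "value" in r],
        "bypass": acls.get("bypass", "AzureServices"),
    }


def terraform_settings(vault):
    """The azurerm_key_vault arguments that describe this vault's current network state."""
    acls = vault.get("properties", {}).get("networkAcls") or {}
    src = allowed_sources(vault)
    return {
        "public_network_access_enabled": network_mode(vault) != DISABLED,
        "network_acls": {
            "default_action": acls.get("defaultAction", "Allow"),
            "bypass": src["bypass"],
            "virtual_network_subnet_ids": src["subnets"],
            "ip_rules": src["ip_rules"],
        },
    }


def check_apply(before, after, intended):
    """Compare the vault before and after `terraform apply` against the intended portal option.

    Returns (ok, message). Also flags a Deny default with an empty allow-list, which
    leaves only bypassed Azure services able to reach the vault.
    """
    got = network_mode(after)
    if got != intended:
        return False, "drift: wanted %r, vault is in %r (was %r)" % (intended, got, network_mode(before))
    if got == SELECTED_NETWORKS:
        src = allowed_sources(after)
        if not src["subnets"] and not src["ip_rules"]:
            return False, "Deny with an empty allow-list: only bypassed Azure services can reach the vault"
    return True, "ok: %r" % got


# Constructed samples in the shape of `az keyvault show -o json` output (assumed IDs).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
             "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/subnetxy")

PRIVATE_VAULT = {"name": "kv-example", "properties": {"publicNetworkAccess": "Disabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}}}
SELECTED_VAULT = {"name": "kv-example", "properties": {"publicNetworkAccess": "Enabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [],
                    "virtualNetworkRules": [{"id": SUBNET_ID}]}}}
PUBLIC_VAULT = {"name": "kv-example", "properties": {"publicNetworkAccess": "Enabled",
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}}}


if __name__ == "__main__":
    # Usage: python kv_mode.py before.json after.json
    # where each file is the output of `az keyvault show ... -o json`.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_before, open(sys.argv[2]) as f_after:
            ok, msg = check_apply(json.load(f_before), json.load(f_after), SELECTED_NETWORKS)
        print(msg)
    else:
        for label, v in (("private", PRIVATE_VAULT), ("selected", SELECTED_VAULT), ("public", PUBLIC_VAULT)):
            print(label, "->", network_mode(v), json.dumps(terraform_settings(v)))
```

Run it against a `show` taken before and after the apply described in the thread: if the second file reports "Disable public access" while the configuration had public_network_access_enabled = true and a Deny default, the drift the issue describes has reproduced.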
Terraform Version
1.7.5
AzureRM Provider Version
3.97.1
Affected Resource(s)/Data Source(s)
azurerm_key_vault
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
Resource azurerm_key_vault should support allowing public access from specific virtual networks and IP addresses when a network_acls block is specified.
Actual Behaviour
Resource azurerm_key_vault only supports "Allow public access from all networks" or "Disable public access", even when specifying a network_acls block in order to allow public access from specific virtual networks and IP addresses. The network_acls block is taken into account when manually switching to "Allow public access from specific virtual networks and IP addresses", as shown in the screenshot.
Steps to Reproduce
terraform apply
Important Factoids
No response
References
No response