hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault --> enable_rbac_authorization doesn't work?! #25988

Open thatdotnetguy opened 3 months ago

thatdotnetguy commented 3 months ago

Terraform Version

1.8.3

AzureRM Provider Version

3.100.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

resource "azurerm_key_vault" "keyvault" {
  name                        = var.name
  location                    = var.location
  resource_group_name         = var.resource_group_name
  tenant_id                   = var.tenant_id
  public_network_access_enabled = false
  enable_rbac_authorization   = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name = "standard"
}

Debug Output/Panic Output

Output says it's all rainbows...

  # module.contractreview_keyvault.azurerm_key_vault.keyvault will be created
  + resource "azurerm_key_vault" "keyvault" {
      + access_policy                 = (known after apply)
      + enable_rbac_authorization     = true
      + id                            = (known after apply)
      + location                      = "australiaeast"
      + name                          = "myprojectname-develop-contracts"
      + public_network_access_enabled = false
      + purge_protection_enabled      = false
      + resource_group_name           = "myprojectname-develop"
      + sku_name                      = "standard"
      + soft_delete_retention_days    = 7
      + tenant_id                     = "***"
      + vault_uri                     = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
module.contractreview_keyvault.azurerm_key_vault.keyvault: Creating...
module.contractreview_keyvault.azurerm_key_vault.keyvault: Creation complete after 6s [id=/subscriptions/***/resourceGroups/myprojectname-develop/providers/Microsoft.KeyVault/vaults/myprojectname-develop-contracts]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Expected Behaviour

In portal --> created key vault --> Access configuration should be set to "Azure role-based access control (recommended)"


Actual Behaviour

Vault access policy is set instead

Steps to Reproduce

resource "azurerm_key_vault" "keyvault" {
  name                          = var.name
  location                      = var.location
  resource_group_name           = var.resource_group_name
  tenant_id                     = var.tenant_id
  public_network_access_enabled = false
  enable_rbac_authorization     = true
  soft_delete_retention_days    = 7
  purge_protection_enabled      = false
  sku_name                      = "standard"
}

Important Factoids

No

References

No

Xiol commented 2 months ago

I can replicate this on v3.106.1.

Worth noting that in the state, RBAC is set to false regardless of the enable_rbac_authorization setting:

❯ terraform state show module.keyvault.azurerm_key_vault.main
# module.keyvault.azurerm_key_vault.main:
resource "azurerm_key_vault" "main" {
    access_policy                   = []
    enable_rbac_authorization       = false   # <------
    enabled_for_deployment          = false
    enabled_for_disk_encryption     = false
...snip...

Xiol commented 2 months ago

Okay, so turns out my problem was that while I had Owner permission on the created KeyVault, inherited from the subscription, I had a role constraint that prevented me from changing the KeyVault to RBAC.

Removing the 'Role Based Access Control Administration' constraint on the Owner role allowed me to create the Key Vault via Terraform with RBAC enabled.

Looks like when this constraint is present it silently prevents you from setting RBAC via TF - it does error if you attempt to switch it via the Portal, though.

wave-ys commented 1 week ago

I encountered the same issue. But my case was that I had had a Key Vault with the same name before, and when I applied Terraform, it simply recovered the key vault. So I had to disable this auto-recovery feature. I spent a total of four hours before finally realising that :(

The document is here: azurerm_key_vault

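Both root causes in this thread (Xiol's role-assignment constraint and wave-ys's recovered soft-deleted vault) share one security-relevant property: `terraform apply` reports success while the vault is actually left on "Vault access policy" instead of RBAC. The script below is an added example, not code from this issue or from the provider; it shows a post-apply check that reads the vault back through the Azure CLI and fails loudly on that drift, plus a check for a soft-deleted vault with the same name before applying. The JSON embedded here is constructed sample output so the script runs offline; the field names (`enableRbacAuthorization`, `accessPolicies`, `deletionDate`, `scheduledPurgeDate`, `vaultId`) are the real ARM property names, and the vault and resource-group names are the ones from the issue. The `VAULT`/`RG` variables in the usage comments are assumptions.

```shell
#!/bin/sh
# Post-apply verification for an azurerm_key_vault (added example, not provider code).
#
# Live usage (VAULT and RG are assumed names for your vault and resource group):
#   check_rbac "$(az keyvault show --name "$VAULT" --resource-group "$RG" -o json)" \
#     || echo "DRIFT: vault is on access policies"
#   soft_deleted_exists "$(az keyvault list-deleted -o json)" "$VAULT" \
#     && echo "soft-deleted vault with this name exists; apply would recover it"

# CONSTRUCTED sample of `az keyvault show ... -o json`, abridged to the fields
# used here. This is the state Xiol saw: apply was green, RBAC is off.
SAMPLE_SHOW_RBAC_OFF='{
  "name": "myprojectname-develop-contracts",
  "resourceGroup": "myprojectname-develop",
  "properties": {
    "accessPolicies": [],
    "enableRbacAuthorization": false,
    "enableSoftDelete": true
  }
}'

# CONSTRUCTED sample of the healthy case.
SAMPLE_SHOW_RBAC_ON='{
  "name": "myprojectname-develop-contracts",
  "resourceGroup": "myprojectname-develop",
  "properties": {
    "accessPolicies": [],
    "enableRbacAuthorization": true,
    "enableSoftDelete": true
  }
}'

# CONSTRUCTED sample of `az keyvault list-deleted -o json`: wave-ys's situation,
# an older vault with the same name waiting to be recovered (dates are made up).
SAMPLE_LIST_DELETED='[
  {
    "name": "myprojectname-develop-contracts",
    "properties": {
      "deletionDate": "2024-05-01T10:00:00+00:00",
      "scheduledPurgeDate": "2024-05-08T10:00:00+00:00",
      "vaultId": "/subscriptions/***/resourceGroups/myprojectname-develop/providers/Microsoft.KeyVault/vaults/myprojectname-develop-contracts"
    }
  }
]'

# Collapse JSON onto one line with no whitespace so POSIX sed/grep can find
# fields. Adequate for vault names, which cannot contain whitespace.
flatten_json() {
  printf '%s' "$1" | tr -d ' \n\r\t'
}

# Print the value of properties.enableRbacAuthorization ("true" or "false");
# prints nothing when the field is absent.
rbac_setting() {
  flatten_json "$1" | sed -n 's/.*"enableRbacAuthorization":\([a-z]*\).*/\1/p'
}

# Return 0 only when RBAC authorization is really on. false or a missing field
# both count as drift from enable_rbac_authorization = true and return 1.
check_rbac() {
  [ "$(rbac_setting "$1")" = "true" ]
}

# Return 0 when the list-deleted output $1 contains a vault named $2.
soft_deleted_exists() {
  flatten_json "$1" | grep -qF "\"name\":\"$2\""
}

# Demo against the constructed samples.
if check_rbac "$SAMPLE_SHOW_RBAC_OFF"; then
  echo "access configuration: Azure RBAC"
else
  echo "DRIFT: vault is on access policies although Terraform planned enable_rbac_authorization = true"
fi
if soft_deleted_exists "$SAMPLE_LIST_DELETED" "myprojectname-develop-contracts"; then
  echo "a soft-deleted vault with this name exists; apply would recover it with its old access configuration"
fi
```

Run the `check_rbac` call as a pipeline step right after `terraform apply` so a role-assignment constraint like the one Xiol hit fails the job instead of being discovered in the portal later; run `soft_deleted_exists` before apply, since once the provider recovers the old vault its previous access configuration comes back with it. For wave-ys's case the provider-side switch is the `recover_soft_deleted_key_vaults` setting in the `key_vault` block of the provider's `features` block, which is what "disable this auto-recovery feature" refers to.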