hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault ignores tenant_id #26056

Open rmmason opened 5 months ago

rmmason commented 5 months ago

Terraform Version

1.6.6

AzureRM Provider Version

3.103.1

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

resource "azurerm_key_vault" "kv_test" {
  name                               = "test-kv"
  location                           = azurerm_resource_group.rg.location
  resource_group_name                = azurerm_resource_group.rg.name
  enable_rbac_authorization          = true
  tenant_id                          = "<subscription-tenant-id>"
  public_network_access_enabled      = true 
  sku_name                           = "standard"
  soft_delete_retention_days         = 7
  tags                               = var.tags
}

Debug Output/Panic Output

Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10032: Invalid issuer. Expected one of https://sts.windows.net/#######, https://sts.windows.net/#######/, https://sts.windows.net/######, found https://sts.windows.net/######/

Expected Behaviour

The keyvault should be created with a directory id which matches the supplied tenant_id and there shouldn't be an error.

Actual Behaviour

The keyvault is created; however, it has ignored the tenant_id provided (which was the same as the subscription's) and has a directory_id in the portal which matches the external user's home directory and not the subscription directory.

The keyvault is subsequently unusable and has an error at the top of the overview pane which says "The directory () currently selected differs from this key vault's directory. Some actions will be disabled."

Steps to Reproduce

  1. Create an external user in the subscription directory.
  2. Give the external user permissions that will allow them to create a key vault. We made this user an owner of the subscription.
  3. Use the CLI to login to the subscription as the external user using: "az login --tenant "
  4. Run terraform apply.

Important Factoids

Running the scripts as an External User, as this is on a customer's subscription.

References

No response

wuxu92 commented 5 months ago

Hi @rmmason, thanks for filing this issue. Could you try adding the subscription-tenant-id to the auxiliary_tenant_ids field and see if it resolves the error?

rmmason commented 5 months ago

Hi @wuxu92 - Thank you for your response. We have already tried that and the error still occurs.

wuxu92 commented 5 months ago

@rmmason, thank you for the update. Upon reviewing this case, I am wondering if there is a situation where it is necessary to create a key vault in a different tenant ID. I have not been able to find any documentation on this matter, apart from the swagger definition. Additionally, when observing the portal page, it appears that a key vault with a different tenant ID has limited functionality despite its provisioning state being "Succeeded." The linked document suggests that this should only occur when transferring an Azure Key Vault to another subscription.

rmmason commented 5 months ago

@wuxu92 - Can you provide me with the link to where you think it suggests it shouldn't work? So far the KeyVault is the only piece of architecture we have had a problem with.

We are authenticating as an external user in the current tenant so those user accounts do exist as (external users /guests) in the current tenant.

Maybe I could raise a ticket with Microsoft to ask if they could confirm if this should be possible on the backend and point them to this ticket if it is unclear in the documentation.

sherySSH commented 2 months ago

Facing the same issue, but I am not an external user. My user is present in the tenant ID. During "terraform plan" it gives me the correct tenant ID, but after I apply I find that in tfstate the tenant ID for the Key Vault is completely different,
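A post-apply check for the symptom described in this thread (a key vault recorded in state with a tenant_id other than the one configured), added here as an example and not code from the issue or the provider: it parses a Terraform v4 state file and lists every azurerm_key_vault whose stored tenant_id differs from the expected tenant. The sample state and the tenant IDs in it are constructed placeholders.

```python
import json
import sys

# Constructed sample of a v4 terraform.tfstate with two key vaults; the
# tenant IDs are placeholders, not real values.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "azurerm_key_vault", "name": "kv_test",
         "instances": [{"attributes": {
             "name": "test-kv",
             "tenant_id": "11111111-1111-1111-1111-111111111111"}}]},
        {"mode": "managed", "type": "azurerm_key_vault", "name": "kv_ok",
         "module": "module.shared",
         "instances": [{"attributes": {
             "name": "ok-kv",
             "tenant_id": "00000000-0000-0000-0000-000000000000"}}]},
        {"mode": "managed", "type": "azurerm_resource_group", "name": "rg",
         "instances": [{"attributes": {"name": "rg"}}]},
    ],
})


def key_vault_tenants(state_json):
    """Yield (resource address, tenant_id) for each azurerm_key_vault instance."""
    state = json.loads(state_json)
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "azurerm_key_vault":
            continue
        prefix = res["module"] + "." if res.get("module") else ""
        for inst in res.get("instances", []):
            key = inst.get("index_key")  # set for count / for_each instances
            suffix = f"[{key!r}]" if key is not None else ""
            address = f'{prefix}{res["type"]}.{res["name"]}{suffix}'
            yield address, inst.get("attributes", {}).get("tenant_id")


def find_tenant_mismatches(state_json, expected_tenant):
    """Return [(address, tenant_id)] for key vaults not in the expected tenant."""
    expected = expected_tenant.strip().lower()
    return [(addr, tid) for addr, tid in key_vault_tenants(state_json)
            if (tid or "").strip().lower() != expected]


if __name__ == "__main__":
    # usage: python check_kv_tenant.py terraform.tfstate <expected-tenant-id>
    with open(sys.argv[1]) as fh:
        for addr, tid in find_tenant_mismatches(fh.read(), sys.argv[2]):
            print(f"{addr}: tenant_id {tid} does not match expected tenant")
```

Run it against the state after apply; a non-empty result means the vault landed in a different directory than the configuration asked for, which is the condition the portal warning in this thread reports.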