Azure AzApi provider in Terraform
I'm trying to use the Azure AzApi provider to update the Azure Key Vault key rotation policy. Both the Azure AzApi provider and Key Rotation Policy are very new features, released last week.
I don't get any error but it is not updating the attributes.
Code is very simple:
- read existing Key vault
- create a key using "azurerm_key_vault_key" resource
- Add Key rotation policy config using "azapi_update_resource" resource
My Code:
# read the existing Key Vault
data "azurerm_key_vault" "this" {
  name                = "kv33eerr"
  resource_group_name = "test"
}

resource "time_offset" "expiration_days" {
  offset_days = 364
}

# create the key with azurerm_key_vault_key
resource "azurerm_key_vault_key" "generated" {
  name            = "testkey01"
  key_vault_id    = data.azurerm_key_vault.this.id
  key_type        = "RSA"
  key_size        = 2048
  expiration_date = time_offset.expiration_days.rfc3339
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

# add the key rotation policy with azapi_update_resource
resource "azapi_update_resource" "rotaion" {
  type      = "Microsoft.KeyVault/vaults/keys@2021-10-01"
  parent_id = data.azurerm_key_vault.this.id
  name      = azurerm_key_vault_key.generated.name
  body = jsonencode(
    {
      properties = {
        lifetimeactions = [
          {
            action           = "rotate"
            timeaftercreate  = "p545d"
            timebeforeexpiry = null
          },
          {
            action           = "notify"
            timeaftercreate  = null
            timebeforeexpiry = "p20d"
          }
        ],
        expiresin = "p2y"
      }
    }
  )
  depends_on = [
    azurerm_key_vault_key.generated
  ]
}
Terraform Apply:
Terraform will perform the following actions:

  # azapi_update_resource.rotaion will be updated in-place
  ~ resource "azapi_update_resource" "rotaion" {
      ~ body      = jsonencode(
          ~ {
              ~ properties = {
                  + expiresin       = "p2y"
                  + lifetimeactions = [
                      + {
                          + action           = "rotate"
                          + timeaftercreate  = "p545d"
                          + timebeforeexpiry = null
                        },
                      + {
                          + action           = "notify"
                          + timeaftercreate  = null
                          + timebeforeexpiry = "p30d"
                        },
                    ]
                }
            }
        )
        id        = "/subscriptions/32055728-56f6-46dd-8fd1-3f50d4ae69a5/resourceGroups/test/providers/Microsoft.KeyVault/vaults/kv33eerr/keys/testkey01"
        name      = "testkey01"
      ~ output    = jsonencode({}) -> (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azapi_update_resource.rotaion: Modifying... [id=/subscriptions/32055728-56f6-46dd-8fd1-3f50d4ae69a5/resourceGroups/test/providers/Microsoft.KeyVault/vaults/kv33eerr/keys/testkey01]
azapi_update_resource.rotaion: Modifications complete after 3s [id=/subscriptions/3205xxxx-56f6-46dd-8fd1-3f50d4ae69a5/resourceGroups/test/providers/Microsoft.KeyVault/vaults/kv33eerr/keys/testkey01]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Key rotation policy:
az keyvault key rotation-policy show -n testkey01 --vault-name kv33eerr
{
  "createdOn": null,
  "expiresIn": null,
  "id": null,
  "lifetimeActions": [
    {
      "action": "Notify",
      "timeAfterCreate": null,
      "timeBeforeExpiry": "P30D"
    }
  ],
  "updatedOn": null
}
Solution 1:
The payload is not accurate. It is strongly recommended to install the AzApi VSCode Extension, which provides a rich authoring experience to help you use the AzApi provider: https://marketplace.visualstudio.com/items?itemName=azapi-vscode.azapi
resource "azapi_update_resource" "test" {
  type      = "Microsoft.KeyVault/vaults/keys@2021-11-01-preview"
  name      = azurerm_key_vault_key.generated.name
  parent_id = azurerm_key_vault_key.generated.key_vault_id
  body = jsonencode({
    properties = {
      rotationPolicy = {
        lifetimeActions = [
          {
            action = {
              type = "Rotate"
            }
            trigger = {
              timeAfterCreate  = "P20D"
              timeBeforeExpiry = null
            }
          },
          {
            action = {
              type = "Notify"
            }
            trigger = {
              timeAfterCreate  = null
              timeBeforeExpiry = "P20D"
            }
          }
        ],
        attributes = {
          expiryTime = "P2Y"
        }
      }
    }
  })
}
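As an added example (not code from the question or the answer above), the following Python builds the rotation policy `properties` block in the nested, camel-cased shape the answer uses, and audits the JSON that `az keyvault key rotation-policy show` printed for the question, where only a Notify action was present after the apply. The two sample `show` outputs are constructed for this example from the page's output; the day-based duration ordering (Y=365, M=30) and the finding strings are this example's own assumptions, not anything the Key Vault API returns.

```python
"""Added example: build a Key Vault rotation policy body in the shape the
accepted answer uses, and audit `az keyvault key rotation-policy show` output.
Not part of the original question or answer."""
import json
import re

# Durations Key Vault accepts for triggers and expiry: uppercase ISO 8601 with
# year/month/day parts (P20D, P18M, P2Y). Weeks and time parts are not handled
# here (an assumption of this example, not a statement about the API).
_DURATION = re.compile(r"P(?=\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?")


def duration_days(duration):
    """Approximate an ISO 8601 duration in days (Y=365, M=30) so triggers can be ordered.

    Rejects anything outside the pattern above, including lowercase forms such
    as the question's 'p545d'.
    """
    m = _DURATION.fullmatch(duration or "")
    if m is None:
        raise ValueError(f"not an uppercase ISO 8601 duration: {duration!r}")
    years, months, days = (int(g or 0) for g in m.groups())
    return years * 365 + months * 30 + days


def rotation_policy_body(rotate_after, notify_before, expires_in):
    """Return the AzApi `properties` block for Microsoft.KeyVault/vaults/keys@2021-11-01-preview.

    Nesting and casing follow the answer: each lifetime action is an object with
    `action.type` and a `trigger`, and expiry sits under
    `rotationPolicy.attributes.expiryTime`. The question's flat, lowercase
    `lifetimeactions`/`expiresin` keys applied without error but set nothing.
    """
    duration_days(notify_before)  # format check only
    if duration_days(rotate_after) >= duration_days(expires_in):
        raise ValueError("rotation must be triggered before the key expires")
    return {
        "properties": {
            "rotationPolicy": {
                "lifetimeActions": [
                    {"action": {"type": "Rotate"},
                     "trigger": {"timeAfterCreate": rotate_after, "timeBeforeExpiry": None}},
                    {"action": {"type": "Notify"},
                     "trigger": {"timeAfterCreate": None, "timeBeforeExpiry": notify_before}},
                ],
                "attributes": {"expiryTime": expires_in},
            }
        }
    }


def _action_type(action):
    # `az keyvault key rotation-policy show` prints "Notify"/"Rotate" as a string;
    # the ARM body nests it as {"type": ...}. Accept both shapes.
    if isinstance(action, dict):
        action = action.get("type")
    return (action or "").lower()


def check_policy_output(show_json):
    """Audit the JSON from `az keyvault key rotation-policy show`.

    Returns a list of findings; an empty list means a Rotate action exists, an
    expiry is set, and the rotate trigger fires before that expiry.
    """
    policy = json.loads(show_json)
    findings = []
    actions = {_action_type(a.get("action")): a for a in policy.get("lifetimeActions") or []}
    expires_in = policy.get("expiresIn")
    if "rotate" not in actions:
        findings.append("no Rotate action: the key will never rotate automatically")
    if not expires_in:
        findings.append("expiresIn is null: rotated keys are created without an expiry")
    rotate = actions.get("rotate")
    after_create = rotate.get("timeAfterCreate") if rotate else None
    if after_create and expires_in and duration_days(after_create) >= duration_days(expires_in):
        findings.append("Rotate trigger fires at or after expiry; the key will expire first")
    return findings


# Constructed sample mirroring the question's `show` output: only a Notify
# action is present, so nothing will ever rotate the key.
QUESTION_SHOW_OUTPUT = json.dumps({
    "createdOn": None, "expiresIn": None, "id": None,
    "lifetimeActions": [
        {"action": "Notify", "timeAfterCreate": None, "timeBeforeExpiry": "P30D"}
    ],
    "updatedOn": None,
})

# Constructed sample of the policy the answer's body is meant to produce.
FIXED_SHOW_OUTPUT = json.dumps({
    "expiresIn": "P2Y",
    "lifetimeActions": [
        {"action": "Rotate", "timeAfterCreate": "P20D", "timeBeforeExpiry": None},
        {"action": "Notify", "timeAfterCreate": None, "timeBeforeExpiry": "P20D"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(rotation_policy_body("P20D", "P20D", "P2Y"), indent=2))
    print(check_policy_output(QUESTION_SHOW_OUTPUT))
    print(check_policy_output(FIXED_SHOW_OUTPUT))
```

Run `check_policy_output` against the real `az keyvault key rotation-policy show -o json` output after `terraform apply`; a successful apply alone proved nothing in the question, since the wrong payload was accepted and ignored.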
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow