I'm using Terraform to try to deploy Event Hubs to Azure, but I always get this error when I run terraform plan:
│ Error: making Read request on Azure KeyVault Secret evnhs-d-test-01-tp-test-01-tp-seli: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=xxx;oid=xxx;iss=https://sts.windows.net/6f/' does not have secrets get permission on key vault 'kv-d-test-01-tp;location=westeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
│
│ with module.eventhub_02.azurerm_key_vault_secret.event_hub_namespace_secrets_send_listen,
│ on .terraform/modules/eventhub/event-hub/main.tf line 235, in resource "azurerm_key_vault_secret" "event_hub_namespace_secrets_send_listen":
│ 235: resource "azurerm_key_vault_secret" "event_hub_namespace_secrets_send_listen" {
│
I have 2 repositories, one with the modules and another where I deploy the Azure infrastructure.
I have a module called events-hub with this main.tf:
# Event Hub namespace to store Event Hubs
resource "azurerm_eventhub_namespace" "event_hub_namespace" {
  name                 = format("evnhs-%s", var.event_hub_namespace_name)
  location             = var.location
  resource_group_name  = var.resource_group_name
  sku                  = var.event_hub_namespace_sku
  capacity             = var.event_hub_namespace_capacity
  auto_inflate_enabled = false
  lifecycle {
    ignore_changes = [auto_inflate_enabled]
  }
  tags = var.tags
}
...
# Defines a namespace-level authorization rule for send and listen operations.
resource "azurerm_eventhub_namespace_authorization_rule" "evhns_auth_rule" {
  name = format("send-list-%s", var.event_hub_namespace_name)
  # Reference the namespace resource's name directly: the original literal
  # format("evhns-%s", ...) did not match the "evnhs-" prefix used above.
  namespace_name      = azurerm_eventhub_namespace.event_hub_namespace.name
  resource_group_name = var.resource_group_name
  listen              = true
  send                = true
  manage              = false
  depends_on          = [azurerm_eventhub_namespace.event_hub_namespace]
}
# Store the namespace's send/listen connection string as a Key Vault secret.
resource "azurerm_key_vault_secret" "event_hub_namespace_secrets_send_listen" {
  name         = format("%s-seli", azurerm_eventhub_namespace.event_hub_namespace.name)
  value        = azurerm_eventhub_namespace_authorization_rule.evhns_auth_rule.primary_connection_string
  key_vault_id = var.keyvault_id
  depends_on   = [azurerm_eventhub_namespace_authorization_rule.evhns_auth_rule]
}
In my other repository I have a key-vault.tf that has one with the permissions needed for the deployment, and another file called event-hub.tf:
module "eventhub" {
  source                   = "git::[email protected]:..."
  keyvault_id              = module.kv_engel_data_02.vault_id
  event_hub_namespace_name = format("%s-test-01-tp", var.environment)
  event_hub_namespace_sku  = "Standard"
  event_hub_namespace_capacity = "5"
  location                 = var.default_location
  resource_group_name      = var.default_resource_group
  tags                     = merge(var.tags, local.eventhub_tags)
  event_hubs_with_capture = [
    {
      resource_group_name = var.default_resource_group
      eventhub_name       = "raw-engellogsin"
      ...
      archive_name_format = "{Namespace}/{EventHub}/captured/{Year}_{Month}_{Day}_{Hour}_{Minute}_{Second}_{PartitionId}"
    },
  ]
  event_hubs_without_capture = []
  log_analytics_workspace_id = module.log_analytics.resource_id
}
I have Owner permission on my key vault and I think it's fine... I don't understand why this name is like that: evnhs-d-test-01-tp-test-01-tp-seli. Shouldn't it be like this: evnhs-d-test-01-tp-seli? How can I correct the error I have above?
I know this is something simple, and that it must be right in front of my eyes, but I'm not seeing it.
I've already tried to see if there was a problem with event_hub_namespace_name, whether it was being repeated somewhere, and I confirmed that my key vault is OK with the necessary permissions...
My key-vault.tf is something like this:
module "kv_data_01" {
  source              = "git::[email protected]:..."
  resource_group_name = var.default_resource_group
  kv_name             = format("kv-%s-test-data-01-tp", var.environment)
  location            = var.default_location
  environment         = var.environment
  key_vault_secrets   = []
  kv_tenant_id        = var.sp_tenantid
  kv_sku_name         = "standard"
  tags                = merge(local.kv_test_data_tags, var.tags)
  access_policies_list = [
    {
      object_id               = var.kv_test_data_01_default_access[var.environment]
      key_permissions         = ["Get", "List", "Create", "Encrypt", "Decrypt", "Update"]
      secret_permissions      = ["Get", "List", "Purge", "Set", "Delete"]
      storage_permissions     = ["Get", "List"]
      certificate_permissions = ["Backup", "Create", "Delete", "Get", "List", "Import", "Purge", "Recover", "Restore", "Update"]
    },
    {
      object_id               = var.adsg-iot-team
      key_permissions         = ["Get", "List", "Create", "Encrypt", "Decrypt", "Update"]
      secret_permissions      = ["Get", "List", "Purge", "Set", "Delete"]
      storage_permissions     = ["Get", "List"]
      certificate_permissions = ["Backup", "Create", "Delete", "Get", "List", "Import", "Purge", "Recover", "Restore", "Update"]
    },
    {
      object_id               = var.sp_objid # service principal that deploys objects
      key_permissions         = ["Get", "List", "Create", "Encrypt", "Decrypt", "Update"]
      secret_permissions      = ["Get", "List", "Purge", "Set", "Delete", "Recover", "Restore"]
      storage_permissions     = ["Get", "List"]
      certificate_permissions = ["Backup", "Create", "Delete", "Get", "List", "Import", "Purge", "Recover", "Restore", "Update"]
    },
    {
      object_id               = var.adsg-owners
      key_permissions         = ["Get", "List", "Create", "Encrypt", "Decrypt", "Update"]
      secret_permissions      = ["Get", "List", "Purge", "Set", "Delete", "Recover", "Restore"]
      storage_permissions     = ["Get", "List"]
      certificate_permissions = ["Backup", "Create", "Delete", "Get", "List", "Import", "Purge", "Recover", "Restore", "Update"]
    },
  ]
  log_analytics_workspace_id = module.log_analytics.resource_id
}
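The 403 above names three things worth checking against the Terraform code: the identity Terraform is running as (the `oid=` in the message), the vault it tried to read (`kv-d-test-01-tp`, which is not the `kv-%s-test-data-01-tp` name that `kv_data_01` creates, and `event-hub.tf` passes `module.kv_engel_data_02.vault_id` rather than `kv_data_01`), and the secret name, which the module builds as `format("%s-seli", format("evnhs-%s", var.event_hub_namespace_name))`. The script below is an added diagnostic example, not code from the question or from the modules it references: it parses a constructed copy of the error (made-up GUIDs in place of the redacted `xxx`), checks that oid against an access-policy list shaped like `access_policies_list`, and inverts the module's naming chain to show which value of `event_hub_namespace_name` must have produced the doubled name. The policy entries and GUIDs are constructed; `kv_data_01`'s real object ids are not on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 403 text from the question with the redacted
# appid/oid replaced by made-up GUIDs so there is something to extract.
SAMPLE_ERROR = (
    "Error: making Read request on Azure KeyVault Secret "
    "evnhs-d-test-01-tp-test-01-tp-seli: keyvault.BaseClient#GetSecret: "
    "Failure responding to request: StatusCode=403 -- Original Error: "
    "autorest/azure: Service returned an error. Status=403 Code=\"Forbidden\" "
    "Message=\"The user, group or application "
    "'appid=11111111-1111-1111-1111-111111111111;"
    "oid=22222222-2222-2222-2222-222222222222;iss=https://sts.windows.net/6f/' "
    "does not have secrets get permission on key vault "
    "'kv-d-test-01-tp;location=westeurope'.\" InnerError={\"code\":\"AccessDenied\"}"
)

# Constructed access-policy list in the shape of access_policies_list from
# key-vault.tf. The object ids are made up; none of them is the oid in the
# error, which is exactly the situation the 403 describes.
SAMPLE_POLICIES = [
    {"object_id": "33333333-3333-3333-3333-333333333333",  # stand-in for var.sp_objid
     "secret_permissions": ["Get", "List", "Purge", "Set", "Delete", "Recover", "Restore"]},
    {"object_id": "44444444-4444-4444-4444-444444444444",  # stand-in for var.adsg-owners
     "secret_permissions": ["Get", "List", "Purge", "Set", "Delete", "Recover", "Restore"]},
]

# Matches the pieces of the provider's 403 message that identify caller, vault
# and the missing data-plane permission.
_ERR_RE = re.compile(
    r"KeyVault Secret (?P<secret>\S+):.*?"
    r"appid=(?P<appid>[^;']+);oid=(?P<oid>[^;']+).*?"
    r"does not have secrets (?P<perm>\w+) permission on key vault '(?P<vault>[^;']+)",
    re.S,
)


@dataclass(frozen=True)
class Denial:
    secret: str
    appid: str
    oid: str
    permission: str
    vault: str


def parse_denial(message: str) -> Denial:
    """Extract the caller identity, vault and missing permission from the 403 text."""
    m = _ERR_RE.search(message)
    if not m:
        raise ValueError("not a Key Vault secrets permission error")
    return Denial(m["secret"], m["appid"], m["oid"], m["perm"], m["vault"])


def check_access_policy(policies, oid: str, permission: str) -> dict:
    """Report whether `oid` has an access-policy entry and whether it grants `permission` on secrets."""
    entry = next((p for p in policies if p["object_id"].lower() == oid.lower()), None)
    granted = [s.lower() for s in entry.get("secret_permissions", [])] if entry else []
    return {
        "oid_in_policies": entry is not None,
        "has_permission": permission.lower() in granted,
        "secret_permissions": granted,
    }


def expected_secret_name(namespace_var: str) -> str:
    """Reproduce the module's naming chain: namespace name, then secret name."""
    namespace_name = f"evnhs-{namespace_var}"  # format("evnhs-%s", var.event_hub_namespace_name)
    return f"{namespace_name}-seli"             # format("%s-seli", namespace.name)


def infer_namespace_var(secret_name: str) -> str:
    """Invert the chain: which event_hub_namespace_name value produced this secret name?"""
    if not (secret_name.startswith("evnhs-") and secret_name.endswith("-seli")):
        raise ValueError("secret name does not follow the module's pattern")
    return secret_name[len("evnhs-"):-len("-seli")]


def diagnose(message: str, policies, environment: str) -> dict:
    """Combine the identity check and the naming check into one report."""
    d = parse_denial(message)
    report = {"vault": d.vault, "oid": d.oid, "permission": d.permission}
    report.update(check_access_policy(policies, d.oid, d.permission))
    report["namespace_var_seen"] = infer_namespace_var(d.secret)
    # event-hub.tf passes format("%s-test-01-tp", var.environment) to the module.
    report["expected_secret_name"] = expected_secret_name(f"{environment}-test-01-tp")
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_ERROR, SAMPLE_POLICIES, "d").items():
        print(f"{key:22} {value}")
```

Two points the report makes concrete. First, Owner on the vault is an Azure RBAC (control-plane) role; with the vault in the access-policy permission model, a secret read is authorised only by an access-policy entry for the calling oid, and that oid is whatever identity the provider authenticated as (a user from `az login`, or the service principal), which need not equal `var.sp_objid`. Second, the doubled `-test-01-tp` can only come from the value the module instance received for `event_hub_namespace_name`, so the `module.eventhub_02` instance named in the error is the place to compare against the `module "eventhub"` block shown above.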