
Permissions in self_permissions Block Not Matching Terraform Expected Format #17

@morbendor

Description


I encountered an issue while using version 2.1.0. The permission names in the self_permissions block (such as secret_permissions, key_permissions, certificate_permissions, etc.) are defined with lowercase values (e.g., "recover", "restore"). However, Terraform expects these permission values to start with uppercase letters (e.g., "Recover", "Restore").

Problem:
This is the configuration I initially used:

self_permissions = {
  object_id               = local.service_principal_object_id
  tenant_id               = data.azurerm_client_config.current.tenant_id
  key_permissions         = ["create", "delete", "get", "backup", "decrypt", "encrypt", "import", "list", "purge", "recover", "restore", "sign", "update", "verify"]
  secret_permissions      = ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"]
  certificate_permissions = ["backup", "create", "delete", "deleteissuers", "get", "getissuers", "import", "list", "listissuers", "managecontacts", "manageissuers", "purge", "recover", "restore", "setissuers", "update"]
  storage_permissions     = ["backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update"]
}

When applying this configuration, I received the following error:

│ Error: expected access_policy.0.secret_permissions.6 to be one of ["Get" "List" "Set" "Delete" "Recover" "Backup" "Restore" "Purge"], got restore
│ 
│   with module.key-vault.azurerm_key_vault.main,
│   on .terraform/modules/key-vault/main.tf line 97, in resource "azurerm_key_vault" "main":
│   97: resource "azurerm_key_vault" "main" {

Solution:
To fix the issue, I updated the permission values to use uppercase letters. Here's the corrected configuration:

self_permissions = {
  object_id               = local.service_principal_object_id
  tenant_id               = data.azurerm_client_config.current.tenant_id
  key_permissions         = ["Create", "Delete", "Get", "Backup", "Decrypt", "Encrypt", "Import", "List", "Purge", "Recover", "Restore", "Sign", "Update", "Verify"]
  secret_permissions      = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
  certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update"]
  storage_permissions     = ["Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"]
}

After making this change, the configuration worked as expected.
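A pre-apply check for the casing problem described in this issue, as an added example that is not part of the issue or of the module's code: it maps each permission name, compared case-insensitively, to the spelling the azurerm provider accepts and rewrites the `*_permissions` lists in an HCL snippet, reporting any value it cannot map. The canonical lists are copied only from the provider error message and the corrected configuration above, so they are not the provider's full set of permission names; `normalise_permission`, `normalise_hcl` and the `SAMPLE_HCL` input are constructed for this example.

```python
"""Case-normalise azurerm_key_vault access-policy permission names in HCL text."""
import re

# Canonical spellings copied from the lists shown in this issue (the provider
# error for secret_permissions and the corrected configuration). The provider
# accepts further names the issue does not list; extend this table from the
# provider docs before relying on it. This is an illustration, not the full set.
CANONICAL = {
    "key_permissions": [
        "Create", "Delete", "Get", "Backup", "Decrypt", "Encrypt", "Import",
        "List", "Purge", "Recover", "Restore", "Sign", "Update", "Verify",
    ],
    "secret_permissions": [
        "Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set",
    ],
    "certificate_permissions": [
        "Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers",
        "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers",
        "Purge", "Recover", "Restore", "SetIssuers", "Update",
    ],
    "storage_permissions": [
        "Backup", "Delete", "DeleteSAS", "Get", "GetSAS", "List", "ListSAS",
        "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update",
    ],
}

# Lookup keyed on the lower-cased name, so "deletesas" resolves to "DeleteSAS".
_LOOKUP = {attr: {name.lower(): name for name in names} for attr, names in CANONICAL.items()}

# One "<attr>_permissions = [ ... ]" list written on a single line, the layout
# used in the issue's configuration.
_LIST_RE = re.compile(
    r'^(?P<indent>[ \t]*)(?P<attr>\w+_permissions)(?P<sep>[ \t]*=[ \t]*)\[(?P<body>[^\]]*)\]',
    re.MULTILINE,
)


def normalise_permission(attr, value):
    """Return the provider's spelling for `value`, or None if it is not in CANONICAL[attr]."""
    return _LOOKUP.get(attr, {}).get(value.strip().lower())


def normalise_hcl(text):
    """Rewrite every *_permissions list in `text` to canonical casing.

    Returns (new_text, unknown); `unknown` holds (attr, value) pairs that could
    not be mapped and are left untouched for a human to inspect.
    """
    unknown = []

    def fix(match):
        attr = match.group("attr")
        fixed = []
        for value in re.findall(r'"([^"]*)"', match.group("body")):
            canonical = normalise_permission(attr, value)
            if canonical is None:
                unknown.append((attr, value))
                canonical = value
            fixed.append(f'"{canonical}"')
        return f'{match.group("indent")}{attr}{match.group("sep")}[{", ".join(fixed)}]'

    return _LIST_RE.sub(fix, text), unknown


# Constructed sample input: the lower-case form from the issue plus one typo
# ("regenratekey") to show how unmappable values are reported.
SAMPLE_HCL = """self_permissions = {
  object_id           = local.service_principal_object_id
  secret_permissions  = ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"]
  storage_permissions = ["getsas", "regenratekey", "deletesas"]
}
"""

if __name__ == "__main__":
    fixed_text, unmapped = normalise_hcl(SAMPLE_HCL)
    print(fixed_text)
    for attr, value in unmapped:
        print(f"unrecognised {attr} value: {value!r}")
```

A plain `str.capitalize()` is not enough here: it turns "getsas" into "Getsas" and "deleteissuers" into "Deleteissuers", neither of which the provider accepts, so a lookup table keyed on the lower-cased name is the safer approach.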
