Error creating azurerm_app_service_certificate from Key Vault Secret

[JonathonAnderson]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.3

AzureRM Provider Version

3.113.0

Affected Resource(s)/Data Source(s)

azurerm_app_service_certificate

Terraform Configuration Files

data "azurerm_key_vault_certificate" "gateway" {
  for_each = { for config in var.gateway.config : config.certificate.display-name => config }

  name         = each.value.certificate.display-name
  key_vault_id = var.key-vault.id
}


resource "azurerm_app_service_certificate" "appcert" {
  for_each = { for config in var.gateway.config : config.name => config }

  name                = lower(format("az-asc-%s-%s-%s-%s-%s", each.key, var.tags["WorkloadName"], var.tags["Env"], var.rg.location, var.tags["Env-Serial"]))
  resource_group_name = var.rg.name
  location            = var.rg.location
  key_vault_secret_id = data.azurerm_key_vault_certificate.gateway[each.value.certificate.display-name].id
}

Debug Output/Panic Output

╷
│ Error: creating/updating Certificate: (Name "az-asc-scim-web-dev-eastus-001" / Resource Group "az-rg-web-dev-eastus-001"): web.CertificatesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The service does not have access to '/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." Details=[{"Message":"The service does not have access to '/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"59716","Message":"The service does not have access to '/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.","MessageTemplate":"The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.","Parameters":["/subscriptions/***/resourcegroups/az-rg-web-dev-eastus-001/providers/microsoft.keyvault/vaults/az-kv-web-dev-001"]}}]
│ 
│   with module.web["001"].module.app-gateway.azurerm_app_service_certificate.appcert["scim"],
│   on modules\app-gateway\main.tf line 199, in resource "azurerm_app_service_certificate" "appcert":
│  199: resource "azurerm_app_service_certificate" "appcert" {
│ 
╵

Expected Behaviour

App Service Certificate successfully created

Actual Behaviour

Received error

Note that the service principal running Terraform has full permissions on secrets and "Get", "List", "Update", "Create" permissions for certificates. The service principal is also a "Contributor" on the Key Vault itself

The managed identity for the app service has "Get" permissions on both secrets and certificates. I tried adding "Key Vault Reader" permissions for the app service, but no change.

When I run our code with TF_LOG = "Trace" the only thing I see is a PUT request for the app service certificate and a 400 response.

Steps to Reproduce

No response

Important Factoids

No response

References

No response