
Unable to create new azurerm_app_configuration_key #23858

Closed
1 task done
ianmccaul opened this issue Nov 9, 2023 · 9 comments

Comments

@ianmccaul

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.3

AzureRM Provider Version

3.79.0

Affected Resource(s)/Data Source(s)

azurerm_app_configuration_key

Terraform Configuration Files

# Configure the Azure provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.79.0"
    }
  }

  required_version = ">= 1.1.0"
}

provider "azurerm" {
  features {}
  skip_provider_registration = true
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "East US 2"
}

resource "azurerm_app_configuration" "appconf" {
  name                = "appConfiantest1"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "standard"
}

data "azurerm_client_config" "current" {}

resource "azurerm_role_assignment" "appconf_dataowner" {
  scope                = azurerm_app_configuration.appconf.id
  role_definition_name = "App Configuration Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_app_configuration_key" "test" {
  configuration_store_id = azurerm_app_configuration.appconf.id
  key                    = "appConfKey1"
  value                  = "a test"

  depends_on = [
    azurerm_role_assignment.appconf_dataowner
  ]
}

Debug Output/Panic Output

2023-11-09T14:51:42.864-0500 [DEBUG] provider.terraform-provider-azurerm_v3.79.0_x5.exe: AzureRM Request: 
GET /kv/appConfKey1?api-version=1.0 HTTP/1.1
Host: appconfiantest1.azconfig.io
User-Agent: Go/go1.21.3 (amd64-windows) go-autorest/v14.2.1 tombuildsstuff/kermit/v0.20230703.1101016 appconfiguration/1.0 HashiCorp Terraform/1.6.3 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.79.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: 419a2f01-c938-355d-b319-a7e598e097c8
Accept-Encoding: gzip: timestamp=2023-11-09T14:51:42.864-0500
2023-11-09T14:51:42.922-0500 [DEBUG] provider.terraform-provider-azurerm_v3.79.0_x5.exe: AzureRM Response for https://appconfiantest1.azconfig.io/kv/appConfKey1?api-version=1.0: 
HTTP/2.0 403 Forbidden
Access-Control-Allow-Origin: *
Date: Thu, 09 Nov 2023 19:51:42 GMT
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Ms-Correlation-Request-Id: 419a2f01-c938-355d-b319-a7e598e097c8
X-Ms-Request-Id: 7982effb-44d0-4717-8e38-dba7b28e0565
Content-Length: 0: timestamp=2023-11-09T14:51:42.922-0500

Expected Behaviour

Creates config key

Actual Behaviour

Receive a 403 error and terraform will just loop until timeout.

Steps to Reproduce

So this issue only happens if you create the app config and the key separately in different applies. Basically, if you have an app config you created, then in a future stage want to add a new key to it, that's when you get the 403. It runs just fine if you create the key with the config in one stage, but all keys are not always known at creation time.

Additionally, I am running this as my account with owner permissions over the tenant. So it's not a permission issue, especially considering that if I create both at the same time it works fine.

Important Factoids

No response

References

There was apparently a similar existing issue on the v2 version, #13229, but this is on 3.79 where I am encountering it.

@teowa
Contributor

teowa commented Nov 10, 2023

Hi @ianmccaul, the 403 should be a permission issue. When you encounter the 403 error, can you check in the Portal (choose the App Configuration -> click Access Control (IAM) in the left panel -> click Role assignments in the right panel) that the specific role App Configuration Data Owner is assigned to your identity? The Owner role is not enough. You can also try assigning App Configuration Data Owner at the subscription level.

@ianmccaul
Author

Hi @ianmccaul, the 403 should be a permission issue. When you encounter the 403 error, can you check in the Portal (choose the App Configuration -> click Access Control (IAM) in the left panel -> click Role assignments in the right panel) that the specific role App Configuration Data Owner is assigned to your identity? The Owner role is not enough. You can also try assigning App Configuration Data Owner at the subscription level.

There is no permission higher than Owner; that will supersede any permission set with App Configuration Data Owner. But I do let the terraform script in the bug run, which creates my role assignment anyway, so I have those permissions. Again, this will run fine as a single execution. The problem comes when you want to come in and add another key, or you can also comment out the key in the first run and uncomment and run again.

@ianmccaul
Author

So, after some additional testing there are some oddities with this. First off, it would appear the 'App Configuration Data Owner' has to be created at the same time as the app config, otherwise you will get the 403. I would expect it to honor the fact that I have higher-level permissions and wouldn't need that. But the fact is that if you miss creating that role assignment, you have to tear down the app config and recreate it with the role at the same time, otherwise you will get that 403 trying to add keys to the config. It doesn't seem to work if you either assign yourself that permission in the portal, or add it after the fact in terraform. I would prefer my CI/CD principals for apps not have the ability to create role assignments when all they really need is contributor permissions to provision and manage resources.

@teowa
Contributor

teowa commented Nov 30, 2023

Hi @ianmccaul ,

There is no permission higher than Owner; that will supersede any permission set with App Configuration Data Owner.

Neither the Owner nor the Contributor role contains the permissions in the App Configuration Data Owner role; to manage app conf keys, this role is required to be assigned.

It doesn't seem to work if you either assign yourself that permission in the portal, or add it after the fact in terraform.

Could you please check whether there is more than one identity, and whether the one used to provision the app conf key is not assigned the correct role?

@ianmccaul
Author

@teowa

There is no permission higher than Owner; that will supersede any permission set with App Configuration Data Owner.

Neither the Owner nor the Contributor role contains the permissions in the App Configuration Data Owner role; to manage app conf keys, this role is required to be assigned.

This is completely incorrect. Owner has all permissions, proven by the fact that I can add config keys perfectly fine in any app config via the portal. Additionally, using other IaC providers I have never needed this permission either; this looks to be purely a terraform issue.

It doesn't seem to work if you either assign yourself that permission in the portal, or add it after the fact in terraform.

Could you please check whether there is more than one identity, and whether the one used to provision the app conf key is not assigned the correct role?

This was run via testing as my identity, so there are no other identities being pulled in. So I am not sure what you're asking here.

@teowa
Contributor

teowa commented Dec 1, 2023

@ianmccaul

There is no permission higher than Owner; that will supersede any permission set with App Configuration Data Owner.

Neither the Owner nor the Contributor role contains the permissions in the App Configuration Data Owner role; to manage app conf keys, this role is required to be assigned.

This is completely incorrect. Owner has all permissions, proven by the fact that I can add config keys perfectly fine in any app config via the portal. Additionally, using other IaC providers I have never needed this permission either; this looks to be purely a terraform issue.

No, please read the doc https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-enable-rbac#azure-built-in-roles-for-azure-app-configuration (screenshot of the built-in roles table)

And the Owner role does not contain any DataAction permission, from Portal: (screenshots of the Owner role definition)

@teowa
Contributor

teowa commented Dec 1, 2023

And if the App Configuration Data Owner role is not assigned, from Portal: (screenshot of the access-denied view, then the "Switch to Microsoft Entra ID" option)

Terraform now only uses Microsoft Entra ID to access App Configuration Data.
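As an added illustration of the point teowa makes above (this is not code from the issue or from the azurerm provider), the following Python model of Azure RBAC evaluation shows why a subscription-level Owner is enough to create the configuration store through ARM but not to write a key-value through the store's data endpoint: control-plane permissions (`actions`) and data-plane permissions (`dataActions`) are separate lists, and the `*` in Owner's `actions` grants nothing on the data plane. The role definitions are simplified and the subscription, store and principal identifiers are constructed for the example; only `App Configuration Data Owner` scoped to the store (or higher) makes the data-plane write pass.

```python
from fnmatch import fnmatchcase

# Constructed, simplified role definitions. The real built-in roles carry more
# entries, but the shape is the same: control-plane permissions live in
# actions/notActions, data-plane permissions in dataActions/notDataActions.
ROLE_DEFINITIONS = {
    "Owner": {
        "actions": ["*"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"],
        "dataActions": [], "notDataActions": [],
    },
    "App Configuration Data Owner": {
        "actions": [], "notActions": [],
        "dataActions": [
            "Microsoft.AppConfiguration/configurationStores/*/read",
            "Microsoft.AppConfiguration/configurationStores/*/write",
            "Microsoft.AppConfiguration/configurationStores/*/delete",
            "Microsoft.AppConfiguration/configurationStores/*/action",
        ],
        "notDataActions": [],
    },
}

# Constructed identifiers (not taken from the issue).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORE_ID = (SUBSCRIPTION + "/resourceGroups/example-resources"
            "/providers/Microsoft.AppConfiguration/configurationStores/appConfiantest1")
OTHER_STORE_ID = (SUBSCRIPTION + "/resourceGroups/other-rg"
                  "/providers/Microsoft.AppConfiguration/configurationStores/otherstore")
PRINCIPAL = "11111111-1111-1111-1111-111111111111"

# The two operations Terraform needs: creating the store goes through ARM
# (control plane); writing a key-value goes to <store>.azconfig.io (data plane).
CREATE_STORE = "Microsoft.AppConfiguration/configurationStores/write"
WRITE_KEY_VALUE = "Microsoft.AppConfiguration/configurationStores/keyValues/write"


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment at a scope applies to that resource and everything under it."""
    scope = assignment_scope.rstrip("/").lower()
    target = resource_id.rstrip("/").lower()
    return target == scope or target.startswith(scope + "/")


def _any_match(patterns, operation: str) -> bool:
    # Azure operation wildcards are case-insensitive and '*' spans '/'-separated
    # segments; fnmatch's '*' also does not stop at '/', so it models this well.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def is_allowed(assignments, principal_id, resource_id, operation, data_action):
    """Return True if some assignment for the principal grants the operation.

    Assignments are additive: the operation is allowed when any role in scope
    lists it in the relevant allow list and not in the matching deny list.
    A control-plane wildcard never satisfies a data-plane check, and vice versa.
    """
    allow, deny = (("dataActions", "notDataActions") if data_action
                   else ("actions", "notActions"))
    for asg in assignments:
        if asg["principalId"] != principal_id:
            continue
        if not scope_covers(asg["scope"], resource_id):
            continue
        role = ROLE_DEFINITIONS[asg["role"]]
        if _any_match(role[allow], operation) and not _any_match(role[deny], operation):
            return True
    return False


def check_store_access(assignments, principal_id, store_id):
    """Summarise what the principal can do with one App Configuration store."""
    return {
        "create_store": is_allowed(assignments, principal_id, store_id, CREATE_STORE, False),
        "write_key_value": is_allowed(assignments, principal_id, store_id, WRITE_KEY_VALUE, True),
    }


# Constructed assignments: Owner on the subscription, then the data role added
# later at the store scope (the same thing the issue's azurerm_role_assignment does).
OWNER_ONLY = [
    {"principalId": PRINCIPAL, "scope": SUBSCRIPTION, "role": "Owner"},
]
WITH_DATA_ROLE = OWNER_ONLY + [
    {"principalId": PRINCIPAL, "scope": STORE_ID, "role": "App Configuration Data Owner"},
]

if __name__ == "__main__":
    print("Owner only:    ", check_store_access(OWNER_ONLY, PRINCIPAL, STORE_ID))
    print("With data role:", check_store_access(WITH_DATA_ROLE, PRINCIPAL, STORE_ID))
    # The data role is scoped to one store, so a different store is still denied.
    print("Other store:   ", check_store_access(WITH_DATA_ROLE, PRINCIPAL, OTHER_STORE_ID))
```

With Owner alone the model returns `create_store: True, write_key_value: False`, which is the shape of the failure in the debug output: the store exists, but the `GET /kv/...` against `appconfiantest1.azconfig.io` is refused with 403 because the bearer token's identity holds no data-plane role. Adding the data role at the store scope flips `write_key_value` to `True` for that store only; assigning it at the subscription level, as teowa suggests, would cover every store beneath it.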

@rcskosir
Contributor

Thank you for taking the time to raise this! I am going to close this with @teowa's response as the answer. If that is not the case, please provide additional information, including the version in which you are still experiencing this issue. Thanks!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 19, 2024