Key Vault Permissions
To manage Azure resources with Terraform, the service principal or managed identity that Terraform runs as needs the appropriate permissions for each block in the configuration. Here is a breakdown of the required permissions, grouped by resource group and other scopes:
Primary Subscription (azurerm.primary)

  Resource Group: rg-esp-qa
  Permissions:
    Microsoft.Resources/subscriptions/resourceGroups/read

  Resource Group: NET-EUS2-QA-RG
  Permissions:
    Microsoft.Resources/subscriptions/resourceGroups/read
    Microsoft.Network/virtualNetworks/read
    Microsoft.Network/virtualNetworks/subnets/read

  Resource Group: defined by the variable var.resource_group_name (for the Key Vault)
  Permissions:
    Microsoft.KeyVault/vaults/write
    Microsoft.KeyVault/vaults/read
    Microsoft.KeyVault/vaults/delete
    Microsoft.KeyVault/vaults/accessPolicies/write
Secondary Subscription (azurerm.secondary)

  Resource Group: NET-EUS2-PROD-RG
  Permissions:
    Microsoft.Resources/subscriptions/resourceGroups/read
    Microsoft.Network/privateDnsZones/read
    Microsoft.Network/privateDnsZones/A/read
    Microsoft.Network/privateDnsZones/A/write

  Resource Group: NET-EUS2-QA-RG (for the Private Endpoint)
  Permissions:
    Microsoft.Network/privateEndpoints/write
    Microsoft.Network/privateEndpoints/read
    Microsoft.Network/privateEndpoints/delete
    Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
    Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
Data Sources

  azurerm_resource_group
  Permissions:
    Microsoft.Resources/subscriptions/resourceGroups/read

  azurerm_virtual_network
  Permissions:
    Microsoft.Network/virtualNetworks/read

  azurerm_subnet
  Permissions:
    Microsoft.Network/virtualNetworks/subnets/read

  azurerm_private_dns_zone
  Permissions:
    Microsoft.Network/privateDnsZones/read

  azurerm_private_dns_zone_virtual_network_link
  Permissions:
    Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Resources

  azurerm_key_vault
  Permissions:
    Microsoft.KeyVault/vaults/write
    Microsoft.KeyVault/vaults/read
    Microsoft.KeyVault/vaults/delete
    Microsoft.KeyVault/vaults/accessPolicies/write

  azurerm_private_endpoint
  Permissions:
    Microsoft.Network/privateEndpoints/write
    Microsoft.Network/privateEndpoints/read
    Microsoft.Network/privateEndpoints/delete

  azurerm_private_dns_a_record
  Permissions:
    Microsoft.Network/privateDnsZones/A/write
    Microsoft.Network/privateDnsZones/A/read
Custom Role Definition and Assignment (Commented Out)

If you plan to use the custom role definition and assignment, you will also need:

  Role Definition
  Permissions:
    The full list of actions across the various services, as defined in the commented-out azurerm_role_definition block

  Role Assignment
  Permissions:
    Microsoft.Authorization/roleAssignments/write
    Microsoft.Authorization/roleAssignments/read
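As an added illustration of that custom role pattern (this is not the post's commented-out block), the following defines a custom role carrying only the Key Vault control-plane actions listed above and assigns it at the Key Vault resource group rather than at the subscription. It assumes the azurerm.primary provider alias and var.resource_group_name from the post, and a hypothetical var.terraform_principal_object_id holding the object ID of the service principal or managed identity Terraform runs as.

```hcl
data "azurerm_resource_group" "kv" {
  provider = azurerm.primary
  name     = var.resource_group_name
}

# Only the control-plane actions the azurerm_key_vault block needs,
# scoped to the resource group that holds the vault.
resource "azurerm_role_definition" "kv_deployer" {
  provider = azurerm.primary
  name     = "tf-keyvault-deployer" # hypothetical role name
  scope    = data.azurerm_resource_group.kv.id

  permissions {
    actions = [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.KeyVault/vaults/read",
      "Microsoft.KeyVault/vaults/write",
      "Microsoft.KeyVault/vaults/delete",
      "Microsoft.KeyVault/vaults/accessPolicies/write",
    ]
    not_actions = []
  }

  # The role can only be assigned at this resource group, never at the subscription.
  assignable_scopes = [data.azurerm_resource_group.kv.id]
}

# Creating this assignment is what requires Microsoft.Authorization/roleAssignments/write
# on the target scope for the identity running the apply.
resource "azurerm_role_assignment" "kv_deployer" {
  provider           = azurerm.primary
  scope              = data.azurerm_resource_group.kv.id
  role_definition_id = azurerm_role_definition.kv_deployer.role_definition_resource_id
  principal_id       = var.terraform_principal_object_id # hypothetical variable
}
```

The same pattern, with the network and private DNS actions from the secondary subscription lists, gives one narrowly scoped role per resource group instead of a single broad role.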
Summary of Key Actions

  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Network/virtualNetworks/read
  Microsoft.Network/virtualNetworks/subnets/read
  Microsoft.KeyVault/vaults/write
  Microsoft.KeyVault/vaults/read
  Microsoft.KeyVault/vaults/delete
  Microsoft.KeyVault/vaults/accessPolicies/write
  Microsoft.Network/privateDnsZones/read
  Microsoft.Network/privateDnsZones/A/write
  Microsoft.Network/privateDnsZones/A/read
  Microsoft.Network/privateEndpoints/write
  Microsoft.Network/privateEndpoints/read
  Microsoft.Network/privateEndpoints/delete
  Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
  Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
  Microsoft.Authorization/roleAssignments/write
  Microsoft.Authorization/roleAssignments/read

Ensure the service principal or managed identity used by Terraform has these permissions to successfully create and manage the resources.