Resource 'x' not found for 'variable x.1.id' with new graph, works fine with legacy graph #13510

Closed
dlcc opened this issue Apr 10, 2017 · 47 comments


@dlcc

dlcc commented Apr 10, 2017

Hi,

I am still having ongoing issues with:-
#11437

Following on from the previous issue, I was able to progress with using the legacy graph. Having upgraded TF along the way, I was able to use the new graph against the resultant infrastructure. However, I am trying to re-use the same TF files for a new installation and I am back to the same error but no choice to go back to legacy graph!

Error running plan: 1 error(s) occurred:

  • aws_nat_gateway.gateway_2: 1 error(s) occurred:

  • aws_nat_gateway.gateway_2: Resource 'aws_subnet.public' not found for variable 'aws_subnet.public.1.id'

$ terraform -v
Terraform v0.9.1

@dlcc
Author

dlcc commented Apr 10, 2017

resource "aws_nat_gateway" "gateway_1" {
  allocation_id = "${aws_eip.nat_gateway_1.id}"
  subnet_id     = "${aws_subnet.public.0.id}"
}

resource "aws_nat_gateway" "gateway_2" {
  allocation_id = "${aws_eip.nat_gateway_2.id}"
  subnet_id     = "${aws_subnet.public.1.id}"
}

resource "aws_nat_gateway" "gateway_3" {
  allocation_id = "${aws_eip.nat_gateway_3.id}"
  subnet_id     = "${aws_subnet.public.2.id}"
}

resource "aws_subnet" "public" {
  count             = "${length(split(",", var.aws_zones))}"
  vpc_id            = "${aws_vpc.vpc.id}"
  availability_zone = "${element(split(",", var.aws_zones), count.index)}"
  cidr_block        = "${lookup(var.public_subnets, count.index)}"

  tags {
    Name = "${var.app_name} public ${var.environment} ${element(split(",", var.aws_zones), count.index)}"
  }

  lifecycle {
    create_before_destroy = true
  }
}

@dlcc
Author

dlcc commented Apr 10, 2017

If I hardcode the count in aws_subnet.public, then it plans fine, e.g.

resource "aws_subnet" "public" {
  # count = "${length(split(",", var.aws_zones))}"
  count = "3"
  ...
}

I missed this off, also:

variable "aws_zones" {
  default = "eu-west-1a,eu-west-1b,eu-west-1c"
}

@dlcc
Author

dlcc commented Apr 10, 2017

In fact, if I introduce this:

variable "xaws_zones" {
  type    = "list"
  default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
}

then this works fine:

resource "aws_route_table" "public" {
  count = "${length(var.xaws_zones)}"
  ...
}

@dlcc
Author

dlcc commented Apr 11, 2017

I worked around it by using a list instead of splitting a string.

@dlcc
Author

dlcc commented Apr 11, 2017

In fact, this workaround has also failed. Looks like it is plain intermittent. I got this while running with debug on, not that it says much more.

7/04/11 13:03:15 [ERROR] root: eval: *terraform.EvalInterpolate, err: Resource 'aws_subnet.public' not found for variable 'aws_subnet.public.2.id'
2017/04/11 13:03:15 [ERROR] root: eval: *terraform.EvalSequence, err: Resource 'aws_subnet.public' not found for variable 'aws_subnet.public.2.id'

@dlcc
Author

dlcc commented Apr 12, 2017

When I did manage to get this to attempt to apply, it turned out that there was a typo in my VPC CIDR... which meant that the CIDRs for the subnets were not within the VPC range. I have no idea if this was related or not. It certainly wouldn't have been the first time I had the issue back in January, because simply using the legacy graph got around the issue.

@patrick-armitage

@dlcc what was it that fixed your issue exactly? I think I'm having a similar issue

@dlcc
Author

dlcc commented Apr 13, 2017

@patrick-armitage I just kept retrying the apply a few times. Since my last comment, I had to destroy and recreate the infrastructure and it still failed a couple of times before it finally applied ok.

@malnick

malnick commented Apr 20, 2017

I'm running into this issue this evening on the latest Terraform.

@ahelal

ahelal commented May 11, 2017

having same issue with Terraform v0.9.5

@apparentlymart
Contributor

Thanks for the detailed info here @dlcc. I'll look at this soon and try to figure out what's going on here.

@apparentlymart apparentlymart self-assigned this May 11, 2017
@ferhimedamine

ferhimedamine commented May 21, 2017

+1 having the same issue (terraform 0.9.5)
Same code using 2 different s3 states.. one works the other not.
ASG referencing an ELB ID

@dvelitchkov

dvelitchkov commented Jun 2, 2017

Having this issue with terraform 0.9.6

resource "aws_security_group" "satori_nat" {
  name        = "NATSG"
  description = "NAT traffic"
  vpc_id      = "${aws_vpc.satori_vpc.id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["${aws_subnet.satori_a.1.cidr_block}", "${aws_subnet.satori_b.1.cidr_block}"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["${aws_subnet.satori_a.1.cidr_block}", "${aws_subnet.satori_b.1.cidr_block}"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

When running "terraform apply":
Error running plan: 1 error(s) occurred:

  • aws_security_group.satori_nat: 1 error(s) occurred:

  • aws_security_group.satori_nat: Resource 'aws_subnet.satori_a' not found for variable 'aws_subnet.satori_a.1.cidr_block'

If I change the array indices to 0, apply succeeds; I can then change the indices to 1 and run "apply" again and it will actually succeed.

@kamoljan

kamoljan commented Jun 9, 2017

+1

@punmechanic

punmechanic commented Jun 26, 2017

Also experiencing this issue.. when I look at the state file, it appears that the item that I am pointing to isn't even being created at all (or at least, it is not stored in the state file). I was creating this resource using a fully generated name through the random provider. After I modified the property to have a prefix specified outside of the random provider like so:

  cluster_id = "scanner-${lower("${replace("${random_id.random.b64}", "_", "")}")}"

It worked fine.

@MazenAtaya

Having the same issue with the latest version of terraform (0.10.3). I have an alb listener referencing an alb target group.

@boldandbusted

Can I try out the "legacy-graph" as the original poster did with "-Xlegacy-graph" option to terraform?

@scarolan
Contributor

I think I have the same issue. Terraform 0.10.7. Attempting to add instances to an 'aws_elb' resource, using the correct TYPE.NAME.ATTR reference like so: aws_instance.spacelysprockets.0

  • aws_elb.prod_lb: Resource 'aws_instance.spacelysprockets' not found for variable 'aws_instance.spacelysprockets.0'

@przemolb

I also have the same issue with terraform 0.10.7 and 0.10.8:

Error: Error running plan: 1 error(s) occurred:

* module.storage.azurerm_storage_container.vhds: 1 error(s) occurred:

* module.storage.azurerm_storage_container.vhds: Resource 'azurerm_storage_account.vhds' not found for variable 'azurerm_storage_account.vhds.name'

@sarjuymd

+1
resource alb listener and target group.
Terraform v0.9.11

@pgdagenais

+1
resource aws_launch_configuration and aws_autoscaling_group
Terraform v0.11.0

@ringods
Contributor

ringods commented Nov 23, 2017

Terraform v0.11.0

* module.concourse.aws_ecs_service.concourse_web: Resource 'aws_ecs_task_definition.concourse_web_task_definition' not found for variable 'aws_ecs_task_definition.concourse_web_task_definition.arn'

EDIT: Removed one case as it was a typo on our side.

@dlcc
Author

dlcc commented Nov 23, 2017

@apparentlymart Is there any plans to look at this issue?

It was self-assigned in May and we are 6 months on :)

@yatagan

yatagan commented Nov 24, 2017

+1
aws_ecs_task_definition
Terraform v0.11.0

@kostia-official

I had this error when my aws_ecs_task_definition failed to create because of the wrong JSON in the container definition. And I got the error text only when I removed usage of the failed resource. Looks like a bug.

@cbreden

cbreden commented Jan 3, 2018

Getting blocked by this as well. Here's a module snippet where I'm getting:

* module.alb_pvt.aws_alb_listener.alb_listener: 1 error(s) occurred:

* module.alb_pvt.aws_alb_listener.alb_listener: Resource 'aws_alb_target_group.alb_def_target' not found for variable 'aws_alb_target_group.alb_def_target.arn'

resource "aws_alb" "alb" {
  name            = "${var.alb_label}-alb-${var.private ? "private" : "public"}"
  internal        = "${var.private}"
  security_groups = ["${aws_security_group.sg.id}"]
  subnets         = ["${values(var.aws_subnets)}"]

  tags {
    Name        = "${var.alb_label}-alb-${var.private ? "private" : "public"}"
    VPC         = "${var.vpc_name}"
    Environment = "${var.env_name}"
    Terraform   = "Terraform"
  }
}

resource aws_alb_target_group alb_def_target {
  name     = "${aws_alb.alb.tags.Name}-null-default"
  port     = "80"
  protocol = "HTTP"
  vpc_id   = "${var.vpc_id}"

  health_check {
    interval = 15
    path     = "/"
    timeout  = 10
    matcher  = "200"
  }

  tags {
    Service     = "${aws_alb.alb.tags.Name}-null-default"
    Swarm       = "${var.alb_label}-${var.env_name}"
    Environment = "${var.env_name}"
    Terraform   = "Terraform"
  }

  depends_on = [
    "aws_alb.alb"
  ]
}

resource "aws_alb_listener" "alb_listener" {
  load_balancer_arn = "${aws_alb.alb.arn}"
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2015-05"
  certificate_arn   = "${var.private ? var.pvt_certificate_arn : var.pub_certificate_arn}"

  default_action {
    target_group_arn = "${aws_alb_target_group.alb_def_target.arn}"
    type             = "forward"
  }

  depends_on = [
    "aws_alb_target_group.alb_def_target",
    "aws_alb.alb"
  ]
}

resource "aws_security_group" "sg" {
  name        = "${var.alb_label}-alb-${var.private ? "private" : "public"}-sg"
  description = "Security group (${var.private ? "private" : "public"}) for alb directed at swarm cluster instances"

  vpc_id = "${var.vpc_id}"

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"

    cidr_blocks = [
      "0.0.0.0/0",
    ]
  }
  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"

    cidr_blocks = [
      "0.0.0.0/0",
    ]
  }
  tags {
    Name      = "${var.alb_label}-alb-${var.private ? "private" : "public"}-sg"
    VPC       = "${var.vpc_name}"
    Terraform = "Terraform"
  }
}

@Jeyanthinath

for me the same is coming while referring data-source variable in resource file (but for the custom provider)

Terraform v0.11.1

@ghost

ghost commented Jan 9, 2018

A similar issue with the output ("public_ip") in the following configuration. If I change to 0, the plan works.

Error: Error running plan: 1 error(s) occurred:

* output.public_ip: Resource 'aws_instance.my_ec2' not found for variable 'aws_instance.my_ec2.1.public_ip'

$ terraform --version
Terraform v0.11.1
+ provider.aws v1.6.0
+ provider.template v1.0.0

data "template_file" "user_data" {
  template = "${file("user_data.sh")}"
}

resource "aws_instance" "my_ec2" {
  count         = 2
  ami           = "${var.ami_id}"
  instance_type = "t2.micro"
  key_name      = "${var.key_name}"

  subnet_id = "${count.index +1 == 1 ? var.subnet_1 : var.subnet_2}"

  user_data = "${data.template_file.user_data.rendered}"

  tags {
    Name = "${format("%s-ec2-%01d", var.prefix, count.index +1 )}"
  }
}

resource "aws_eip" "elastic_ip" {
  instance = "${aws_instance.my_ec2.0.id}"
}

output "elastic_ip" {
  value = "${aws_eip.elastic_ip.public_ip}"
}

output "public_ip" {
  value = "${aws_instance.my_ec2.1.public_ip}"
}

@dlcc
Author

dlcc commented Jan 9, 2018

@mitchellh Is there any possibility this could be prioritised as it appears to be affecting a number of people and has been open quite a while. Thanks.

@apparentlymart
Contributor

Hi all,

We are expecting to address this along with a number of other similar issues as part of integrating an improved interpreter for the expression language. I apologize that we haven't done a great job of tracking down all of the various GitHub issues that this current work relates to, giving the impression of inaction.

We're planning to release an experimental, opt-in version of the new parser and interpreter in the near future, which we'll then use to gather feedback and verify that the various issues have been addressed. After that, we'll make Terraform use the new implementation by default. This work has started, and although we took a break over the holiday period we've now picked it up again and are currently planning the next set of changes.

Sorry for the silence here. I'm going to relabel this issue so that we'll be able to find it again for future updates.

@apparentlymart apparentlymart removed their assignment Jan 10, 2018
@rszalski

Stumbled on this as well, the culprit was like in @kozzztya's case: malformed task_definition caused it to not be created (without errors) and then aws_ecs_service stopped with an error:

module.ecs_cluster.aws_ecs_service.xxx: 1 error(s) occurred:

* module.ecs_cluster.aws_ecs_service.xxx: Resource 'aws_ecs_task_definition.yyy' not found for variable 'aws_ecs_task_definition.yyy.arn'

  • It seems that the "parent" resource is not being created for some reason
  • In my case the reason was malformed JSON with Container Definition (which should be reported as error, but wasn't)
  • If using ECS, check if this is the cause (especially when missing jsonencode when passing vars to container defs)

Hope this helps with debugging.

@Resisty

Resisty commented Feb 9, 2018

Hello,

I'm having this issue when running terraform plan

* module.testing_ecs_static_analysis.aws_lambda_function.static_analysis_s3_to_sqs_ecs_lambda: 1 error(s) occurred:

* module.testing_ecs_static_analysis.aws_lambda_function.static_analysis_s3_to_sqs_ecs_lambda: Resource 'aws_ecs_task_definition.update_es_from_static_analysis' not found for variable 'aws_ecs_task_definition.update_es_from_static_analysis.family'

The resource definitely exists and is named correctly:

(venv) project 🍔  ag update_es_from_static_analysis
testing_ecs_static_analysis/ecs.tf
1:data "template_file" "update_es_from_static_analysis_json_document" {
2:  template = "${file("${path.module}/templates/update_es_from_static_analysis.json")}"
19:resource "aws_ecs_task_definition" "update_es_from_static_analysis" {
21:  container_definitions = "${data.template_file.update_es_from_static_analysis_json_document.rendered}"

testing_ecs_static_analysis/iam_policies.tf
36:      "${aws_ecs_task_definition.update_es_from_static_analysis.arn}",

testing_ecs_static_analysis/lambda_functions.tf
20:      ECS_TASK                = "${aws_ecs_task_definition.update_es_from_static_analysis.family}"

If anybody has any suggestions, I'd very much appreciate it, thanks!

EDIT: After a lot of googling and playing around with stuff, I'm posting this for posterity.

In the template file, you cannot quote your variables and you must jsonencode them. For example, the following is correct:

# some_template.json
"environment": [
    {
        "name": "something",
        "value": ${some_variable}
    }
]
----------------
# ecs.tf
data "template_file" "temp" {
  template = "${file("${path.module}/templates/some_template.json")}"
  vars {
    some_variable = "${jsonencode(var.some_variable)}"
  }
}

@adamist521

It's not directly solving the issue, but I have found that some people's issue could be due to error message handling in Terraform. (I haven't looked into the code yet, though...)

My error was on alb_target_group but Terraform kept notifying me of an alb_listener error.


My issue was also with aws_alb. My first error was the following.

Error: Error running plan: 1 error(s) occurred:

* aws_alb_listener.worker: 1 error(s) occurred:

* aws_alb_listener.worker: Resource 'aws_alb_target_group.worker' not found for variable 'aws_alb_target_group.worker.arn'

So I deleted the aws_alb_listener part of the .tf file, then I got the following error.

Error: Error running plan: 1 error(s) occurred:

* aws_alb_target_group.worker: expected length of name to be in the range (0 - 32), got ********************

(I had too long a name for the target_group.)
So I shortened the name of alb_target_group and put back my alb_listener code then all went well. The problem was that the first error message should have told me about the target-group...
Could be worth a try for anyone suffering from this issue.

@mukund1989

Experienced similar issue with aws_launch_configuration hashicorp/terraform-provider-aws#4056

@christopherriley

christopherriley commented Apr 13, 2018

It's not directly solving the issue, but I have found that some people's issue could be due to error message handling in Terraform.

@adamist521 thanks a lot, this was exactly my problem (in my case it was aws_elasticsearch_domain.domain_name too long/invalid/etc)

@eschwartz

error message handling in terraform.

WOW that is really frustrating.

I just had a similar issue:

Resource 'aws_ecs_task_definition.ecs_task_definition' not found for variable 'aws_ecs_task_definition.ecs_task_definition.arn'

output "ecs_task_definition_arn" {
  value       = "${aws_ecs_task_definition.ecs_task_definition.arn}"
  description = "ARN of the ECS task definition"
}

The problem had nothing to do with the error message. The problem was that my JSON for the ecs_task_definition.container_definitions was invalid 😠

If I comment out the output, I get the correct error:

module.ecs_service_a.aws_ecs_task_definition.ecs_task_definition: ECS Task Definition container_definitions is invalid: Error decoding JSON: invalid character '"' after object key:value pair
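
An added example, not code from this thread or from Terraform: a Python pre-flight check for the malformed container-definition JSON that several comments above traced this error to. It imitates raw `${name}` template substitution and goes beyond the invalid-JSON case by also flagging port fields rendered as strings; the template, variable names and helper names are constructed for illustration.

```python
import json
import re

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

# Constructed template, shaped like an ECS container_definitions document.
TEMPLATE = """[
  {
    "name": "app",
    "image": "example/app:1",
    "environment": [{"name": "GREETING", "value": ${greeting}}],
    "portMappings": [{"hostPort": ${host_port}, "containerPort": ${container_port}}]
  }
]"""


def jsonencode(value):
    """Stand-in for Terraform's jsonencode(): encode a value as a JSON literal."""
    return json.dumps(value)


def render(template, variables):
    """Substitute ${name} placeholders as raw text, with no escaping or quoting."""
    return PLACEHOLDER.sub(lambda m: variables[m.group(1)], template)


def check_container_definitions(rendered):
    """Return a list of problems; an empty list means the document passed."""
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return ["invalid JSON at line %d column %d: %s" % (exc.lineno, exc.colno, exc.msg)]
    if not isinstance(doc, list):
        return ["top level must be a JSON array of container definitions"]

    problems = []
    for i, container in enumerate(doc):
        if not isinstance(container, dict):
            problems.append(f"container[{i}] must be a JSON object")
            continue
        for j, mapping in enumerate(container.get("portMappings", [])):
            if not isinstance(mapping, dict):
                problems.append(f"container[{i}].portMappings[{j}] must be a JSON object")
                continue
            for key in ("hostPort", "containerPort"):
                if key not in mapping:
                    continue
                value = mapping[key]
                # bool is a subclass of int in Python, so exclude it explicitly.
                if isinstance(value, bool) or not isinstance(value, int):
                    problems.append(
                        f"container[{i}].portMappings[{j}].{key} "
                        f"must be a JSON number, got {value!r}"
                    )
    return problems


if __name__ == "__main__":
    cases = {
        # Raw string dropped into the template: the result is not JSON at all.
        "unencoded value": {"greeting": 'say "hi"', "host_port": "8080", "container_port": "8080"},
        # String passed through jsonencode, ports left as bare numbers.
        "encoded value": {"greeting": jsonencode('say "hi"'), "host_port": "8080", "container_port": "8080"},
        # Valid JSON, but the port arrives as a quoted string.
        "quoted port": {"greeting": jsonencode("hi"), "host_port": jsonencode("8080"), "container_port": "8080"},
    }
    for label, variables in cases.items():
        problems = check_container_definitions(render(TEMPLATE, variables))
        print(label, "->", problems or "ok")
```

Running a check like this on the rendered template before `terraform plan` reports the JSON problem directly instead of leaving it behind the "not found for variable" message.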

@KIVagant

KIVagant commented Aug 2, 2018

I enabled DEBUG mode and found that the real error is hiding somewhere in the middle of the output:

$ export TF_LOG=DEBUG
$ export TF_LOG_PATH=/var/log/terraform_plan.log
$ terraform plan
...
2018/08/02 15:58:09 [2018/08/02 15:58:09 [DEBUG] Attaching resource state to "aws_ecs_service.service-svc": &terraform.ResourceState{Type:"aws_ecs_service", Dependencies:[]string{"..........."}, Primary:(*terraform.InstanceState)(0xc4209e6320), Deposed:[]*terraform.InstanceState{}, Provider:"", mu:sync.Mutex{state:0, sema:0x0}}
2018/08/02 15:58:09 [ERROR] root: eval: *terraform.EvalSequence, err: Warnings: []. Errors: [ECS Task Definition container_definitions is invalid: Error decoding JSON: json: cannot unmarshal string into Go struct field PortMapping.HostPort of type int64]
...
Error: Error running plan: 1 error(s) occurred:

* module.tf_dks.aws_ecs_service.service-svc: 1 error(s) occurred:

2018-08-02T15:58:12.251+0300 [DEBUG] plugin.terraform-provider-template_v1.0.0_x4: 2018/08/02 15:58:12 [ERR] plugin: stream copy 'stderr' error: stream closed
* module.tf_dks.aws_ecs_service.service-svc: Resource 'aws_ecs_task_definition.service-td' not found for variable 'aws_ecs_task_definition.service-td.revision'

So the real problem was that I added quotes around values for ports inside a task definition:

json: cannot unmarshal string into Go struct field PortMapping.HostPort of type int64]

    "portMappings": [
      {
        "hostPort": "${host_port}",    ← ← ← error
        "containerPort": ${container_port}, ← ← ← works fine
        "protocol": "http"
      }
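
An added example, not code from this thread or from Terraform: a Python triage pass over a `TF_LOG=DEBUG` capture that separates the "Resource ... not found for variable" symptom from the other `[ERROR]` lines that carry the underlying cause. The sample log is constructed, modeled on the lines quoted in this thread, and the function and constant names are hypothetical.

```python
import re
import sys

# Debug-log error lines look like:
#   2018/08/02 15:58:09 [ERROR] root: eval: *terraform.EvalSequence, err: <message>
ERROR_LINE = re.compile(r"\[ERROR\]\s+\S+:\s+eval:\s+(?P<node>\S+),\s+err:\s+(?P<msg>.+)$")

# The downstream message this thread is about. It names the reference that
# could not be resolved, not the reason the referenced resource is missing.
NOT_FOUND = re.compile(
    r"Resource '(?P<resource>[^']+)' not found for variable '(?P<variable>[^']+)'"
)

# Constructed sample, modeled on the log lines quoted in this thread.
SAMPLE_LOG = """\
2018/08/02 15:58:09 [DEBUG] Attaching resource state to "aws_ecs_service.service-svc"
2018/08/02 15:58:09 [ERROR] root: eval: *terraform.EvalSequence, err: Warnings: []. Errors: [ECS Task Definition container_definitions is invalid: Error decoding JSON: json: cannot unmarshal string into Go struct field PortMapping.HostPort of type int64]
2018/08/02 15:58:12 [ERROR] root: eval: *terraform.EvalInterpolate, err: Resource 'aws_ecs_task_definition.service-td' not found for variable 'aws_ecs_task_definition.service-td.revision'
2018/08/02 15:58:12 [ERROR] root: eval: *terraform.EvalSequence, err: Resource 'aws_ecs_task_definition.service-td' not found for variable 'aws_ecs_task_definition.service-td.revision'
2018-08-02T15:58:12.251+0300 [DEBUG] plugin.terraform-provider-template_v1.0.0_x4: 2018/08/02 15:58:12 [ERR] plugin: stream copy 'stderr' error: stream closed
* module.tf_dks.aws_ecs_service.service-svc: Resource 'aws_ecs_task_definition.service-td' not found for variable 'aws_ecs_task_definition.service-td.revision'
"""


def triage(log_text):
    """Split errors in a debug capture into root-cause candidates and symptoms."""
    root_causes = []  # distinct [ERROR] messages that are not the "not found" symptom
    masked = []       # distinct (resource, variable) pairs from "not found" messages
    for line in log_text.splitlines():
        symptom = NOT_FOUND.search(line)
        if symptom:
            pair = (symptom.group("resource"), symptom.group("variable"))
            if pair not in masked:
                masked.append(pair)
            continue
        error = ERROR_LINE.search(line)
        if error:
            msg = error.group("msg").strip()
            if msg not in root_causes:
                root_causes.append(msg)
    return {"root_causes": root_causes, "masked_references": masked}


if __name__ == "__main__":
    # Pass the file written via TF_LOG_PATH as the first argument, or run
    # without arguments to use the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_LOG
    result = triage(text)
    for resource, variable in result["masked_references"]:
        print("symptom: %s could not be resolved (referenced as %s)" % (resource, variable))
    for msg in result["root_causes"]:
        print("root cause candidate:", msg)
```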

@fawaf

fawaf commented Sep 12, 2018

#13510 (comment)

We're planning to release an experimental, opt-in version of the new parser and interpreter in the near future, which we'll then use to gather feedback and verify that the various issues have been addressed. After that, we'll make Terraform use the new implementation by default. This work has started, and although we took a break over the holiday period we've now picked it up again and are currently planning the next set of changes.

@apparentlymart is there anywhere that i can get the opt-in version?

@lukasbernat

similar issue here. tf does not seem to find a resource with id 1:
public-igw-subnet-az1 = "${aws_subnet.az1.1.id}"
error:

* module.test-mgmnt-vpc.var.public-igw-subnet-az2: Resource 'aws_subnet.az2' not found for variable 'aws_subnet.az2.1.id'

az1.0.id is found:
natgw-public-subnet-az1 = "${aws_subnet.az1.0.id}"

WORKAROUND:
apply tf with both subnets set to '0'. then modify subnet to '1' and re-apply.

[lukas@localhost test-mgnmt]$ terraform version
Terraform v0.11.10
+ provider.aws v1.42.0

@apparentlymart
Contributor

Hi all!

The work I mentioned before was merged into master a couple weeks ago, so we've been revisiting the various issues we previously tagged as planned to be addressed by that work.

Reading through the subsequent discussion since my last comment, it seems like a lot of you are encountering the same root cause as the problem over in #18129, which is actually covering the combination of two problems:

  • Validation errors from the provider are not always surfacing up to the UI and blocking the creation of the plan.
  • Downstream processing can find itself in a strange state where resource results are not available for interpolation. The validation error suppression bug is one cause of that -- we'd then enter a state that should never have been possible if the error had been respected -- but there were some others too.

The second issue here has now been addressed through additional safety checks and a redesign of how the expression evaluation is implemented, which is merged in master and ready to be included in the forthcoming v0.12.0 final release. As you can see over in #18129, the problem that the validation errors aren't surfacing is still not solved, but we intend to address it before v0.12.0 final.

Given that the second problem here was surfacing in lots of different ways, I used this issue as an excuse to test one more situation that was causing this error; specifically, I adapted @dlcc's config from way back at the start of this thread to make a repro case:

provider "aws" {
  region = "us-west-2"
}

variable "app_name" {
  default = "foo"
}

variable "environment" {
  default = "bar"
}

variable "aws_zones" {
  default = "us-west-2a,us-west-2b,us-west-2c"
}

variable "public_subnets" {
  type = map(string)
  default = {
    "0" = "10.1.1.0/24"
    "1" = "10.1.2.0/24"
    "2" = "10.1.3.0/24"
  }
}

resource "aws_vpc" "vpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_nat_gateway" "gateway_1" {
  allocation_id = "${aws_eip.nat_gateway_1.id}"
  subnet_id     = "${aws_subnet.public.0.id}"
}

resource "aws_nat_gateway" "gateway_2" {
  allocation_id = "${aws_eip.nat_gateway_2.id}"
  subnet_id     = "${aws_subnet.public.1.id}"
}

resource "aws_nat_gateway" "gateway_3" {
  allocation_id = "${aws_eip.nat_gateway_3.id}"
  subnet_id     = "${aws_subnet.public.2.id}"
}

resource "aws_subnet" "public" {
  count             = "${length(split(",", var.aws_zones))}"
  vpc_id            = "${aws_vpc.vpc.id}"
  availability_zone = "${element(split(",", var.aws_zones), count.index)}"
  cidr_block        = "${lookup(var.public_subnets, count.index)}"
  tags = {
    Name = "${var.app_name} public ${var.environment} ${element(split(",", var.aws_zones), count.index)}"
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_eip" "nat_gateway_1" {
}
resource "aws_eip" "nat_gateway_2" {
}
resource "aws_eip" "nat_gateway_3" {
}

I was able to apply this without problems, which matches what I've seen with this in other cases where the validation-related problem wasn't the root cause.

Since we already have #18129 tracking the validation error bug, I'm going to close this one out now.

I also wanted to quickly address the comment I made earlier about a "preview release": unfortunately our plans for that had to change along the way when it proved to be impractical to ship both the new and old configuration engines in the same release. However, we do now have a v0.12.0-alpha2 release which is intended to serve the same purpose as that opt-in preview would've. Please do not use it against any "real" infrastructure -- there are still many things to fix -- but if you'd like to try it with your own examples in an experimental way, we'd be grateful for any new top-level issues if you find any non-validation-related instances where similar problems might still be occurring.

Thank you all for sharing your examples and error messages here -- they were all very useful in tracking down the different situations that were addressed in the new build, even though we didn't address each one individually in comments -- and for your continued patience while we finish up this complex release.

@iamsortiz

iamsortiz commented Jan 21, 2019

In my case the problem was also related to the parent resource, but with Azure:

  1. The error appeared at azurerm_key_vault_access_policy, which was using the values from an azurerm_key_vault
  2. azurerm_key_vault has limitations on its name length
  3. Because the variable with the Key Vault name didn't meet the requirements, it seems it could not create that parent resource.
  4. Hence the error in the child resource

But Terraform 💔 Failed to give feedback on:

  • Any problem when planning to create the Key Vault resource
  • The underlying error on why it could not create the resource

PS: I know the issue is closed; I just made the comment to ease the debugging of other fellow Terraform/Azure users that might stumble upon the same problem and end up looking at this issue, as I did.

@MattHartz

@iamsortiz I have an embedded access_policy, and if i remove it it seems to not complain. Did you happen to see that at all?

@iamsortiz

@iamsortiz I have an embedded access_policy, and if i remove it it seems to not complain. Did you happen to see that at all?

I have my KeyVault access policies as 'isolated resources' instead of embedded, so I didn't get to see the behaviour you describe.

I'll try in future refactors with the 'embedded way'.

Maybe this way if the parent resource fails, it will explicitly say so, and the error feedback will be more clear and to the point.

Thank you : D

@MattHartz

@iamsortiz Thanks for the response. Yeah that was where I was originally, experimenting in a lot of places. Small question, have you tried setting key vault secrets? If so, did you get it to work? I'm struggling with 403 errors and other GitHub issue posts haven't helped. :(

@iamsortiz

iamsortiz commented Feb 23, 2019

@MattHartz

have you tried setting key vault secrets?

Yes indeed

If so, did you get it to work?

Yes

I'm struggling with 403 errors and other GitHub issue posts haven't helped. :(

I guess you are ❌ missing a KeyVault "access policy"❌ giving you permission to write a secret (RBAC is not enough)

Example with admin-like rights:

# [EXPLANATION] You can get the "tenant_id" from this data. You'll need it to set up the KeyVault Access Policy
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault_access_policy" "AccessPolicy-Admins" {
  vault_name          = "${azurerm_key_vault.KeyVault.name}"
  resource_group_name = "${azurerm_key_vault.KeyVault.resource_group_name}"
  # [EXPLANATION] Data needed, coming from "azurerm_client_config"
  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  # [CHANGETHIS] You need the ID from an Azure Active Directory user or group here
  object_id = "${var.Auth-Admins}"
  # [EXPLANATION] Admin-like permissions
  certificate_permissions = ["create", "delete", "deleteissuers", "get", "getissuers", "import", "list", "listissuers", "managecontacts", "manageissuers", "purge", "recover", "setissuers", "update"]
  key_permissions         = ["backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list", "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"]
  secret_permissions      = ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"]
}

Good luck ! ❤️

@eyeofthetornado

I am getting similar issue trying to refer route53_resolver_endpoint id from aws_route53_resolver_rule

resource "aws_route53_resolver_endpoint" "obresolver" {
  name      = "obresolver"
  direction = "OUTBOUND"

  count          = "${var.count_subnets}"

  security_group_ids = [
    "${var.security_group_ids}"
  ]

  ip_address {
    subnet_id      = "${element(split(",", var.subnet_ids), 0)}"
    ip             = "${cidrhost(element(split(",", var.private_subnets), 0), -4)}"
  }

  ip_address {
    subnet_id      = "${element(split(",", var.subnet_ids), 1)}"
    ip             = "${cidrhost(element(split(",", var.private_subnets), 1), -4)}"
  }

  ip_address {
    subnet_id      = "${element(split(",", var.subnet_ids), 2)}"
    ip             = "${cidrhost(element(split(",", var.private_subnets), 2), -4)}"
  }

  tags             = "${merge(var.tags, var.tags_billing)}"
}

resource "aws_route53_resolver_rule" "fwd" {
  domain_name          = "${var.domain}"
  rule_type            = "FORWARD"
  resolver_endpoint_id = "${aws_route53_resolver_endpoint.obresolver.id}"

  target_ip {
    ip = "${element(var.domain_name_servers,0)}"
  }

  tags {
    Environment = "Prod"
  }
}

Error is:

module.route53_domain_1.aws_route53_resolver_rule.fwd: Resource 'aws_route53_resolver_endpoint.obresolver' not found for variable 'aws_route53_resolver_endpoint.obresolver.id'

@ghost

ghost commented Aug 13, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Aug 13, 2019