-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable use of multiple deployment identities so can switch between GitHub Actions & local Dev Container builds #4138
Comments
Switching to a feature, as not sure its a change in behaviour. The ask is to enable multiple deployment identities to exist in parallel. I think the best way to do this would be to have an array of For example when we create the keyvault administrator role:
We do it for the current deployment ID and any also additional ones in config.yaml. |
@marrobi just to say I'm relatively comfortable with the workaround for this one - so not a priority for me. Just wanted to get it documented in case other people experience it - I'd (wrongly) assumed terraform would be able to switch out the deployer identities on the KV. |
@jonnyry thanks, I thought it was going to be an easy fix, but our scripts that read the config.yaml don't support arrays. I have it working in python, but converting the bah scripts to Python is more than I want to embark on right now. |
Summary
Deploying using GitHub Actions then switching and deploying (to the same TRE instance) using a DevContainer errors during the DevContainer deployment due to KeyVault permissions issue.
Problem occurs because the deployment methods use different user accounts (service principal vs user account) & Key Vault RBAC permissions are set up for one during the first deployment, and terraform errors when trying to read the Key Vault during the plan stage of the second deployment.
Steps to recreate
1. Deploy new TRE instance using GitHub Actions
Key Vault is set up with 'Key Vault Secrets Administrator' role applied to the CICD service principal account
2. Redeploy to same TRE instance using DevContainer, error occurs:
Terraform cannot read KV secrets during the plan stage as there is no 'Key Vault Secrets Administrator' RBAC role set up for the current user.
Workaround
Manually assign a Key Vault Administrator role to your user account at a scope higher than the Key Vault itself, such as the resource group or the subscription. If you assign to the Key Vault itself, terraform will error when trying to replace the role on the DevContainer deployment:
The text was updated successfully, but these errors were encountered: