This repository has been archived by the owner on Feb 1, 2024. It is now read-only.

Error during devops integration #64

Closed
anaugust113 opened this issue May 10, 2021 · 4 comments

@anaugust113

Describe the bug
Error during devops integration after commit "#433 aztfmod/kv-access-policy" on aztfmod / terraform-azurerm-caf module

To Reproduce

Ran the rover command for devops integration in sandpit:

rover -lz /tf/caf/landingzones/caf_solution/add-ons/azure_devops \
  -var-folder /tf/caf/configuration/${environment}/level0/azure_devops \
  -tfstate azure_devops_contoso_demo.tfstate \
  -parallelism 30 \
  -level level0 \
  -env ${environment} \
  -a apply

Error:

Error: Invalid index

on /home/vscode/.terraform.cache/modules/caf/modules/security/keyvault_access_policies/policies.tf line 12, in module "azuread_apps":
12: object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key),var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id
|----------------
| each.value is object with 3 attributes
| each.value.lz_key is "launchpad"
| var.azuread_apps is object with 1 attribute "azdo-contoso_demo"
| var.client_config.landingzone_key is "azdo-contoso_demo"

The given key does not identify an element in this collection value.

Error: Invalid index

on /home/vscode/.terraform.cache/modules/caf/modules/security/keyvault_access_policies/policies.tf line 12, in module "azuread_apps":
12: object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key),var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id
|----------------
| each.value is object with 3 attributes
| each.value.lz_key is "launchpad"
| var.azuread_apps is object with 1 attribute "azdo-contoso_demo"
| var.client_config.landingzone_key is "azdo-contoso_demo"

The given key does not identify an element in this collection value.

Error: Invalid index

on /home/vscode/.terraform.cache/modules/caf/modules/security/keyvault_access_policies/policies.tf line 12, in module "azuread_apps":
12: object_id = var.azuread_apps[try(try(each.value.azuread_app_lz_key, each.value.lz_key),var.client_config.landingzone_key)][each.value.azuread_app_key].azuread_service_principal.object_id
|----------------
| each.value is object with 3 attributes
| each.value.lz_key is "launchpad"
| var.azuread_apps is object with 1 attribute "azdo-contoso_demo"
| var.client_config.landingzone_key is "azdo-contoso_demo"

The given key does not identify an element in this collection value.

Expected behavior
Successful integration with devops

Environment (please complete the following information):

OS: Windows 10
Rover Version aztfmod/rover:0.14.10-2104.2704

Additional context
Using the CAF starter files before merge from #56 from Azure/AL-ADOpatches

@heidecke
Contributor

@arnaudlh I see this issue also mentioned in gitter. Trying to find a workaround. Running on 2104.3 of the modules.

@heidecke
Contributor

heidecke commented May 28, 2021

I found what appears to be the fix. In the keyvault_access_policies_azuread_apps config block, the config key lz_key needs to be keyvault_lz_key.

You also need to make sure that the landingzone config block has the level set to level1, and the tfstates launchpad level changed to lower.

landingzone = {
  backend_type        = "azurerm"
  global_settings_key = "launchpad"
  level               = "level1"
  key                 = "azdo-contoso_demo"
  tfstates = {
    launchpad = {
      level   = "lower"
      tfstate = "caf_launchpad.tfstate"
    }
  }
}
keyvault_access_policies_azuread_apps = {

  level0 = {
    platform = {
      keyvault_lz_key    = "launchpad"
      azuread_app_key    = "contoso_demo"
      secret_permissions = ["Get", "List"]
    }
  }
...
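
Why the rename matters, as an added example that is not part of the original comment or of the CAF module: the lookup on policies.tf line 12 falls back to `each.value.lz_key` when choosing the landing zone key for `var.azuread_apps`, so a policy entry that sets `lz_key` to point at the Key Vault's landing zone also redirects the Azure AD app lookup. The `before` entry is an assumed reconstruction from the error output, and the object ID and the `UNRESOLVED` marker are placeholders.

```hcl
# Constructed, self-contained reproduction (no providers, no remote state).
# Run "terraform init" and "terraform apply" in an empty directory.
locals {
  # Values taken from the error output in this issue.
  client_config = { landingzone_key = "azdo-contoso_demo" }

  # Shape follows the expression on policies.tf line 12; object_id is a placeholder.
  azuread_apps = {
    "azdo-contoso_demo" = {
      contoso_demo = {
        azuread_service_principal = { object_id = "00000000-0000-0000-0000-000000000000" }
      }
    }
  }

  policies = {
    # Assumed shape of the entry that produced the error (lz_key is "launchpad").
    before = {
      lz_key             = "launchpad"
      azuread_app_key    = "contoso_demo"
      secret_permissions = ["Get", "List"]
    }
    # Entry after the rename proposed in the comment above.
    after = {
      keyvault_lz_key    = "launchpad"
      azuread_app_key    = "contoso_demo"
      secret_permissions = ["Get", "List"]
    }
  }

  # Same key resolution as policies.tf line 12, with each.value replaced by p.
  app_lz_key = {
    for name, p in local.policies :
    name => try(try(p.azuread_app_lz_key, p.lz_key), local.client_config.landingzone_key)
  }

  # Guarded lookup: the marker string flags an entry whose index does not resolve.
  object_id = {
    for name, p in local.policies :
    name => try(local.azuread_apps[local.app_lz_key[name]][p.azuread_app_key].azuread_service_principal.object_id, "UNRESOLVED")
  }
}

output "resolution" {
  value = { app_lz_key = local.app_lz_key, object_id = local.object_id }
}
```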

@heidecke
Contributor

heidecke commented May 28, 2021

Added a PR (#73) with the proposed fixes. Let me know if this also works for you @anaugust113 ?

@anaugust113
Author

anaugust113 commented Jun 23, 2021

Yes, that resolved. Thanks for the fix @heidecke
