Use azurerm_key_vault_access_policy to set access policy #67

Closed
bernardmaltais opened this issue Aug 7, 2020 · 3 comments
Labels
enhancement New feature or request

Comments


bernardmaltais commented Aug 7, 2020

Is your feature request related to a problem? Please describe.
The current launchpad configures the keyvault access_policy using azurerm_key_vault instead of using a separate resource called azurerm_key_vault_access_policy. This is preventing the addition of other users to the keyvault for access after the launchpad has been deployed using terraform code in other Lx blueprints.

The current launchpad does not provide a good solution to manage multi-user access for code update when not using CI/CD. I had to implement separate AAD Security Groups to manage members using a L1 blueprint and assign this Security Group to the tfstate RG for Storage Blob Data Contributor access. The issue is that I can't do the same with the current code structure for the keyvault store. (Well, technically you can, but the azurerm terraform provider documentation clearly indicates that using both azurerm_key_vault and azurerm_key_vault_access_policy will cause issues.)

Describe the solution you'd like
Move the access_policy block from the azurerm_key_vault to a separate azurerm_key_vault_access_policy resource.

Describe alternatives you've considered
Manually add the other user access policy via the portal... but I would rather do that properly through code to manage who has access to launchpad resources.

Additional context
When trying to destroy a launchpad as a different user than the one who created it I was getting:

- keyvault_name: kv-launchpad-hc26vvr07am
The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=446fe20e-1b5c-45fc-a04e-5ae7cfb66684;numgroups=13;iss=https://sts.windows.net/4e1ed7ae-062e-4ec8-b989-de8cbd452c54/' does not have secrets get permission on key vault 'kv-launchpad-hc26vvr07am;location=canadacentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
 - Name: 
Error on or near line 326: Not authorized to manage landingzones. User must be member of the security group to access the launchpad and deploy a landing zone; exiting with status 102
@bernardmaltais bernardmaltais added the enhancement New feature or request label Aug 7, 2020

bernardmaltais commented Aug 7, 2020

Here is the proposed code for the keyvault.tf file:

```hcl
resource "azurecaf_naming_convention" "keyvault" {
  for_each = var.keyvaults

  name          = each.value.name
  resource_type = "kv"
  convention    = lookup(each.value, "convention", local.global_settings.convention)
  prefix        = lookup(each.value, "useprefix", false) == true ? local.prefix_start_alpha : ""
  max_length    = lookup(each.value, "max_length", null)
}

# The vault no longer carries an inline access_policy block; all policies are
# managed by azurerm_key_vault_access_policy resources below.
resource "azurerm_key_vault" "keyvault" {
  for_each = var.keyvaults

  name                = azurecaf_naming_convention.keyvault[each.key].result
  location            = lookup(each.value, "location", local.global_settings.default_location)
  resource_group_name = azurerm_resource_group.rg[each.value.resource_group_key].name
  tenant_id           = data.azurerm_client_config.current.tenant_id

  sku_name = each.value.sku_name

  tags = {
    tfstate     = var.level
    environment = local.global_settings.environment
  }
}

# One policy per vault for the identity running terraform (secrets only, no key permissions).
resource "azurerm_key_vault_access_policy" "keyvault_access_policy" {
  for_each = azurerm_key_vault.keyvault

  key_vault_id = each.value.id

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = var.logged_user_objectId

  key_permissions    = []
  secret_permissions = ["Get", "List", "Set", "Delete"]
}
```

A bunch of other code needs to be adjusted also. See pull request below.
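The pattern proposed in this comment, shown as an added example that is not code from the issue or from the project: the vault is declared with no inline access_policy block, the deploying identity gets a secrets-management policy, and the AAD security group the reporter describes for the tfstate storage account gets a separate read-only policy on the vault. Names such as var.keyvault_name, var.launchpad_admins_group, azurerm_resource_group.rg, the azuread provider (v2 attribute names) and the explicit depends_on on the secret are assumptions made for this example.

```hcl
# Added example, not the launchpad's code. Assumed inputs: var.keyvault_name,
# var.launchpad_admins_group, an existing azurerm_resource_group.rg, and the
# azuread provider (v2 schema) alongside azurerm.

data "azurerm_client_config" "current" {}

# Security group whose members may read launchpad secrets. Access is managed by
# group membership, so no vault change is needed when a user joins or leaves.
data "azuread_group" "launchpad_admins" {
  display_name     = var.launchpad_admins_group
  security_enabled = true
}

# No access_policy block here: mixing an inline block with
# azurerm_key_vault_access_policy resources makes the two fight over the
# policy list on every apply, which is the conflict the provider docs warn about.
resource "azurerm_key_vault" "launchpad" {
  name                = var.keyvault_name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Keeps secrets recoverable if a policy or secret is removed by mistake.
  purge_protection_enabled = true
}

# Policy for the identity that runs terraform: it writes and rotates secrets,
# so it needs Set/Delete, but it has no reason to touch keys or certificates.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.launchpad.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = ["Get", "List", "Set", "Delete"]
}

# Policy for the admin group: read-only on secrets. Other Lx blueprints can add
# their own azurerm_key_vault_access_policy for further principals without
# touching this file or the vault resource.
resource "azurerm_key_vault_access_policy" "admins" {
  key_vault_id = azurerm_key_vault.launchpad.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_group.launchpad_admins.object_id

  secret_permissions = ["Get", "List"]
}

# Example secret. Terraform sees no reference from the secret to the deployer
# policy, so without depends_on it may try to write the secret before the policy
# exists and fail with the same "does not have secrets ... permission" error
# quoted in the issue.
resource "azurerm_key_vault_secret" "tfstate_storage_key" {
  name         = "tfstate-storage-account-key"
  value        = var.tfstate_storage_key # assumed sensitive input
  key_vault_id = azurerm_key_vault.launchpad.id

  depends_on = [azurerm_key_vault_access_policy.deployer]
}
```

The split also makes destroy by a second user work the way the issue expects: the second user only needs to be a member of the group, and the group's policy is the single place to review who can read launchpad secrets.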


bernardmaltais commented Aug 7, 2020

Submitted the following pull request to implement: #70


arnaudlh commented Nov 4, 2020

Closing as fixed in 2010

@arnaudlh arnaudlh closed this as completed Nov 4, 2020