Is your feature request related to a problem? Please describe.
The current launchpad configures the keyvault access_policy using azurerm_key_vault instead of using a separate resource called azurerm_key_vault_access_policy. This is preventing the addition of other users to the keyvault for access after the launchpad has been deployed using terraform code in other Lx blueprints.
The current launchpad does not provide a good solution to manage multi-user access for code updates when not using CI/CD. I had to implement separate AAD Security Groups to manage members using a L1 blueprint and assign this Security Group to the tfstate RG for Storage Blob Data Contributor access. The issue is that I can't do the same with the current code structure for the keyvault store. (Well, technically you can, but the azurerm terraform provider documentation clearly indicates that using both azurerm_key_vault and azurerm_key_vault_access_policy will cause issues.)
Describe the solution you'd like
Move the access_policy block from the azurerm_key_vault to a separate azurerm_key_vault_access_policy resource.
Describe alternatives you've considered
Manually add the other user access policy via the portal... but I would rather do that properly through code to manage who has access to launchpad resources.
Additional context
When trying to destroy a launchpad as a different user than the one who created it I was getting:
- keyvault_name: kv-launchpad-hc26vvr07am
The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=446fe20e-1b5c-45fc-a04e-5ae7cfb66684;numgroups=13;iss=https://sts.windows.net/4e1ed7ae-062e-4ec8-b989-de8cbd452c54/' does not have secrets get permission on key vault 'kv-launchpad-hc26vvr07am;location=canadacentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
- Name:
Error on or near line 326: Not authorized to manage landingzones. User must be member of the security group to access the launchpad and deploy a landing zone; exiting with status 102
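The layout the request asks for, as an added example that is not part of the issue or of the launchpad code base: the vault carries no inline access_policy block, and every policy is its own azurerm_key_vault_access_policy resource, one for the identity running terraform and one for an AAD security group managed elsewhere. Resource names, the location, the variable holding the group object ID and the permission lists are assumptions for illustration; permission names use the capitalised form of the azurerm 3.x provider (2.x expects them in lowercase).

```hcl
# Added example, not the launchpad's own code. Assumes azurerm provider 3.x.
# Key Vault with NO inline access_policy block; every policy lives in a
# separate azurerm_key_vault_access_policy resource so that other blueprints
# (or a security group) can be granted access after the launchpad is deployed.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "launchpad" {
  name     = "rg-launchpad-example" # assumed name
  location = "canadacentral"        # assumed location
}

resource "azurerm_key_vault" "launchpad" {
  name                = "kv-launchpad-example" # assumed name
  location            = azurerm_resource_group.launchpad.location
  resource_group_name = azurerm_resource_group.launchpad.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Deliberately no access_policy {} blocks here: mixing inline policies with
  # azurerm_key_vault_access_policy resources makes the two fight over the
  # same policy list on every apply.
}

# Policy for the identity running terraform. It writes the launchpad secrets,
# so it needs the full secret lifecycle, including what destroy requires.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.launchpad.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
}

# Object ID of the AAD security group whose membership is managed in another
# blueprint (the L1 group from the issue). Placeholder variable, assumed here.
variable "launchpad_operators_object_id" {
  description = "Object ID of the AAD security group allowed to read launchpad secrets"
  type        = string
}

# Policy for the security group. Read-only on secrets is enough for a group
# member to run plan/apply/destroy as a different user than the creator, which
# is exactly the "does not have secrets get permission" failure quoted above.
resource "azurerm_key_vault_access_policy" "operators" {
  key_vault_id = azurerm_key_vault.launchpad.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.launchpad_operators_object_id

  secret_permissions = ["Get", "List"]
}
```

Because access policies are evaluated against the caller's group memberships, adding or removing a user from the security group is all that is needed afterwards; no further change to the launchpad state is required. The caveat from the provider documentation still applies: once policies are managed this way, nobody may add an inline access_policy block back to the azurerm_key_vault resource, or the next apply will start removing the separately managed policies.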