Grant dev Terraform CI access to Key Vault#83
Conversation
Terraform Plan (
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 69a8c91c14
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| resource "azurerm_key_vault_access_policy" "ci_deployers" { | ||
| for_each = var.ci_deployer_object_ids | ||
|
|
||
| key_vault_id = azurerm_key_vault.kv.id | ||
| tenant_id = data.azurerm_client_config.current.tenant_id | ||
| object_id = each.value |
There was a problem hiding this comment.
Bootstrap CI access before refreshing managed secrets
For the existing dev vault state that this change targets, the CI identity still has no data-plane permission when the workflow invokes its normal terraform apply -auto-approve (.github/workflows/infrastructure.yml:222-227). Terraform refreshes the tracked azurerm_key_vault_secret resources before it can create this policy, so those reads receive 403 and the apply exits before this resource or its depends_on edges can take effect. Consequently, merging this commit alone leaves the failed CI run unable to apply; the policy must be granted through a bootstrap path that does not require reading the existing secrets first.
Useful? React with 👍 / 👎.
Summary
Fixes
Validation
Follow-up