Import bootstrapped dev Key Vault policy before apply#85
Conversation
Terraform Plan (
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bd7f17b9a7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| resource "azurerm_key_vault_access_policy" "ci_deployers" { | ||
| for_each = var.ci_deployer_object_ids | ||
| for_each = setsubtract(var.ci_deployer_object_ids, [data.azurerm_client_config.current.object_id]) |
There was a problem hiding this comment.
Preserve the old CI policy state before excluding it
When an existing dev state was applied with the prior configuration, it can contain azurerm_key_vault_access_policy.ci_deployers["d487..."] for the same GitHub Actions principal now represented by deployer. This exclusion makes Terraform plan a destroy for that old address; Key Vault access policies are keyed by object ID, so that destroy deletes the same remote policy imported at deployer, leaving the CI principal without secret access after apply. Move that state address to deployer (or explicitly remove the obsolete state entry without destroying the remote policy) as part of this migration.
Useful? React with 👍 / 👎.
Summary
Fixes
Validation