terraform-azurerm-caf
Bug report - RBAC is not working on Key Vaults with other role assignments
Is there an existing issue for this?
- [X] I have searched the existing issues
Community Note
- Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Version of the module you are using
5.6.1
Rover Version
No response
Terraform Version
1.3.1
AzureRM Provider Version
2.99.0
Affected Resource(s)/Data Source(s)
azurerm_key_vault_certificate, azurerm_key_vault_certificate_issuer, azurerm_key_vault_key and azurerm_key_vault_secret
Terraform Configuration Files
https://github.com/joselcaguilar/aks-baseline-automation/tree/881f6efbafba0d95a9619d95b8941fa6ffdd5624/IaC/terraform/configuration
Expected Behaviour
Apply the Key Vault RBAC roles described on role_mapping
just after the Key Vault creation; otherwise, because we're applying roles for more resources, it waits until the end of the deployment. We should have something similar to modules\security\keyvault\initial_policy.tf
but for RBAC initial roles.
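The ordering the reporter asks for, as an added illustration that is not the module's code and not from the linked configuration: a vault with `enable_rbac_authorization = true`, an initial role assignment for the deploying identity created directly after the vault, a short propagation wait, and a certificate request that explicitly depends on that wait. All resource names, the subject name and the 60-second wait are constructed for the example; the role name "Key Vault Certificates Officer" is a built-in Azure role that covers the `Microsoft.KeyVault/vaults/certificates/read` action the 403 above was denied.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 2.99" }
    time    = { source = "hashicorp/time" }
  }
}

provider "azurerm" {
  features {}
}

# Identity running terraform apply (tenant and object id come from the ARM token)
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-kv-rbac-example" # constructed name
  location = "westeurope"
}

resource "azurerm_key_vault" "example" {
  name                      = "kvrbacexample0001" # constructed; must be globally unique
  location                  = azurerm_resource_group.example.location
  resource_group_name       = azurerm_resource_group.example.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true # data-plane authorization via Azure RBAC, no access policies
  purge_protection_enabled  = true
}

# "Initial role": granted to the deployer right after the vault exists, before any
# data-plane resource (certificate, key, secret) is touched. Other principals from
# role_mapping can still be assigned later without delaying this one.
resource "azurerm_role_assignment" "deployer_certificates_officer" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Certificates Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Role assignments are eventually consistent ("please observe propagation time"),
# so give the assignment a moment before the first GetCertificate call.
resource "time_sleep" "rbac_propagation" {
  depends_on      = [azurerm_role_assignment.deployer_certificates_officer]
  create_duration = "60s" # constructed value; tune to what your tenant needs
}

# The CSR only starts once the role is assigned and has had time to propagate.
resource "azurerm_key_vault_certificate" "csr" {
  name         = "appgateway"
  key_vault_id = azurerm_key_vault.example.id
  depends_on   = [time_sleep.rbac_propagation]

  certificate_policy {
    issuer_parameters { name = "Unknown" } # CSR to be signed by an external CA
    key_properties {
      exportable = true
      key_type   = "RSA"
      key_size   = 2048
      reuse_key  = false
    }
    secret_properties { content_type = "application/x-pkcs12" }
    x509_certificate_properties {
      subject            = "CN=appgateway.example.internal" # constructed subject
      validity_in_months = 12
      key_usage          = ["digitalSignature", "keyEncipherment"]
    }
  }
}
```

The explicit `depends_on` chain is the point: without it Terraform sees no data dependency between the certificate and the role assignment, schedules them in parallel, and the certificate's pre-create read fails with `ForbiddenByRbac` / `Assignment: (not found)` exactly as in the log below. Splitting the deployer's role out of the general `role_mapping` keeps the rest of the assignments from gating the vault's first use.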
Actual Behaviour
https://github.com/joselcaguilar/aks-baseline-automation/actions/runs/3170507723/jobs/5163131109
```text
╷
│ Error: checking for presence of existing Certificate "appgateway" in https://abc.vault.azure.net/: keyvault.BaseClient#GetCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=***;oid=98be57ac-c40d-4f91-9360-d14966671234;iss=https://sts.windows.net/***/\r\nAction: 'Microsoft.KeyVault/vaults/certificates/read'\r\nResource: '/subscriptions/***/resourcegroups/rg-bu0001a0008/providers/microsoft.keyvault/vaults/secretsvaultre1/certificates/appgateway'\r\nAssignment: (not found)\r\nVault: secretsvaultre1;location=westeurope\r\n" InnerError={"code":"ForbiddenByRbac"}
│
│ with module.caf.module.keyvault_certificate_requests["appgateway"].azurerm_key_vault_certificate.csr,
│ on .terraform/modules/caf/modules/security/keyvault_certificate_request/module.tf line 1, in resource "azurerm_key_vault_certificate" "csr":
│ 1: resource "azurerm_key_vault_certificate" "csr" {
│
╵
╷
│ Error: checking for presence of existing Certificate "wildcard-ingress" in https://abc.vault.azure.net/: keyvault.BaseClient#GetCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=***;oid=98be57ac-c40d-4f91-9360-d14966671234;iss=https://sts.windows.net/***/\r\nAction: 'Microsoft.KeyVault/vaults/certificates/read'\r\nResource: '/subscriptions/***/resourcegroups/rg-bu0001a0008/providers/microsoft.keyvault/vaults/secretsvaultre1/certificates/wildcard-ingress'\r\nAssignment: (not found)\r\nVault: secretsvaultre1;location=westeurope\r\n" InnerError={"code":"ForbiddenByRbac"}
│
│ with module.caf.module.keyvault_certificate_requests["wildcard_ingress"].azurerm_key_vault_certificate.csr,
│ on .terraform/modules/caf/modules/security/keyvault_certificate_request/module.tf line 1, in resource "azurerm_key_vault_certificate" "csr":
│ 1: resource "azurerm_key_vault_certificate" "csr" {
│
╵
```
Steps to Reproduce
Just running `terraform apply`
Important Factoids
No response
References
No response