
I am deploying my Azure APIM Terraform code.

resource "azurerm_api_management_subscription" "test" {
  api_management_name = upper(lower(local.apim_name))
  resource_group_name = var.resource_group_name
  user_id             = azurerm_api_management_user.test.id
  product_id          = data.azurerm_api_management_product.crm.id
  display_name        = "testCRM"
  state               = "active"
  primary_key         = var.crm_subscription_key

  depends_on = [
    azurerm_api_management_user.test,
    module.api_product_xxx
  ]
}

variable "crm_subscription_key" {
  default   = "somevalue"
  sensitive = true
}

The intention behind giving the primary key manually is that it should not change the existing key, but it always gets changed.

Can anyone provide the solution?

Daniel Mann
Sudhir Goswami
  • Please add the variable definition to the question. How are you assigning the value to the variable? – Marko E May 19 '23 at 09:15
  • @MarkoE, I have mentioned the variable assignment code as well – Sudhir Goswami May 19 '23 at 11:49
  • Ok, so are you re-assigning the value of the variable at any point? Also, there is not much point in having the variable set to sensitive, because it will be in the state file anyway. – Marko E May 19 '23 at 11:51
  • @MarkoE, No, I am not assigning the value anywhere else. Actually I need to use the default value only, not the APIM-generated one. – Sudhir Goswami May 19 '23 at 12:04

1 Answer

Check the following:

Code:

resource "azurerm_api_management_subscription" "example" {
  api_management_name = data.azurerm_api_management.example.name
  resource_group_name = data.azurerm_api_management.example.resource_group_name
  user_id             = data.azurerm_api_management_user.example.id
  product_id          = data.azurerm_api_management_product.example.id
  display_name        = "Parser API"
  state               = "active"
  primary_key         = var.subscription_key

  depends_on = [
    azurerm_api_management_user.xxx,
  ]
}

Here, while creating the variable subscription_key, mark it sensitive so that it is protected as such and not exposed anywhere.

variable "subscription_key" {
  type      = string
  default   = "3xxxxxxxxf"
  sensitive = true
}

This value can even be stored in Key Vault and referenced from there, as that is a secure way, and a lifecycle block can be used to prevent destroy, so that every time Terraform is applied the key won't be destroyed and regenerated:

lifecycle {
  prevent_destroy = true
}

Note: but this applies to the whole resource,

so specify primary_key within the ignore_changes list, which ignores changes only to the primary key and will not try to destroy it during changes to the configuration.

Code:

resource "azurerm_key_vault" "org" {
  name                       = "kkkkexamplekeyvault"
  location                   = data.azurerm_resource_group.example.location
  resource_group_name        = data.azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get",
      "Create",
      "Delete",
      "List",
      "Recover",
      "Restore",
      "UnwrapKey",
      "WrapKey"
    ]

    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete",
      "Recover",
      "Restore"
    ]
  }
}

resource "azurerm_key_vault_secret" "org" {
  name         = "subsckey"
  value        = "xxxx"
  key_vault_id = azurerm_key_vault.org.id
}

resource "azurerm_api_management_subscription" "example" {
  api_management_name = azurerm_api_management.example.name
  resource_group_name = data.azurerm_resource_group.example.name

  display_name = "exampleapi"
  state        = "active"
  # primary_key = var.subscription_key
  primary_key  = azurerm_key_vault_secret.org.value

  lifecycle {
    # prevent_destroy = true
    ignore_changes = [
      primary_key
    ]
  }

  depends_on = [
    azurerm_api_management_user.zxc,
  ]
}

Reference: How to ignore change of an attribute in block - Stack Overflow

kavyaS
  • Even after using this code, it's generating a new subscription key: primary_key = azurerm_key_vault_secret.org.value lifecycle { // prevent_destroy = true ignore_changes = [ primary_key ] } – Sudhir Goswami May 19 '23 at 11:20
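An added check, not from the question or the answer above, for catching this before apply rather than after: it walks the JSON form of a saved plan (`terraform show -json tfplan`) and reports every azurerm_api_management_subscription that would be replaced, get a provider-generated primary_key, or be given a different key. The plan embedded below is a constructed sample, not real Terraform output.

```python
SUBSCRIPTION_TYPE = "azurerm_api_management_subscription"


def key_rotation_findings(plan):
    """Return (address, reason) pairs for every APIM subscription whose
    primary_key would not survive `terraform apply`; `plan` is the parsed
    output of `terraform show -json tfplan`."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != SUBSCRIPTION_TYPE:
            continue
        change = rc["change"]
        actions = set(change.get("actions", []))
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if actions == {"create", "delete"}:
            # Replacement (e.g. api_management_name changed): Azure issues a fresh key.
            findings.append((rc["address"], "replaced: key regenerated"))
        elif actions != {"update"}:
            continue  # create, delete, read or no-op: no existing key is altered in place
        elif unknown.get("primary_key") is True:
            # Value known only after apply, so the provider lets Azure generate it.
            findings.append((rc["address"], "primary_key computed at apply"))
        elif before.get("primary_key") != after.get("primary_key"):
            findings.append((rc["address"], "primary_key set to a new value"))
    return findings


# Constructed sample plan (not real Terraform output); keys are placeholders.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "azurerm_api_management_subscription.renamed", "type": SUBSCRIPTION_TYPE,
     "change": {"actions": ["delete", "create"],
                "before": {"primary_key": "old-key-placeholder"}, "after": {"primary_key": None},
                "after_unknown": {"id": True, "primary_key": True}}},
    {"address": "azurerm_api_management_subscription.generated", "type": SUBSCRIPTION_TYPE,
     "change": {"actions": ["update"],
                "before": {"primary_key": "old-key-placeholder"}, "after": {},
                "after_unknown": {"primary_key": True}}},
    {"address": "azurerm_api_management_subscription.stable", "type": SUBSCRIPTION_TYPE,
     "change": {"actions": ["no-op"],
                "before": {"primary_key": "old-key-placeholder"},
                "after": {"primary_key": "old-key-placeholder"}, "after_unknown": {}}},
]}

if __name__ == "__main__":  # stand-alone: run against the constructed sample
    for address, reason in key_rotation_findings(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

In a pipeline, load the real plan with json.load and fail the job when the list is non-empty, so an unintended key rotation is blocked before clients lose access.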