fix: refactor Key Vault access policies to avoid import issues

EstopaceMA · EstopaceMA · commit 1e32e4ed8e14 · 2025-11-19T10:59:26.000+08:00
diff --git a/infra/modules/keyvault/keyvault.tf b/infra/modules/keyvault/keyvault.tf
@@ -3,6 +3,32 @@
 # ------------------------------------------------------------------------------------------------------
 data "azurerm_client_config" "current" {}
 
+locals {
+  # Build list of access policies dynamically
+  access_policies = concat(
+    [
+      # Access policy for the current Terraform client (local runs)
+      {
+        tenant_id = data.azurerm_client_config.current.tenant_id
+        object_id = data.azurerm_client_config.current.object_id
+        secret_permissions = [
+          "Get", "List", "Set", "Delete", "Purge", "Recover"
+        ]
+      }
+    ],
+    # Conditionally add GitHub Actions access policy if object_id is provided
+    var.github_actions_principal_id != null ? [
+      {
+        tenant_id = data.azurerm_client_config.current.tenant_id
+        object_id = var.github_actions_principal_id
+        secret_permissions = [
+          "Get", "List", "Set", "Delete", "Purge", "Recover"
+        ]
+      }
+    ] : []
+  )
+}
+
 resource "azurerm_key_vault" "kv" {
   name                     = "${var.prefix}-kv"
   location                 = var.location
@@ -13,34 +39,20 @@ resource "azurerm_key_vault" "kv" {
 
   tags = var.tags
 
-  # Access policy for the current Terraform client (local runs)
-  access_policy {
-    tenant_id = data.azurerm_client_config.current.tenant_id
-    object_id = data.azurerm_client_config.current.object_id
-
-    secret_permissions = [
-      "Get", "List", "Set", "Delete", "Purge", "Recover"
-    ]
+  # Apply all access policies (local client + GitHub Actions if provided)
+  dynamic "access_policy" {
+    for_each = local.access_policies
+    content {
+      tenant_id          = access_policy.value.tenant_id
+      object_id          = access_policy.value.object_id
+      secret_permissions = access_policy.value.secret_permissions
+    }
   }
 }
 
-# Access policy for GitHub Actions service principal (CI/CD)
-resource "azurerm_key_vault_access_policy" "github_actions" {
-  count        = var.github_actions_principal_id != null ? 1 : 0
-  key_vault_id = azurerm_key_vault.kv.id
-  tenant_id    = data.azurerm_client_config.current.tenant_id
-  object_id    = var.github_actions_principal_id
-
-  secret_permissions = [
-    "Get", "List", "Set", "Delete", "Purge", "Recover"
-  ]
-}
-
 resource "azurerm_key_vault_secret" "secrets" {
   count        = length(var.secrets)
   name         = var.secrets[count.index].name
   value        = var.secrets[count.index].value
   key_vault_id = azurerm_key_vault.kv.id
-
-  depends_on = [azurerm_key_vault_access_policy.github_actions]
 }
