Adding existing VNet to Azure KeyVault using Pulumi fails
I have an existing key vault in Azure for which I am trying to add an existing VNet through Pulumi code. I face the below error:
error: azure:keyvault/keyVault:KeyVault resource 'exampleKeyVault' has a problem: Invalid or unknown key. Examine values at 'KeyVault.NetworkAcls.VirtualNetworkRules'.
This is my code:
```python
import pulumi
import pulumi_azure as azure
import pulumi_azure_native

# Placeholder for this snippet: resourceGroup is the name of an existing resource group.
resourceGroup = "my-resource-group"
# Tenant and object id of the principal running Pulumi.
current = azure.core.get_client_config()

example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    resource_group_name=resourceGroup,
    name="keyVaultName",
    tenant_id=current.tenant_id,
    sku_name="premium",
    soft_delete_retention_days=7,
    # These network_acls types come from pulumi_azure_native, while the
    # KeyVault resource above belongs to the pulumi_azure (classic) provider.
    network_acls=pulumi_azure_native.keyvault.NetworkRuleSetArgs(
        bypass="AzureServices",
        ip_rules=None,
        default_action="Deny",
        virtual_network_rules=[pulumi_azure_native.keyvault.VirtualNetworkRuleArgs(
            id="/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.Network/virtualNetworks/zzzz/subnets/mysubnet"
        )],
    ),
    access_policies=[azure.keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=["list", "create", "get", "purge", "recover", "delete"],
        secret_permissions=["set", "list", "get", "delete", "purge", "recover"],
    )])
```
You're passing the wrong type to your resource. network_acls doesn't take the type pulumi_azure_native.keyvault.NetworkRuleSetArgs; it takes pulumi.azure.KeyVaultNetworkAcls.
See here for more information: https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/keyvault/#keyvaultnetworkacls
You'll need something like this:
```python
import pulumi
import pulumi_azure as azure

# Placeholder for this snippet: resourceGroup is the name of an existing resource group.
resourceGroup = "my-resource-group"
# Tenant and object id of the principal running Pulumi.
current = azure.core.get_client_config()

example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    resource_group_name=resourceGroup,
    name="keyVaultName",
    tenant_id=current.tenant_id,
    sku_name="premium",
    soft_delete_retention_days=7,
    # Classic-provider type for network_acls. It takes plain subnet resource ids
    # in virtual_network_subnet_ids rather than pulumi_azure_native rule objects.
    network_acls=azure.keyvault.KeyVaultNetworkAclsArgs(
        bypass="AzureServices",
        default_action="Deny",
        ip_rules=None,
        virtual_network_subnet_ids=[
            "/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.Network/virtualNetworks/zzzz/subnets/mysubnet"
        ],
    ),
    access_policies=[azure.keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=["list", "create", "get", "purge", "recover", "delete"],
        secret_permissions=["set", "list", "get", "delete", "purge", "recover"],
    )])
```
I can also see you're making the same mistake at virtual_network_rules; you need to ensure you're not mixing provider types inside the same resource.
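As an added example (not code from the question or the answer), a plain-Python pre-deployment check for the classic provider's network_acls mapping: it reports keys the KeyVaultNetworkAcls type does not accept (the azure-native `virtual_network_rules` key from the question), a default_action other than Deny, wildcard ip_rules and malformed subnet ids. The accepted key set and subnet id pattern are assumptions taken from the KeyVaultNetworkAcls docs linked above; the input dicts are constructed samples.

```python
import re

# Keys the classic provider's KeyVaultNetworkAcls type accepts (assumption based
# on the KeyVaultNetworkAcls docs linked above).
CLASSIC_ACL_KEYS = {"bypass", "default_action", "ip_rules", "virtual_network_subnet_ids"}

# ARM resource id of a subnet; this is what virtual_network_subnet_ids expects.
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network"
    r"/virtualNetworks/[^/]+/subnets/[^/]+$"
)


def check_network_acls(acls: dict) -> list:
    """Return findings for a network_acls mapping; an empty list means it is OK."""
    findings = []
    # Mirrors the provider's "Invalid or unknown key" error: a key from the
    # azure-native NetworkRuleSet shape is rejected by the classic type.
    for key in sorted(set(acls) - CLASSIC_ACL_KEYS):
        findings.append(f"unknown key '{key}' for classic KeyVaultNetworkAcls")
    if acls.get("default_action") != "Deny":
        findings.append("default_action is not 'Deny': vault reachable from any network")
    if acls.get("bypass") not in (None, "AzureServices", "None"):
        findings.append(f"bypass must be 'AzureServices' or 'None', got {acls.get('bypass')!r}")
    for ip in acls.get("ip_rules") or []:
        if ip in ("0.0.0.0/0", "0.0.0.0", "::/0"):
            findings.append(f"ip_rules entry {ip!r} admits every address")
    for sid in acls.get("virtual_network_subnet_ids") or []:
        if not SUBNET_ID_RE.match(sid):
            findings.append(f"malformed subnet id {sid!r}")
    return findings


# Constructed sample inputs (the subnet id is the placeholder from the question).
SUBNET = ("/subscriptions/xxxx/resourceGroups/yyyy/providers/Microsoft.Network"
          "/virtualNetworks/zzzz/subnets/mysubnet")
QUESTION_ACLS = {"bypass": "AzureServices", "ip_rules": None, "default_action": "Deny",
                 "virtual_network_rules": [{"id": SUBNET}]}   # azure-native shape
FIXED_ACLS = {"bypass": "AzureServices", "default_action": "Deny", "ip_rules": None,
              "virtual_network_subnet_ids": [SUBNET]}         # classic shape
OPEN_ACLS = {"default_action": "Allow", "ip_rules": ["0.0.0.0/0"]}  # permissive config

if __name__ == "__main__":
    for name, acls in [("question", QUESTION_ACLS), ("fixed", FIXED_ACLS), ("open", OPEN_ACLS)]:
        print(name, check_network_acls(acls) or "OK")
```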