Fix: resolve duplicate Key Vault role assignment conflict in the workload zone (#998)

nnoaman · web-flow · commit 5378bd48e39d · 2026-01-15T16:03:31.000+02:00
diff --git a/deploy/terraform/terraform-units/modules/sap_landscape/key_vault_sap_landscape.tf b/deploy/terraform/terraform-units/modules/sap_landscape/key_vault_sap_landscape.tf
@@ -100,7 +100,7 @@ resource "azurerm_management_lock" "key_vault" {
 
 resource "azurerm_role_assignment" "role_assignment_msi" {
   provider                             = azurerm.deployer
-  count                                = var.key_vault.enable_rbac_authorization && var.options.assign_permissions ? 1 : 0
+  count                                = var.key_vault.user.exists && var.key_vault.enable_rbac_authorization && var.options.assign_permissions ? 1 : 0
   scope                                = var.key_vault.user.exists ? (
                                            data.azurerm_key_vault.kv_user[0].id) : (
                                            azurerm_key_vault.kv_user[0].id
@@ -132,7 +132,7 @@ resource "azurerm_role_assignment" "role_assignment_vault_ssi" {
 
 resource "azurerm_role_assignment" "role_assignment_msi_officer" {
   provider                             = azurerm.deployer
-  count                                = var.key_vault.enable_rbac_authorization && var.options.assign_permissions ? 1 : 0
+  count                                = var.key_vault.user.exists && var.key_vault.enable_rbac_authorization && var.options.assign_permissions ? 1 : 0
   scope                                = var.key_vault.user.exists ? (
                                            data.azurerm_key_vault.kv_user[0].id) : (
                                            azurerm_key_vault.kv_user[0].id
