key vault issue gist
# Identity of the principal running this apply. Its tenant_id, object_id and
# subscription_id are reused by the vault, the user access policy and the
# Azure DevOps service endpoint further down.
data "azurerm_client_config" "current" {
}
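variable "keyVaultLocation" {
  description = "Azure region used for the resource group (and therefore the Key Vault)."
  type        = string
  default     = "centralus"
}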
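variable "azTags" {
  description = "Tags applied to the resource group and the Key Vault."
  type        = map(string)
  default = {
    Owner       = "me"
    Application = "Azure DevOps Terraform Pipelines"
  }
}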
# Resource group that holds the Key Vault.
resource "azurerm_resource_group" "main" {
  # NOTE(review): var.adoProjectName is not declared in this snippet; it is
  # presumably defined in another file of the same configuration.
  name     = format("%s-rg", var.adoProjectName)
  location = var.keyVaultLocation
  tags     = var.azTags
}
# Three random words joined by hyphens; the vault name below is derived from it.
resource "random_pet" "kv-name" {
  length = 3
}
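resource "azurerm_key_vault" "keyvault" {
  # random_pet.kv-name.id is hyphen-joined words; Key Vault names are limited
  # to 24 characters, so the hyphens are stripped and the result truncated.
  name                = substr(replace(random_pet.kv-name.id, "-", ""), 0, 24)
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Soft delete keeps deleted secrets/keys/certificates (and the vault itself)
  # recoverable for a retention period instead of destroying them at once.
  # Azure does not allow it to be switched off again once enabled on a vault.
  soft_delete_enabled = true

  # Allows Azure VMs to retrieve certificates from this vault during
  # deployment. The Azure DevOps variable group below only reads secrets via
  # the service endpoint, so this flag is likely not needed for that use —
  # confirm before relying on it.
  enabled_for_deployment = true

  # NOTE(review): there is no network_acls block, so the vault's data plane is
  # reachable from any network and authorisation rests on the access policies
  # alone. A default_action = "Deny" rule would also have to admit the Azure
  # DevOps agents that read the secrets.
  tags = var.azTags
}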
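# Grant the principal running this apply (the calling user) management rights
# inside the Key Vault. These are deliberately broad so the operator can create,
# rotate, back up and recover items; the pipeline service principal receives a
# much narrower policy in "spnaccess" below. Permission names were previously a
# mix of "get" and "Get"; they are now spelled consistently in the capitalised
# form already used by the rest of the lists.
resource "azurerm_key_vault_access_policy" "access" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Get",
    "List",
    "Update",
    "Restore",
    "Backup",
    "Recover",
    "Delete",
    "Import",
    "Create",
  ]

  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ]

  certificate_permissions = [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
    "ManageContacts",
    "DeleteIssuers",
    "SetIssuers",
    "ListIssuers",
    "ManageIssuers",
    "GetIssuers",
  ]
}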
# Azure AD application that backs the service principal used by Azure DevOps.
resource "azuread_application" "adospn" {
  # NOTE(review): var.adoProjectName is not declared in this snippet.
  name = format("%s-app", var.adoProjectName)
}
# Client secret for the service principal (used by "adospn" password and by the
# Azure DevOps service endpoint credentials).
#
# NOTE(review): random_string does not mark its result as sensitive, so the
# secret is printed in plan/apply output. The random_password resource exists
# for exactly this case and redacts its result; switching to it would require
# updating the two references to random_string.password.result. Either way the
# value is stored in plain text in the Terraform state, so the state backend
# must be protected accordingly.
resource "random_string" "password" {
  special = true
  length  = 32
}
# Service principal for the application above; this is the identity Azure
# DevOps authenticates as.
resource "azuread_service_principal" "adospn" {
  application_id = azuread_application.adospn.application_id
}
# Registers the generated secret as a credential on the service principal.
resource "azuread_service_principal_password" "adospn" {
  service_principal_id = azuread_service_principal.adospn.id
  value                = random_string.password.result

  # NOTE(review): hard-coded absolute expiry. After this date the credential
  # stored in the "endpointazure" service endpoint stops authenticating and the
  # variable group can no longer read secrets, so rotation has to be planned
  # for; end_date_relative is the alternative when a lifetime measured from
  # creation is preferred.
  end_date = "2021-01-01T00:00:00Z"
}
# Control-plane (ARM) role for the pipeline service principal, scoped to the
# vault only.
#
# NOTE(review): Contributor on the vault lets the SPN modify the vault resource
# itself, including its access policies, so it could widen its own data-plane
# rights beyond the Get/List granted in "spnaccess". If the Azure DevOps
# endpoint only needs to see the vault, a read-only role would be the
# least-privilege choice — confirm what the endpoint actually requires.
resource "azurerm_role_assignment" "main" {
  scope                = azurerm_key_vault.keyvault.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.adospn.id
}
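# Data-plane access for the pipeline service principal: read secrets only.
# This is the minimal policy the Azure DevOps variable group needs. The
# permission names were a mix of "get" and "List"; they are now spelled
# consistently in the capitalised form.
resource "azurerm_key_vault_access_policy" "spnaccess" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = azurerm_key_vault.keyvault.tenant_id
  object_id    = azuread_service_principal.adospn.object_id

  secret_permissions = [
    "Get",
    "List",
  ]
}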
# Sample secret; its name must match the variable entry in the variable group
# below ("kv-secret").
#
# NOTE(review): the value is a literal in the configuration and is also kept in
# plain text in the Terraform state. Fine for a throwaway example; a real secret
# should come from a sensitive variable or be created outside Terraform.
resource "azurerm_key_vault_secret" "example" {
  name         = "kv-secret"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.keyvault.id
}
# Azure Resource Manager service connection in Azure DevOps, authenticating as
# the service principal created above.
resource "azuredevops_serviceendpoint_azurerm" "endpointazure" {
  # NOTE(review): azuredevops_project.project is not declared in this snippet.
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "AzureKeyVaultSE"

  # The SPN secret is handed to Azure DevOps here; anyone who can edit this
  # service connection in the project can use the credential.
  credentials {
    serviceprincipalid  = azuread_service_principal.adospn.application_id
    serviceprincipalkey = random_string.password.result
  }

  azurerm_spn_tenantid      = data.azurerm_client_config.current.tenant_id
  azurerm_subscription_id   = data.azurerm_client_config.current.subscription_id
  azurerm_subscription_name = "Azure KeyVault Stored Subscription"
}
# Variable group backed by the Key Vault: the listed variable is resolved from
# the vault secret of the same name through the service connection above.
resource "azuredevops_variable_group" "this" {
  # NOTE(review): azuredevops_project.project is not declared in this snippet.
  project_id  = azuredevops_project.project.id
  name        = "configuration"
  description = "configuration"

  # true shares the group with every pipeline in the project, so any pipeline
  # can read the mapped secret without a per-pipeline authorisation step;
  # set to false to require explicit authorisation.
  allow_access = true

  key_vault {
    name                = azurerm_key_vault.keyvault.name
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.endpointazure.id
  }

  # Must match azurerm_key_vault_secret.example's name.
  variable {
    name    = "kv-secret"
    enabled = true
  }
}