I'm running the scenario with App Gateway as an alternative to Front Door because of separate issue #114
```text
╷
│ Error: checking for presence of existing Secret "agwcert" (Key Vault "https://kv-sbox-lz-uy2qx.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Public network access is disabled and request is not from a trusted service nor via an approved private link.\r\nCaller: appid=***;oid=ed2bd1f9-d1ff-43f4-8c04-b9ccc91635df;iss=https://sts.windows.net/***/\r\nVault: kv-sbox-lz-uY2QX;location=australiaeast" InnerError=***"code":"ForbiddenByConnection"***
│
│ with module.applicationGateway.module.appGatewayAddCertificates.azurerm_key_vault_secret.sslCertSecret,
│ on modules/application-gateway/certificate-config/main.tf line 12, in resource "azurerm_key_vault_secret" "sslCertSecret":
│ 12: resource "azurerm_key_vault_secret" "sslCertSecret" ***
│
╵
```
If you provide your client IP address, the Public IP address of the machine executing the Terraform deployment, it will be added to the Network ACL for the KeyVault used to house the Application Gateway certificate and it will allow you to proceed through the entire deployment.
If you would like to keep the KeyVault fully private, you will need to comment out the Application Gateway module in the [main.tf](https://file+.vscode-resource.vscode-cdn.net/home/neil/code/dbc/dbc.lz/terraform/main.tf) and leave the clientIP value blank in your tfvars file. Follow the [instructions for deploying Application Gateway separately on your jump box](https://file+.vscode-resource.vscode-cdn.net/home/neil/code/dbc/dbc.lz/terraform/modules/06-application-gateway/main.tf).
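The mechanism described in the reply above, as an added illustration that is not code from this repository: a Key Vault that holds the Application Gateway certificate, denies public traffic by default, and admits only the deployer's public IP when the `clientIP` variable is set. The resource and variable names here are placeholders; it is an assumption that the repository's module also toggles `public_network_access_enabled` together with the IP rule, which is what the `ForbiddenByConnection` error above implies is required for an IP rule to take effect.

```hcl
# Added example, not from the repository. Placeholder names throughout.
data "azurerm_client_config" "current" {}

variable "clientIP" {
  description = "Public IP of the machine running terraform apply; leave blank to keep the vault fully private"
  type        = string
  default     = ""
}

locals {
  # The vault opens to the public endpoint only when a deployer IP is supplied.
  allow_deployer = var.clientIP != ""
}

resource "azurerm_key_vault" "agw_cert" {
  name                = "kv-placeholder"
  location            = "australiaeast"
  resource_group_name = "rg-placeholder"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Assumption: an ip_rules entry is only honoured when public access is on,
  # so both are driven by the same condition.
  public_network_access_enabled = local.allow_deployer

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"   # lets Application Gateway fetch the certificate
    ip_rules       = local.allow_deployer ? [var.clientIP] : []
  }
}
```

With `clientIP` blank the vault stays private and only traffic arriving through trusted Azure services or an approved private link (for example, from a jump box inside the VNet) can read the secret, which is why the fully private path requires running the Application Gateway module from there. The network ACL is separate from data-plane authorization: the identity running Terraform still needs an access policy or RBAC role on the vault, but the 403 in this thread is the network check (`ForbiddenByConnection`), not a permissions failure.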
I'm trying to run Terraform in a GitHub Actions workflow and the Service Principal has owner role with subscription scope. It mentions commenting out the App Gateway module. Do you really mean this? You can't create App GW with SP?