Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for more granular purge_soft_delete_on_destroy #10273

Closed
rpieterick opened this issue Jan 21, 2021 · 2 comments · Fixed by #15800
Closed

Support for more granular purge_soft_delete_on_destroy #10273

rpieterick opened this issue Jan 21, 2021 · 2 comments · Fixed by #15800
Labels
enhancement service/key-vault Key Vault
Milestone
v3.0.0

Comments

@rpieterick
Copy link

rpieterick commented Jan 21, 2021
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Documentation for the purge_soft_delete_on_destroy provider features states that it applies to azurerm_key_vault, azurerm_key_vault_certificate, azurerm_key_vault_key and azurerm_key_vault_secret. We have a use case where we'd like the feature configured differently for azurerm_key_vault versus azurerm_key_vault_certificate, azurerm_key_vault_key and azurerm_key_vault_secret.

I'm setting the purge_soft_delete_on_destroy feature to false to prevent errors when deleting a key vault using an SPN that does not have the subscription level purge permission. However that feature setting causes azurerm_key_vault_certificate replacement to fail when updating an existing certificate even though the SPN has all certificate permissions in the key vault access policy.

Partial output from terraform apply:

Terraform will perform the following actions:

  # module.cert.azurerm_key_vault_certificate.pfx must be replaced
-/+ resource "azurerm_key_vault_certificate" "pfx" {
      ~ certificate_attribute = [
          - {
              - created        = "2021-01-21T19:47:35Z"
              - enabled        = true
              - expires        = "2023-01-21T16:46:31Z"
              - not_before     = "2021-01-21T16:46:31Z"
              - recovery_level = "Recoverable+Purgeable"
              - updated        = "2021-01-21T19:47:35Z"
            },
        ] -> (known after apply)
      ~ certificate_data      = "<cert data>" -> (known after apply)
      ~ id                    = "https://a3qarrrkvt03t.vault.azure.net/certificates/RRRTEST-ACME-NET-INTERNAL/6458eeee0afa4e1dae75645e14d51a26" -> (known after apply)
        key_vault_id          = "/subscriptions/3d66dc2c-7be9-474a-89fe-1a00b0511b0e/resourceGroups/A3QARRRRSG01T/providers/Microsoft.KeyVault/vaults/A3QARRRKVT03T"
        name                  = "RRRTEST-ACME-NET-INTERNAL"
      ~ secret_id             = "https://a3qarrrkvt03t.vault.azure.net/secrets/RRRTEST-ACME-NET-INTERNAL/6458eeee0afa4e1dae75645e14d51a26" -> (known after apply)
        tags                  = {
            "Application"          = "TFE Dev Integration Testing"
            "Application-Code"     = "RRR"
            "Business-Criticality" = "NA"
            "Environment"          = "Quality-Assurance"
            "Owner"                = "rpieterick"
            "Owner-Email"          = "[email protected]"
        }
      ~ thumbprint            = "EB43A3138D5F97C8E57A4AAEFA148A1A1A55C854" -> (known after apply)
      ~ version               = "6458eeee0afa4e1dae75645e14d51a26" -> (known after apply)

      ~ certificate {
          ~ contents = (sensitive value)
            password = (sensitive value)
        }

      ~ certificate_policy {
            issuer_parameters {
                name = "Self"
            }

            key_properties {
                exportable = true
                key_size   = 2048
                key_type   = "RSA"
                reuse_key  = false
            }

            secret_properties {
                content_type = "application/x-pkcs12"
            }

          ~ x509_certificate_properties {
              ~ extended_key_usage = [
                  - "1.3.6.1.5.5.7.3.2",
                  - "1.3.6.1.5.5.7.3.1",
                ] -> (known after apply)
              ~ key_usage          = [
                  - "digitalSignature",
                  - "keyEncipherment",
                ] -> (known after apply)
              ~ subject            = "<subject>" -> (known after apply)
              ~ validity_in_months = 25 -> (known after apply)

              ~ subject_alternative_names {
                  ~ dns_names = [
                      - "rrr-test.acme.net",
                      - "rrrtest.acme.net",
                    ] -> (known after apply)
                  ~ emails    = [] -> (known after apply)
                  ~ upns      = [] -> (known after apply)
                }
            }
        }
    }


module.cert.azurerm_key_vault_certificate.pfx: Destroying... [id=https://a3qarrrkvt03t.vault.azure.net/certificates/RRRTEST-ACME-NET-INTERNAL/6458eeee0afa4e1dae75645e14d51a26]
module.cert.azurerm_key_vault_certificate.pfx: Still destroying... [id=https://a3qarrrkvt03t.vault.azure.net/c...ERNAL/6458eeee0afa4e1dae75645e14d51a26, 10s elapsed]
module.cert.azurerm_key_vault_certificate.pfx: Destruction complete after 12s
module.cert.azurerm_key_vault_certificate.pfx: Creating...

Error: keyvault.BaseClient#ImportCertificate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Certificate RRRTEST-ACME-NET-INTERNAL is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the certificate can only be recovered or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}

  on .terraform/modules/cert/keyvault.tf line 24, in resource "azurerm_key_vault_certificate" "pfx":
  24: resource "azurerm_key_vault_certificate" "pfx" {

New or Affected Resource(s)

  • azurerm_key_vault, azurerm_key_vault_certificate, azurerm_key_vault_key and azurerm_key_vault_secret

Potential Terraform Configuration

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
    key_vault_certificate {
      purge_soft_delete_on_destroy = true
    }
    key_vault_key {
      purge_soft_delete_on_destroy = true
    }
    key_vault_secret {
      purge_soft_delete_on_destroy = true
    }
  }
}

References
@tombuildsstuff tombuildsstuff mentioned this issue Nov 15, 2021
Closed
@tombuildsstuff tombuildsstuff mentioned this issue Dec 2, 2021
Closed
@opslivia opslivia added this to the v3.0.0 milestone Dec 15, 2021
@tombuildsstuff tombuildsstuff mentioned this issue Mar 11, 2022
Merged
@github-actions
Copy link

This functionality has been released in v3.0.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 24, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement service/key-vault Key Vault
Projects
None yet
Milestone
v3.0.0
Development

Successfully merging a pull request may close this issue.

provider: enabling 3.0 mode hashicorp/terraform-provider-azurerm
3 participants
@tombuildsstuff @rpieterick @opslivia