
azurerm_disk_encryption_set - unable to rotate azurerm_key_vault_key #22893

Merged: 16 commits merged into main from b_diskEncryption_rotation on Aug 17, 2023

Conversation

@WodansSon WodansSon commented Aug 10, 2023

Notice in the Changes to Outputs that the key_vault_key_url is reflecting that the key has in fact been rotated and is correctly modifying the output (e.g., /3bdd259d0bf14bddafd4631daf4e1527 -> /15851cd417af4e5eab096fa2ee51065d); however, due to persisting the versionless key ID in the resource and the state file itself, it does not show up as a diff.

Example of Plan output when the Key Vault Key has been Rotated

data.azurerm_client_config.current: Reading...
azurerm_resource_group.repro: Refreshing state... [id=/subscriptions/{subscription}/resourceGroups/repro-disk_encryption_set]
data.azurerm_client_config.current: Read complete after 0s [id={client_config}]
azurerm_key_vault.repro: Refreshing state... [id=/subscriptions/{subscription}/resourceGroups/repro-disk_encryption_set/providers/Microsoft.KeyVault/vaults/reproKeyVault1DES]
azurerm_key_vault_access_policy.service-principal: Refreshing state... [id=/subscriptions/{subscription}/resourceGroups/repro-disk_encryption_set/providers/Microsoft.KeyVault/vaults/reproKeyVault1DES/objectId/{objectId}]
azurerm_key_vault_key.repro: Refreshing state... [id=https://reprokeyvault1des.vault.azure.net/keys/examplekey/1c716d0b46e84ea19a4ddf3e21f72907]
azurerm_disk_encryption_set.repro: Refreshing state... [id=/subscriptions/{subscription}/resourceGroups/repro-disk_encryption_set/providers/Microsoft.Compute/diskEncryptionSets/reproDES]
data.azurerm_disk_encryption_set.existing: Reading...
azurerm_key_vault_access_policy.disk-encryption: Refreshing state... [id=/subscriptions/{subscription}/resourceGroups/repro-disk_encryption_set/providers/Microsoft.KeyVault/vaults/reproKeyVault1DES/objectId/{objectId}]
data.azurerm_disk_encryption_set.existing: Read complete after 0s [id=/subscriptions/{subscription}/resourceGroups/repro-disk_encryption_set/providers/Microsoft.Compute/diskEncryptionSets/reproDES]

Changes to Outputs:
  ~ key_vault_key_url = "https://reprokeyvault1des.vault.azure.net/keys/examplekey/3bdd259d0bf14bddafd4631daf4e1527" -> "https://reprokeyvault1des.vault.azure.net/keys/examplekey/15851cd417af4e5eab096fa2ee51065d"

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

(Fixes: #22864)
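The mechanism behind the plan output above, as an added illustration that is not the provider's own code: a small parser for Key Vault key identifiers, and a comparison that models why persisting only the versionless key ID hides a rotation from the plan. It assumes key identifiers have the form https://<vault-host>/keys/<name>[/<version>] (as in the URLs in the plan output) and deliberately simplifies the provider's Read and diff logic to a single string comparison; the two key URLs are the ones from the description.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// KeyVaultKeyID is the parsed form of a Key Vault key identifier like
// https://reprokeyvault1des.vault.azure.net/keys/examplekey/<version>.
// The trailing version segment is optional; without it the ID is "versionless".
type KeyVaultKeyID struct {
	VaultBaseURL string // https://<vault-host>
	Name         string // key name, e.g. examplekey
	Version      string // version segment, or "" for a versionless ID
}

// ParseKeyVaultKeyID accepts versioned and versionless key URLs and rejects
// anything that is not of the form https://<host>/keys/<name>[/<version>].
func ParseKeyVaultKeyID(raw string) (KeyVaultKeyID, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return KeyVaultKeyID{}, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return KeyVaultKeyID{}, fmt.Errorf("key id %q: expected an https URL with a host", raw)
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) < 2 || len(segs) > 3 || segs[0] != "keys" || segs[1] == "" {
		return KeyVaultKeyID{}, fmt.Errorf("key id %q: path must be /keys/<name>[/<version>]", raw)
	}
	id := KeyVaultKeyID{VaultBaseURL: u.Scheme + "://" + u.Host, Name: segs[1]}
	if len(segs) == 3 {
		if segs[2] == "" {
			return KeyVaultKeyID{}, fmt.Errorf("key id %q: empty version segment", raw)
		}
		id.Version = segs[2]
	}
	return id, nil
}

// VersionlessID drops the version segment; this is the form the PR
// description says is persisted in the resource and in the state file.
func (k KeyVaultKeyID) VersionlessID() string {
	return k.VaultBaseURL + "/keys/" + k.Name
}

// VersionedID keeps the version segment when one is present.
func (k KeyVaultKeyID) VersionedID() string {
	if k.Version == "" {
		return k.VersionlessID()
	}
	return k.VersionlessID() + "/" + k.Version
}

// RotationVisible is a simplified model (an assumption of this example, not
// the provider's real logic) of the plan-time comparison between the key ID
// held in state and the key URL read back from Azure. When only the
// versionless ID is persisted, a rotation (same vault, same key name, new
// version) compares equal and never surfaces as a diff; persisting the
// versioned URL makes the rotation visible.
func RotationVisible(stateID, refreshedURL string, persistVersion bool) (bool, error) {
	stored, err := ParseKeyVaultKeyID(stateID)
	if err != nil {
		return false, err
	}
	current, err := ParseKeyVaultKeyID(refreshedURL)
	if err != nil {
		return false, err
	}
	if persistVersion {
		return stored.VersionedID() != current.VersionedID(), nil
	}
	return stored.VersionlessID() != current.VersionlessID(), nil
}

func main() {
	// Key URLs taken from the plan output in the PR description.
	before := "https://reprokeyvault1des.vault.azure.net/keys/examplekey/3bdd259d0bf14bddafd4631daf4e1527"
	after := "https://reprokeyvault1des.vault.azure.net/keys/examplekey/15851cd417af4e5eab096fa2ee51065d"
	for _, persist := range []bool{false, true} {
		visible, err := RotationVisible(before, after, persist)
		if err != nil {
			panic(err)
		}
		fmt.Printf("persist version in state=%v -> rotation shows up as a diff: %v\n", persist, visible)
	}
}
```

Run as-is it prints one line per mode: with the versionless ID in state the rotation is invisible, with the versioned URL it is reported, which is exactly the gap between the Changes to Outputs block and the absent resource diff.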

@WodansSon WodansSon changed the title from "azurerm_disk_encryption_set - Unable to rotate azurerm_key_vault_key" to "azurerm_disk_encryption_set - unable to rotate azurerm_key_vault_key" Aug 10, 2023
@WodansSon WodansSon marked this pull request as draft August 10, 2023 09:09
@github-actions github-actions bot added size/XL and removed size/M labels Aug 11, 2023
@WodansSon WodansSon marked this pull request as ready for review August 11, 2023 01:20
@jackofallops jackofallops left a comment

Thanks @WodansSon

I think we need a slightly different approach here, and need to maintain the Required property on the key_vault_key_id - I've left some comments below if you can take a look over?

Thanks!

@WodansSon WodansSon marked this pull request as draft August 15, 2023 06:40
@WodansSon WodansSon marked this pull request as ready for review August 15, 2023 09:46
@WodansSon WodansSon requested a review from jackofallops August 17, 2023 02:53
@jackofallops jackofallops left a comment

Thanks for the updates @WodansSon - One comment below to address, which I'll push a change for momentarily given the discussed urgency of this one. But otherwise LGTM 👍

@jackofallops
Tests look good:

@jackofallops jackofallops merged commit 1395f68 into main Aug 17, 2023
@jackofallops jackofallops deleted the b_diskEncryption_rotation branch August 17, 2023 13:25
@github-actions github-actions bot added this to the v3.70.0 milestone Aug 17, 2023
jackofallops added a commit that referenced this pull request Aug 17, 2023
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 17, 2024
Successfully merging this pull request may close these issues.

azurerm_disk_encryption_set - azurerm_key_vault_key stuck to specific version