Fix cross sub creation failure on keyvault embedded resources #14047
Conversation
|
hey @magodo This code it's used to workaround an issue where the Storage Account has been deleted outside of Terraform, which means that any calls to the Data Plane API return a DNS failure rather than an error. We intentionally use the Key Vault ID rather than the Key Vault Data Plane URI on these nested resources so that we can detect that these nested resources should be deleted when the parent resource requires changes in Terraform. In addition caches and locks within the Azure Provider assume that we're scoped to a Subscription, rather than attempting to manage cross-subscription - as such we intentionally require that users use a provider alias for secondary subscriptions for that purpose. From what I can see in #11059 this is similar to the problem discussed in #13409 (comment), where it appears the Azure SDK for Go (or rather the base library Thanks! |
|
@tombuildsstuff I've tested locally that given a vault and a secret, if I remove the vault via the Also worth mentioning, this PR is not only meant to support the cross subscription issue. But to remove the unnecessary query on the vault resource, which in this case causes intermittent issues, probably due to the |
|
@magodo fwiw this issue highlights the scenario I'm referring too (albeit this is retrying): Azure/azure-sdk-for-go#16371 - the related problem here being that the Azure DNS is cached for extended periods depending on where it's accessed from Since there's no confirmation that this fixes the issue (as we have no reliable repro for this issue) - this needs to be fixed in the base layer of the Azure SDK here unfortunately. |
|
@tombuildsstuff Thanks for providing the issue, that clarifies a lot! Do you think it makes sense that we use a context with small intervals when reading the secret, and gracefully handle the DNSError, e.g. resetting the ID in BTW, there is one confirmation that this PR works in the issue: #11059 (comment). |
|
@magodo if I'm honest based on this comment it sounds like the source of this is an upstream bug in the API which has since been resolved, so I don't think this is something we need to fix in Terraform at all, the Service Team has fixed the broken API? |
|
I've just faced this issue and wanted to chime in to discuss this. We're creating enterprise applications ( We want to create the Key vault secrets in our central Pipeline where we also create the principals. I assumed this would work, as the Key vault data plane is not related to the subscription. It turns out the So, it would work if the additional check (removed in this PR) would be gone, but right now I'm blocked without any real solution. @tombuildsstuff, @magodo, maybe we can look further into this, because the upstream issue described in this comment is not realated to my issue. |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
The existance check on the Keyvault in the Keyvault embedded resources are redundent here.
Even worse, it will cause failures to create a a embedded resource (e.g. a secret) from subB in a Keyvault that is created in the subA, since the Resource list API used will default to assume the scope is subB in the
Readfunction of the embedded resource, which causes issues described in #11059.Also, removing the existance check on the Keyvault also eliminates the potential issues caused by the resource list API as discussed in #13719.
Fixes #11059.