Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Key Vault: support for soft delete #1805

Closed
wants to merge 1 commit into from

Conversation

janboll
Copy link

@janboll janboll commented Aug 21, 2018

Adding the features from closed #1517

@janboll
Copy link
Author

janboll commented Aug 21, 2018

Created a new PR due to my git clumsiness 👎

@leewilson86
Copy link
Contributor

leewilson86 commented Jan 4, 2019

@tombuildsstuff Are the changes in this PR due to be released as part of 1.21.0? Or will it be released in a later version?

We have hit a scenario where the soft-delete and purge-protection features are becoming critical for us.

Our workaround at the moment is by firing Azure PowerShell/Azure CLI commands to apply soft-delete and purge-protection which is messy in my opinion, and it also adds dependencies for developers to have either Azure Powershell or Azure CLI installed on their machines in order to run the TF for Key Vault.

We have considered having PowerShell scripts accessed as an Azure Function to apply soft-protection and purge-protection but this makes maintaining our IaC more complex than it needs to be.

Setting the following:

enabled_for_soft_delete = true
enabled_for_purge_protection = true

... is way better than something like this:

resource "null_resource" "akv-protection" {
    provisioner "local-exec" {
        command = "az keyvault update --name MyKeyVault --enable-soft-delete true --enable-purge-protection true --subscription ********"
    }
}

This PR would really benefit us, and we would really like to see it released as part of this 1.21.0 or an upcoming version not in the too distant future.

@leewilson86
Copy link
Contributor

@tombuildsstuff @katbyte is there any update on when this PR will be released? Is it still targetted for v1.21.0 as per the milestones?

Thanks

@katbyte katbyte modified the milestones: 1.21.0, 2.0.0 Jan 11, 2019
@tombuildsstuff
Copy link
Contributor

hey @janboll

Sorry for the delayed comment here - we've discussed internally why this is blocked but I've just realised we haven't commented to explain why here 🤦‍♂️.

This PR's complicated due to the purge_on_delete flag: whilst it's possible to retrieve the value of this field in the delete if the Terraform Configuration is present (e.g. if someone's running terraform destroy) it's not present (and thus will always return the default value for a bool [false]) if somebody's removed the Terraform Configuration for the resource (for example if the resource has been deleted in the local file, but exists in Azure, so a terraform plan will show this requiring deletion).

Our current thinking is that it could be possible for Terraform to enable purge protection on the Resource, but that running terraform destroy should actually completely destroy (e.g. purge) this resource. This would allow accidental deletions outside of Terraform to be recoverable, but allows Terraform to fulfil its promise of actually destroying the infrastructure when you run terraform destroy (e.g. so that the Resource Group can also be deleted). Whilst we have precedent for Resources in Terraform which exist and do soft deletions, these apply only to the keys (e.g. in AWS the aws_kms_key resource) - which are top-level resources whereas in Azure the presence of the Key Vault and the Resource Group makes this more complicated, since this will prevent them from being destroyed.

Thinking some more about this, originally I thought that this may need to go in 2.0 (since it was a breaking behavioural change, which is why this has been blocked) - but on reflection I believe if we lookup the state of the resource in the delete and purge it if soft-delete is enabled we should be able to ship this in a 1.x release - what do you think?

Thanks!

@tombuildsstuff tombuildsstuff removed their assignment Feb 26, 2019
@tombuildsstuff tombuildsstuff changed the title Key vault add soft delete Key Vault: support for soft delete Feb 26, 2019
@tombuildsstuff
Copy link
Contributor

hey @janboll

Just to give an update here - we'll be taking a look at the work required for 2.0 in the not-too-distant future; however since this is blocked on that (since this'll need to be rolled out as a part of 2.0). Rather than leaving this PR open stagnant I'm going to temporarily close this PR for the moment, but we'll re-open this and take another look when we start work on the 2.0 milestone in the not-too-distant future.

Thanks!

@ghost
Copy link

ghost commented Apr 17, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 17, 2019
@ghost ghost removed the waiting-response label Apr 17, 2019
@WodansSon
Copy link
Collaborator

Porting changes to new code base with PR #5344

@ghost
Copy link

ghost commented Feb 24, 2020

This has been released in version 2.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.0.0"
}
# ... other configuration ...

@ghost ghost unlocked this conversation Feb 24, 2020
@ghost ghost locked and limited conversation to collaborators Feb 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants