Deleting a secret that is referenced by some revision results in a long running update operation timing out

[ruslany]

Please provide us with the following information:

This issue is a: (mark with an x)

• bug report -> please search issues before submitting
• documentation issue or request
• regression (a behavior that used to work and stopped in a new release)

Issue description

Attempt to delete a secret that is referenced by some revision results in a long running update operation to time out.

Steps to reproduce

1. Create an app with a secret and a template that uses an environment variable referencing the secret. Make sure to use activeRevisionsMode: multiple
2. Update the app to remove the secret from the secrets collection and remove the environment variable from the template

Expected behavior The Update API call for step #2 should fail with an error explaining that the secret cannot be removed from the secrets collection because there are revisions that reference it.

Actual behavior The LRO times out after 10 minutes with the error details: "Operation expired"

Additional context

This was originally reported in this issue: Azure/azure-rest-api-specs#19285

[JennyLawrance]

@ruslany @ahmelsayed , is this still an active issue?

[ruslany]

This has been fixed and fix has been deployed.

Now when attempting to delete a secret that is referenced by an active revision the API call with fail with http 400 error and error description similar to this "Container App 'appname' has an active revision referencing a secret you are trying to delete. Please add secrets: 'secretname' or deactivate the revisions: 'revisionname' referencing this secret."

Also when attempting to activate an inactive revision that references a non-existent secret the API call will fail with http 400 error and error description: "Revision 'revision name' you are trying to activate has secrets with references that do not exist. Please add secret for: 'secretname'."

[oshimish]

I received this message after almost every change related to the container app. The same happens when I simply add a value to the unrelated AppConfig, etc.

provider registry.terraform.io/hashicorp/azurerm v3.65.0

azurerm_role_assignment.containerapp_config_owner will be created

• resource "azurerm_role_assignment" "containerapp_config_owner" {
  • id = (known after apply)
  • name = (known after apply)
  • principal_id = "XXX"
  • principal_type = (known after apply)
  • role_definition_id = (known after apply)
  • role_definition_name = " App Configuration Data Owner"
  • scope = "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.AppConfiguration/configurationStores/XXX"
  • skip_service_principal_aad_check = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Error: cannot remove secrets from Container Apps at this time due to a limitation in the Container Apps Service. Please see #395 for more details

[smzeng]

@oshimish could you send your sub and appname and this error to [email protected] so we can investigate further? Thank you!

[smzeng]

@oshimish Sorry for the delay in reply. I have received your email with additional info, thank you for sending it to us. The logs you provided us and this error you are receiving "Error: cannot remove secrets from Container Apps at this time due to a limitation in the Container Apps Service. Please see https://github.com/microsoft/azure-container-apps/issues/395 for more details" is from a check in the terraform code and not from Azure Container Apps team so I cannot provide any additional help on this matter.

You will have to open the issue with terraform directly, I apologize.

[dss010101]

any further updates on this? cant rebuild my container apps using terraform without this being addressed. making it not practical atm imo...