New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_key_vault - can now be created without subscription level permissions (fixes #6059) #6260
Conversation
This commit fixes issue hashicorp#6509, in which some subscription level rights are required in order to create a key_vault. This occurred due to the provider always looking for a soft deleted key vault prior to checking whether the feature KeyVault.RecoverSoftDeletedKeyVaults was set to true. Thus event setting the value to false did not stop it searching for the soft deletions. The rights it was requiring were to perform action 'Microsoft.KeyVault/locations/deletedVaults/read' over scope '/subscriptions/xxxxxx'
This commit fixes hashicorp#6509 by building on the previous commit to: 1) Remove the (now redundant) error message returned when there's a soft deleted vault of the same name but the user doesn't want to recover it. This is already covered by an error returned by Azure. 2) Fix the acceptance test to look for the error message Azure returns in this instance, rather than the text in the removed error. 3) Fixes the test to add a secret to the soft deleted vault, as Azure will otherwise silently recover the vault anyway (even if the mode is not 'recover') in this case. 4) Fixes the test so that it doesn't purge the vault on destroy.
I'd like to link issue #6059 to this PR. |
This is good hunting, @Jawvig |
@mongrelion I've just promoted it in the Slack channel to see if we can get it into the next release. |
Great! |
This is going to save our bacon! Thankyou @Jawvig! |
Hi @Jawvig , did you manage to get a response on a release for this issue? Thanks (apologies for the incorrect tag @mongrelion) |
If this makes its way into the next release this is going to make our lives at lot easier. Thanks for the effort @Jawvig |
@a30001539 A couple of us have pushed it on the Slack channel. I know @tombuildsstuff has been knee deep in critical AKS fixes for a while, but looks like that's released now today in 2.5.0. Here's hoping a cheeky comment mention will bump it up! It's quite a simple fix. If it wasn't, I wouldn't have had the skills. :-) |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hey @Jawvig - thanks for opening this PR. We've internally discussed it and @jackofallops has reworked it to be a bit more consistent with the rest of the provider (and will shortly dive into how recovery & child items work) - for now i've pulled his changes into this PR so we can unblock key ault creation so hope you don't mind. PR LGTM now
Hi @katbyte I confess I'm confused. The new code seems to ignore the I feel I'm overlooking something here. |
This is to directly fix the linked issue here, unable to create a key vault due to lack of permissions - @jackofallops has been looking into the other issues raised in this PR and will follow up with a PR that fixes the issues around recovering keyvaults & child items within them, but that will not make it into the 2.8. Given the number of upvotes on the linked issue we figured it would be best to fix that issue sooner then later and follow up with the rest in 2.9/2.10. |
I understand it fixes the linked issue. It's just the way it does it is to change the behaviour so that it will silently fail to recover a keyvault if you don't have permissions even when In the original code in this PR, it would still fail if you didn't have permissions and explicitly set And agreed - the effect of the child objects were a separate issue and can be looked at elsewhere. It's just that I noticed when running the tests under different permissions, the test still passed anyway when it shouldn't have done, so I wasn't able to check the change was having any effect until I made those test changes. |
If the keyvault is soft deleted i believe it will then fail to create it after silently failing to recover it when it tries to recreate a vault with the same name? While the error may be different i thinkt he outcome is similar |
Yes, you're right! I hadn't considered that. Okay, I'm convinced. 😀 |
This has been released in version 2.8.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.8.0"
}
# ... other configuration ... |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
This commit fixes #6509 with the following changes:
RecoverSoftDeletedKeyVaults
flag is set totrue
(fixes #6059 )