-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error creating vault key in azure #479
Comments
Hi @jribmartins, Thank you for raising this issue. I was not able to reproduce the issue using the example you provided. Resources created successfully, I just removed
Could it be a situation specific to your environment? |
Hi @turkenf,
I don't have other keyvault or other keyvaultkey with the name "atestcbs3" on my subscription |
@jribmartins could you please try after removing |
Hi @turkenf I just tried, I got the same error, I'm generating random names with helm for the |
I am having a similar issue. I create a new vault and new secrets and it is all synced. Then after a few hours, all of the secrets are out of sync and say that the object already exists and needs to be imported. crossplane 1.13.2 |
In our case, after 1 hour, the secrets go ready false. I can reproduce it at will if there are any logs that would be helpful. |
Digging into this a bit, it looks the id contains the version, which is a computed element. Right now, the controller is trying to pull the version information from the object spec, but the value isn't available until after the first Observe, so creation succeeds, but the resource immediately goes to unhealthy after the first reconciliation. The solution is to switch the resources to use IdentifierFromProvider and capture the full resource id in the external-name. This will move control of the key name from the external-name annotation to |
I can reproduce it on my side too
The associated tf state within the pod is empty
As @djeremiah hinted, the main suspect is |
* Roughly follow https://github.com/upbound/upjet/blob/main/docs/add-new-resource-short.md#case-4-random-identifier-substring-from-provider * Fixes crossplane-contrib#479 Signed-off-by: Yury Tsarev <[email protected]>
I created the draft PR with the tentative fix that looks promising
|
Okay, something is super strange, I've noticed the inconsistent API behavior and rechecked the current code with the totally new vault. It also works.
Apparently it breaks during some special condition we need to figure out. |
Something similar was reported in the underlying provider hashicorp/terraform-provider-azurerm#12299 |
Can be reproduced with recreation
similar happens before and after the proposed fix. |
Okay, I understand what is happening. After key vault is getting deleted, the old keys are getting automatically recreated due to default soft deleteion ( also mentioned in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key ) In this scenario, after we apply the manifests after deletion, the keys need to be imported with external-name annotation because they already exist in a recreated, previously soft-deleted key vault. The import fails with the current implementation of the provider - the current keyVaultURLIDConf function does not have a randomized Now using the external-name annotation containing unique version string like
it is possible to successfully import the Key:
|
@jribmartins so to summarize, with the current version of provider, the creation of key vault works, but import is not. It means that the reproducer you provided will succeed with the creation of the key:
I just had to add But the external-name handling is not reliable, and the import is broken, so in case of e.g. provider pod restart, you can hit a situation similar to what @jeremypng describes. The #536 should fully solve it - I will polish it early next week, and it will require some additional cycles on extended regression testing given the change substantial blast radius. |
* Fix key vault import * Use special function to keep name + version as part of externalname so it will have a format of `key-name/84faa4674826492e9b16095719740a00` * Fixes crossplane-contrib#479 Co-authored-by: Sergen Yalçın <[email protected]> Signed-off-by: Yury Tsarev <[email protected]>
@swyngaard yes, that's the plan :) We are testing the vault Secrets as well before the merge of #536 👍 |
What happened?
I'm using the official azure provider to create a simple vault with some key.
I got always this:
"A resource with the ID xxx already exists - to be managed via Terraform this resource needs to be imported into the State."
This vault is being created also by me, has no keys, and I random generate names that's why I don't understand the error of the existing key.
How can we reproduce it?
Just apply the file attached, you just need to update tenantId and objectId values
reproduce.yaml.zip
What environment did it happen in?
The text was updated successfully, but these errors were encountered: