terraform-provider-azurerm: azurerm_key_vault not setting purge protection and error when attempting to purge keys.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureRM Provider) Version
I am using azurerm provider 2.41.0 and terraform binary 0.14.3
Affected Resource(s)
azurerm_key_vault
Terraform Configuration Files
```hcl
resource "azurerm_key_vault" "key_vault" {
  location            = var.resource-location
  name                = "${var.agency-name}-${var.department-name}-${var.application-name}-${var.environment}-kv"
  resource_group_name = "zus1-${var.agency-name}-${var.application-name}-${var.environment}-v1-rg"
  sku_name            = var.key-vault-sku-name
  tenant_id           = data.azurerm_client_config.current_client_config.tenant_id

  soft_delete_enabled      = false
  purge_protection_enabled = false

  tags = merge(local.common_tags, map("type", "key-vault"))
}
```
Debug Output
Error: purging Secret "sql-1-password" (Key Vault "https://my-key-vault.vault.azure.net/"): keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="NotSupported" Message="Operation "purge" is not enabled for this vault."
Expected Behaviour
I expect the key vault to be created with enablePurgeProtection: false and a terraform destroy to not error out when removing a key vault.
Actual Behaviour
The key vault is created, but purge protection is null and not false: … "enablePurgeProtection": null, "enableRbacAuthorization": false, "enableSoftDelete": false, "enabledForDeployment": false, "enabledForDiskEncryption": false, "enabledForTemplateDeployment": false, …
A terraform destroy results in the error in debug output.
Steps to Reproduce
terraform destroy
Important Factoids
This was working last week as of Thursday or Friday.
References
This may be related to
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 51
- Comments: 24 (4 by maintainers)
@jackofallops
For us this is very consistent since this morning at least. Create environment, then destroy and we get this error. If we simply run destroy again we get a permission error (presumably the policy access was deleted successfully) and running a 3rd and all consecutive times reports the key vault cannot be found. Rerun create again and then destroy and the 409 error comes back.
So to summarise, the first destroy we run always gets a 409 on the key vault secrets now. We are running azurerm 2.47.0 and terraform 0.14.7. But I bumped the versions hoping it would fix it. This morning we were on azurerm 2.44.0 and terraform 0.14.4 with the exact same problem.
@mattduguid Yeah, I tested it with both and the behaviour was still funny. I did some tests just now, and Terraform is deploying the KeyVault the right way. The problem was basically that attaching a KeyVault to an Azure Machine Learning workspace automatically activates Purge Protection on that KeyVault. So Terraform deploys without purge protection, then AzureML turns it on, and then Terraform tries to turn purge protection from true to nil, and it can't do that because purge protection can't be deactivated.
Then when destroying the environment, if you have the option "purge deleted keyvaults" set to true, AzureML (and maybe other attached services have this behaviour as well) turns on purge protection, Terraform tries to purge on delete, and everything fails.
I'm trying to figure out why AzureML is activating purge protection on the attached key vault.
My previous problem seems to be resolved after upgrading to terraform 0.14.7 and azurerm 2.48.0, but I'm experiencing the 409 error now as well:
Error: purging Secret "admin-password" (Key Vault "https://...-kv.vault.azure.net/"): keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Secret is currently being deleted." InnerError={"code":"ObjectIsBeingDeleted"}
My provider settings are the following:
Setting purge_soft_delete_on_destroy to false solves my issue but this doesn't solve my issue. It seems @jackofallops is on the right track with the comment about a potential bug or inconsistency between the read and purge operations.
I am getting the same error on azurerm 2.43.0. I'm using a module to deploy virtual machines in Azure using GitLab CI and a service principal. I used to store the storage account access key in the module, but I've removed that feature. When I try to run the module again it attempts to delete the secret in the key vault (not the key vault itself), and I get the following:
Error: purging Secret "sa-access-key" (Key Vault "https://…vault.azure.net/"): keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=xxx;oid=xxx;iss=https://sts.windows.net/xxx/' does not have secrets purge permission on key vault '…;location=westeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
This is even though I am certain the service principal has the right access to the key vault:
I'm using the following config:
And for the provider configuration:
Our pipelines are dead in the water due to this bug and our heavy reliance on azure key vault.
Using hashicorp/azurerm v2.41.0 I am also facing the same issue when destroying secrets for the first time. Getting the below error: keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="NotSupported" Message="Operation "purge" is not enabled for this vault." This deletes secrets but does not delete KeyVault.
When running terraform destroy again after the first attempt, it destroys the key vault, but gives the following error: Message="The user, group or application does not have secrets delete permission on key vault." This deletes the resources but gives the error message.
I gave my service principal the purge permission as documented here and I still get the error posted in the opening notes.
My key vault sp permissions creation code is now
Also, soft delete is enabled.
Edit: When I posted the above I had forgotten to enable soft delete. I enabled that in the key vault and when running terraform destroy I now see…
Which seems like it would be obvious during a destroy that the secret is being deleted.
Same problem: using 2.54. The KV was created with purge_protection_enabled = false/null (or omitted), then on another run it says purge protection is enabled AND, like @daguito81 notes, this KV is being attached to a ML workspace.
Same for me on an apply: Error: purging Certificate "91-cert" (Key Vault "https://91-uks.vault.azure.net/"): keyvault.BaseClient#PurgeDeletedCertificate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="NotSupported" Message="Operation "purge" is not enabled for this vault."
Using azurerm 2.41.0 and not setting purge_protection_enabled (so should have default of false).
Cert was removed though in above run (not unexpected due to code change) and subsequent attempt re-created it.
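As an added example (not from the provider or from anyone in this thread), a small Python triage helper that parses the autorest error lines quoted throughout the thread and maps the 400 NotSupported, 409 ObjectIsBeingDeleted and 403 ForbiddenByPolicy variants to the causes the comments identify. The sample lines are constructed, and the field names and the cause labels are this example's own.

```python
import json
import re
from typing import Optional

# Constructed sample lines in the shape of the autorest errors quoted in this thread
# (vault URL and object names are made up for this example).
SAMPLE_ERRORS = [
    'Error: purging Secret "sql-1-password" (Key Vault "https://example-kv.vault.azure.net/"): '
    'keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=400 -- '
    'Original Error: autorest/azure: Service returned an error. Status=400 Code="NotSupported" '
    'Message="Operation "purge" is not enabled for this vault."',
    'Error: purging Secret "admin-password" (Key Vault "https://example-kv.vault.azure.net/"): '
    'keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=409 -- '
    'Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" '
    'Message="Secret is currently being deleted." InnerError={"code":"ObjectIsBeingDeleted"}',
    'Error: purging Secret "sa-access-key" (Key Vault "https://example-kv.vault.azure.net/"): '
    'keyvault.BaseClient#PurgeDeletedSecret: Failure responding to request: StatusCode=403 -- '
    'Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" '
    'Message="The application does not have secrets purge permission on key vault." '
    'InnerError={"code":"ForbiddenByPolicy"}',
]

# Object kind/name, vault URL, service status, code, message (which may itself contain
# unescaped quotes, as the NotSupported message does) and the optional InnerError JSON.
ERROR_RE = re.compile(
    r'purging (?P<kind>\w+) "(?P<name>[^"]+)" \(Key Vault "(?P<vault>[^"]+)"\).*?'
    r'Status=(?P<status>\d{3}) Code="(?P<code>[^"]+)" '
    r'Message="(?P<message>.*)"(?:\s+InnerError=(?P<inner>\{.*\}))?$'
)

def parse_purge_error(line: str) -> Optional[dict]:
    """Split one provider error line into fields; None if it is not a purge error."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    # InnerError is a small JSON object; keep only its code (None when absent)
    fields["inner"] = json.loads(fields["inner"])["code"] if fields["inner"] else None
    return fields

def diagnose(err: dict) -> str:
    """Map status, code and inner code to the causes discussed in this thread."""
    if err["status"] == 400 and err["code"] == "NotSupported":
        return "purge_protection_enabled"   # vault has purge protection on; purge cannot succeed
    if err["status"] == 409 and err["inner"] == "ObjectIsBeingDeleted":
        return "soft_delete_in_progress"    # purge raced the soft delete; retry once it completes
    if err["status"] == 403 and err["inner"] == "ForbiddenByPolicy":
        return "missing_purge_permission"   # principal's access policy lacks the purge permission
    return "unknown"
```

Running `diagnose(parse_purge_error(line))` over a pipeline's failed destroy log separates the vault-side condition (purge protection turned on, possibly by an attached service) from the transient 409 and the access-policy 403, which call for different fixes.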