terraform-provider-azurerm: azurerm_key_vault_certificate timeout / retry configuration on creation is too short
Terraform (and AzureRM Provider) Version
Terraform v1.0.0 on linux_amd64
- provider registry.terraform.io/hashicorp/azurerm v2.56.0
- provider registry.terraform.io/hashicorp/external v2.1.0
- provider registry.terraform.io/hashicorp/http v2.1.0
- provider registry.terraform.io/hashicorp/kubernetes v2.3.2
- provider registry.terraform.io/hashicorp/null v3.1.0
- provider registry.terraform.io/hashicorp/restapi v1.16.0
Affected Resource(s)
azurerm_key_vault_certificate
Terraform Configuration Files
resource "azurerm_key_vault_certificate" "le-cert" {
  for_each = { for le in local.les : le.id => le }

  lifecycle {
    ignore_changes = [
      certificate_policy,
      name,
    ]
  }

  name         = "legal-entity-${each.value.id}"
  key_vault_id = "/subscriptions/${var.azure_sub}/resourceGroups/${var.azure_rg}/providers/Microsoft.KeyVault/vaults/${var.azure_kv}"

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pem-file"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]
      subject            = "CN=${each.value.subdomain}"
      validity_in_months = 12
    }
  }
}
Debug Output
│ Error: Error waiting for Certificate "legal-entity-214" in Vault "https://mykv.vault.azure.net/" to become available: couldn't find resource (21 retries)
│
│   with azurerm_key_vault_certificate.le-cert["214"],
│   on main.tf line 33, in resource "azurerm_key_vault_certificate" "le-cert":
│   33: resource "azurerm_key_vault_certificate" "le-cert" {
│
╵
Panic Output
Expected Behaviour
Actual Behaviour
Steps to Reproduce
terraform apply
Important Factoids
Here is an extract of the diagnostic logs for one cert creation.
We can see that the CertificateEnroll arrives AFTER all the GET retries done by Terraform:
OperationName,"id_s","TimeGenerated [UTC]",ResultSignature
CertificateEnroll,"https://mykv.vault.azure.net/certificates/legal-entity-214/9667ff50c261492382bf157d7397c934","6/18/2021, 9:26:54.240 AM",
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:26:04.056 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:25:54.004 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:25:43.945 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:25:33.834 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:25:23.742 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:25:13.675 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:25:03.577 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:24:53.468 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:24:43.325 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:24:33.179 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:24:23.019 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:24:12.856 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:24:02.760 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:23:52.632 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:23:42.537 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:23:32.437 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:23:22.358 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:23:12.247 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:23:02.151 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:22:52.054 AM",OK
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:22:37.020 AM",OK
CertificateCreate,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:22:36.958 AM",Accepted
CertificateGet,"https://mykv.vault.azure.net/certificates/legal-entity-214","6/18/2021, 9:22:36.161 AM","Not Found"
References
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 9
- Comments: 16 (3 by maintainers)
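The timing argument in the issue can be checked mechanically. The following is an added example, not part of the original issue or of the provider's code: it parses a Key Vault diagnostic-log export in the column layout shown above and reports, per certificate, how long the client polled after CertificateCreate and whether CertificateEnroll was logged only after the last poll. The sample rows are abridged from the issue's log, and the function names are assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

URL = "https://mykv.vault.azure.net/certificates/legal-entity-214"
# Rows abridged from the issue's log (the full export has 21 post-create GETs).
SAMPLE = f'''OperationName,"id_s","TimeGenerated [UTC]",ResultSignature
CertificateEnroll,"{URL}/9667ff50c261492382bf157d7397c934","6/18/2021, 9:26:54.240 AM",
CertificateGet,"{URL}","6/18/2021, 9:26:04.056 AM",OK
CertificateGet,"{URL}","6/18/2021, 9:25:54.004 AM",OK
CertificateGet,"{URL}","6/18/2021, 9:22:52.054 AM",OK
CertificateGet,"{URL}","6/18/2021, 9:22:37.020 AM",OK
CertificateCreate,"{URL}","6/18/2021, 9:22:36.958 AM",Accepted
CertificateGet,"{URL}","6/18/2021, 9:22:36.161 AM","Not Found"
'''

def cert_name(url):
    # id_s looks like https://<vault>/certificates/<name>[/<version>]
    return url.split("/certificates/", 1)[1].split("/")[0]

def analyze(text):
    """Per certificate: polls after create, poll window, enrollment delay."""
    events = {}
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["TimeGenerated [UTC]"],
                               "%m/%d/%Y, %I:%M:%S.%f %p")
        events.setdefault(cert_name(row["id_s"]), []).append(
            (ts, row["OperationName"]))
    report = {}
    for name, evs in events.items():
        created = min((t for t, op in evs if op == "CertificateCreate"),
                      default=None)
        if created is None:
            continue  # no create request inside this export window
        polls = sorted(t for t, op in evs
                       if op == "CertificateGet" and t > created)
        enrolled = min((t for t, op in evs
                        if op == "CertificateEnroll" and t > created),
                       default=None)
        last_poll = polls[-1] if polls else created
        report[name] = {
            "polls_after_create": len(polls),
            "poll_window_s": (last_poll - created).total_seconds(),
            # None means enrollment never appeared in the export
            "enroll_delay_s": (enrolled - created).total_seconds()
                              if enrolled else None,
            "gave_up_before_enroll": enrolled is None or enrolled > last_poll,
        }
    return report

if __name__ == "__main__":
    for name, result in analyze(SAMPLE).items():
        print(name, result)
```

On these rows the poll window is about 207 seconds while enrollment is logged about 257 seconds after the create request, so any create timeout would need to exceed the second figure.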
@jackofallops - Support told me that they had a hotfix rolling out that was expected to be done by 7/15. Things have been working better for me. That said, if the resource wasn’t correctly honoring timeout values and this fixes it, why not merge it regardless?