terraform-provider-azurerm: Failed to destroy azurerm_key_vault and associated azurerm_key_vault_access_policy (30 minute timeout)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform = 0.12.29 azurerm = 2.48.0

Affected Resource(s)

  • resource "azurerm_key_vault"
  • resource "azurerm_key_vault_access_policy"

Terraform Configuration Files

resource "azurerm_key_vault" "main" {
  name                        = "keyvaultname"
  location                    = var.location
  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 90
  purge_protection_enabled    = null
  tenant_id                   = data.azurerm_client_config.current.tenant_id

  sku_name = "standard"

  network_acls {
    default_action = "Allow"
    bypass         = "AzureServices"
  }
}

resource "azurerm_key_vault_access_policy" "kv_readers_policy" {
  key_vault_id = azurerm_key_vault.main.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_group.key_vault_readers.id

  key_permissions = [
    "get",
    "list"
  ]

  secret_permissions = [
    "get",
    "list"
  ]

  storage_permissions = [
    "get",
    "list"
  ]

  certificate_permissions = [
    "get",
    "getissuers",
    "list",
    "listissuers"
  ]
}

Debug Output

Panic Output

Expected Behavior

When destroying a Key Vault the associated Key Vault Access Policies are destroyed as well.

Actual Behavior

When destroying a Key Vault the (de)provisioning process fails after 30 minutes.

Error: failed waiting for Key Vault Access Policy (Object ID: "XXXXXXXXXXXXXXXXXXXXXXXX") to apply: timeout while waiting for state to become 'notfound' (last state: 'found', timeout: 30m0s)

Error: Error updating Access Policy (Object ID "XXXXXXXXXXXXXXXXXXXXXXXX" / Application ID "") for Key Vault "key_vault_name" (Resource Group "resource_group_name"): keyvault.VaultsClient#UpdateAccessPolicy: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded

Steps to Reproduce

  1. terraform destroy

Important Factoids

This issue appears to be relatively new. The destroy process on the Key Vault and associated Key Vault Access Policies worked with the following Terraform and Azurerm versions…

Terraform = 0.12.29 azurerm = 2.46.0

References

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 45
  • Comments: 17 (2 by maintainers)

Most upvoted comments

Also suffering from this so would be good to get ETA for sorting this regression

@katbyte given that you’ve just updated the CHANGELOG.md for the v2.50.0 release (b74f30fb1ef619b468ac09e3b929953e76833a5b) and there are no PRs against this issue I can safely assume that it won’t hit that milestone. Is there any ETA as to which milestone this guy is going to get resolved in?

I experience the same issue but only since azurerm 2.48.0

I tested it with 2.46.1 and 2.47.0 where it destroys the policy just fine but when I try to use 2.48.0 the timeout occurs for the policy.

Everything tested with Terraform 0.13.6 and 0.14.7; creation and deletion were done with the same azurerm version.

If you update the permissions according to the changes in https://github.com/terraform-providers/terraform-provider-azurerm/pull/10593, then the example will work with 2.48.0.

Creating the access policy with a version prior to 2.48.0 and then trying to delete it with 2.48.0 and updated permissions will still fail.

@cdobinsky unfortunately it didn’t work for me, with terraform v0.14.6 linux amd64, azurerm v2.49.0.

Also, https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy uses non-camelcase, and the API does not use it either: https://docs.microsoft.com/en-us/rest/api/keyvault/vaults/update (see: accessPolicies)

Sometimes it works, but mostly not. In the portal I can see that the policy is still there and if I remove it manually while terraform is running it will work otherwise it will continue for 30 min and fail.
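An added diagnostic for the manual check described in the comments above (example code, not part of this issue or of the provider): it takes the JSON a vault lookup returns, reports whether an access policy for the given object ID is still present (the 'found' state the destroy keeps waiting on), and compares its permissions with the ones in the Terraform config ignoring case, so a casing-only difference after the PR 10593 change is distinguishable from a policy that really differs. The JSON shape (properties.accessPolicies[].objectId / permissions) and the sample values are assumptions and constructed for this example.

```python
import json

# Constructed sample in the shape a Key Vault resource lookup returns (assumed:
# properties.accessPolicies[] with objectId, tenantId and a permissions map).
# Object IDs and permission casing here are made up for the example.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "keyvaultname",
    "properties": {
        "accessPolicies": [
            {
                "tenantId": "00000000-0000-0000-0000-000000000000",
                "objectId": "11111111-1111-1111-1111-111111111111",
                "permissions": {
                    "keys": ["Get", "List"],
                    "secrets": ["Get", "List"],
                    "storage": ["Get", "List"],
                    "certificates": ["Get", "GetIssuers", "List", "ListIssuers"],
                },
            }
        ]
    },
})

# Permissions exactly as written in the Terraform config on this page.
TERRAFORM_PERMISSIONS = {
    "keys": ["get", "list"],
    "secrets": ["get", "list"],
    "storage": ["get", "list"],
    "certificates": ["get", "getissuers", "list", "listissuers"],
}


def find_policies(vault_json: str, object_id: str) -> list:
    """Return every access policy whose objectId matches (GUIDs compared
    case-insensitively). Non-empty means the policy is still 'found'."""
    vault = json.loads(vault_json)
    policies = vault.get("properties", {}).get("accessPolicies", [])
    return [p for p in policies if p.get("objectId", "").lower() == object_id.lower()]


def permission_diff(actual: dict, expected: dict) -> dict:
    """Per category: 'case-only' when the sets match ignoring case,
    'different' when they do not; exact matches are omitted."""
    result = {}
    for category in sorted(set(actual) | set(expected)):
        a, e = set(actual.get(category, [])), set(expected.get(category, []))
        if a == e:
            continue
        lower_a, lower_e = {x.lower() for x in a}, {x.lower() for x in e}
        result[category] = "case-only" if lower_a == lower_e else "different"
    return result
```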