Azure Secrets #7

Open
erichrockman opened this issue May 19, 2021 · 0 comments
Labels
help wanted Extra attention is needed

@erichrockman
Testing the use of azure key vault secrets and running into a few issues. These are the scenarios I am testing:

  1. KeyVault not found
  2. Secret disabled
  3. Secret not found
  4. Secret deleted
  5. Secret present but not active (activation start > date)
  6. Secret expired (date > expiration date)

I have all my kv values in base.tfvars and reference them in variables.tf

```hcl
fwCommonUserName = "<%= azure_secret("fwCommonUserName") %>"
```

```hcl
variable "fwCommonUserName" {
  description = "The common firewall username."
}
```

It appears that the plugin is putting the message in the value when there is a problem. It would be more helpful to return the value as null so that one can use tf input variable validation to determine if one should go on without the secret.

My results:

  1. when doing ts up I get the message "WARN: Vault not found " on stdout and tf tries to replace the resource

```text
module.spokeNetwork["sharedServices"].module.spokeNetworkInstance["web"].azurerm_windows_virtual_machine.vm_spoke_instance must be replaced

-/+ resource "azurerm_windows_virtual_machine" "vm_spoke_instance" {
~ admin_password = (sensitive value)
~ admin_username = "vmadmin" -> "WARN: Vault not found " # forces replacement
```

  2. similar to 1. but the message is "WARN: Operation get is not allowed on a disabled secret." and it tries to replace the resource

```text
module.fwPaloAltoTransitCommon01.azurerm_linux_virtual_machine.vm_firewall must be replaced

-/+ resource "azurerm_linux_virtual_machine" "vm_firewall" {
~ admin_username = "vmadmin" -> "Operation get is not allowed on a disabled secret." # forces replacement
```

  3. similar to 1. and 2. but the message is "WARN: A secret with (name/id) fwCommonUserNames was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182" and it tries to replace the resource

```text
module.fwPaloAltoTransitCommon01.azurerm_linux_virtual_machine.vm_firewall must be replaced

-/+ resource "azurerm_linux_virtual_machine" "vm_firewall" {
~ admin_username = "vmadmin" -> "A secret with (name/id) fwCommonUserNames was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182" # forces replacement
```

  4. same message as 3. and it tries to replace the resource
  5. and 6. the start and expiration dates are ignored. the resource gets created/modified as usual.
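As an added example (not from the issue or the Terraspace project), here is what the input-variable validation the reporter mentions could look like in variables.tf, so that a plan fails instead of an error string silently becoming the VM admin username; Terraform 0.13 or later is needed for `validation` blocks, and the allowed username pattern is an assumption:

```hcl
# variables.tf (added example; the username pattern is assumed, not from the issue)
variable "fwCommonUserName" {
  description = "The common firewall username."
  type        = string

  # Covers the behaviour the issue asks for: if the helper returns null when the
  # vault or secret cannot be read, stop the plan rather than provisioning
  # without the secret.
  validation {
    condition     = var.fwCommonUserName != null
    error_message = "fwCommonUserName is null: the Key Vault secret could not be resolved."
  }

  # Covers today's behaviour, where the lookup error text ("WARN: Vault not
  # found ", "Operation get is not allowed on a disabled secret.", ...) is
  # returned as the value and would otherwise be applied as admin_username.
  # can() turns a regex mismatch (or a null argument) into false, so any
  # message containing spaces or punctuation is rejected at plan time.
  validation {
    condition     = can(regex("^[A-Za-z][A-Za-z0-9_-]{0,19}$", var.fwCommonUserName))
    error_message = "fwCommonUserName does not look like a username; check whether the vault name is wrong or the secret is missing, disabled, or deleted."
  }
}
```

Cases 5 and 6 (secret not yet active, secret expired) cannot be caught this way, because in those cases the real secret value comes back and the plan proceeds as usual; that check has to live in the helper that reads the vault.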
@tongueroo tongueroo added the help wanted Extra attention is needed label Jan 5, 2022