Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_key_vault_key not working for azurerm_key_vault_managed_hardware_security_module #13606

Closed
schmaxe opened this issue Oct 4, 2021 · 4 comments
Closed

azurerm_key_vault_key not working for azurerm_key_vault_managed_hardware_security_module #13606

schmaxe opened this issue Oct 4, 2021 · 4 comments
Labels
duplicate question

Comments

@schmaxe
Copy link

schmaxe commented Oct 4, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Affected Resource(s)

azurerm v2.79.1

Terraform Configuration Files

resource "azurerm_key_vault_key" "key" {
  name         = var.key_name
  key_vault_id = var.key_vault_id
  key_type     = "RSA"
  key_size     = 4096

  // max. Lifespan of 4 years (~35000h)
  expiration_date = timeadd(timestamp(), "35000h") 

  key_opts = [
    "unwrapKey",
    "wrapKey",
  ]
}

terragrunt.hcl (key)
...

dependency "hsm" {
  config_path = "../managedHSM"

  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
  mock_outputs = {
    hsm_id = "/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.KeyVault/managedHsm/HSM"
  }
} 

inputs = {
  resource_group_name     = dependency.resourcegroup.outputs.name
  resource_group_location = dependency.resourcegroup.outputs.location
  key_name = "hsm-test-key"
  key_vault_id = dependency.hsm.outputs.hsm_id
}

Debug Output


│ Error: ID was missing the vaults element

│ with azurerm_key_vault_key.key,
│ on main.tf line 4, in resource "azurerm_key_vault_key" "key":
│ 4: key_vault_id = var.key_vault_id


ERRO[0018] Hit multiple errors:
Hit multiple errors:
exit status 1

Panic Output

Expected Behaviour

Creation of the Key inside the Managed HSM

Actual Behaviour

Key wont be created because of a key vault id check that it contains ".../vaults/.."
But the Managed HSM ID looks like "..providers/Microsoft.KeyVault/managedHsm/.."

Steps to Reproduce

  • deploy and activate a managed HSM (activation through az command)
  • try to deploy a key inside the managed HSM

Important Factoids

References

#12403 was the same problem but got closed
Newer azurerm version and problem still exists
@tombuildsstuff @katbyte

  • #0000
@tombuildsstuff
Copy link
Contributor

hi @schmaxe

As mentioned in #12403, unfortunately this is a configuration issue and not a bug in Terraform - you need to specify the Resource ID of the Key Vault and not of the Managed HSM - which is what this validation is highlighting, as such you'll need to specify the correct Resource ID here for this to work. Since this is a configuration question rather than a bug in the Azure Provider I'm going to close this issue for the moment, but should you have further configuration questions I'd point you towards the community Discuss forum.

Thanks

@schmaxe
Copy link
Author

schmaxe commented Oct 5, 2021

@tombuildsstuff
Thank you for you answer. I have checked my code once again and used the hsm_uri field.
The hsm_uri looks like: https://hsmXYZ.managedhsm.azure.net/

After using this field as key_vault_id I got the following error:

│ Error: The number of path segments is not divisible by 2 in ""

│ with azurerm_key_vault_key.key,
│ on main.tf line 4, in resource "azurerm_key_vault_key" "key":
│ 4: key_vault_id = var.key_vault_id


ERRO[0032] Hit multiple errors:
Hit multiple errors:
exit status 1

Best regards

@Roshick
Copy link

Roshick commented Oct 6, 2021
edited
Loading

@tombuildsstuff

How is this not a bug or a missing feature?

The azurerm_key_vault_key parses the given key_vault_id here:

terraform-provider-azurerm/internal/services/keyvault/key_vault_key_resource.go

Line 172 in b98361e

keyVaultId, err := parse.VaultID(d.Get("key_vault_id").(string))
and therefore fails because of this part:

terraform-provider-azurerm/internal/services/keyvault/parse/vault.go

Line 60 in b98361e

if resourceId.Name, err = id.PopSegment("vaults"); err != nil {

The resource id of a managed hsm contains "managedHSMs" instead of "vaults", which would be correctly parsed with the managed_hsm parser here:

terraform-provider-azurerm/internal/services/keyvault/parse/managed_hsm.go

Line 60 in b98361e

if resourceId.Name, err = id.PopSegment("managedHSMs"); err != nil {

Hence there is currently no way to create a key within a managed hsm via the provider as there is neither a "azurerm_managed_hsm_key" resource nor an abstraction layer within azurerm_key_vault_key that would differentiate between a key_vault_id and a managed_hsm_id.

@Roshick Roshick mentioned this issue Oct 7, 2021
Closed
@github-actions
Copy link

github-actions bot commented Nov 6, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 6, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
duplicate question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tombuildsstuff @Roshick @schmaxe