
azurerm_key_vault_key expiration date update triggers force replace when upgrading azurerm provider to 3.74 or higher #24965

Closed
VeselinaElze opened this issue Feb 21, 2024 · 4 comments · Fixed by #25000

VeselinaElze commented Feb 21, 2024


We have a Key Vault key.
The expiration date auto-updates every time we deploy. It was never a problem, until we had to upgrade the provider version.
After testing different versions, I managed to upgrade up to 3.73 without any issues, but upgrading to 3.74 after that triggers a force replacement of the resource.
Not sure how to tackle this, as the vault has purge protection, so the replacement fails anyway.

Any ideas why the expiration update would cause a force replacement, or what I can do about... well, working around it?


Terraform Version

1.5.7

AzureRM Provider Version

3.74.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault_key

Terraform Configuration Files

resource "azurerm_key_vault_key" "key" {
  depends_on      = [module.keyvault]
  name            = "key"
  key_vault_id    = module.keyvault.id
  key_type        = "RSA-HSM"
  key_size        = 2048
  expiration_date = local.expriration_date

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  tags = {
    "environment"   = "dev"
    "instance-code" = ""
    "source"        = "terraform"
  }
}

Debug Output/Panic Output

# azurerm_key_vault_key.data-protection-key must be replaced
-/+ resource "azurerm_key_vault_key" "key" {
      + curve                   = (known after apply)
      ~ e                       = "AQAB" -> (known after apply)
      ~ expiration_date         = "2025-02-11T16:06:45Z" -> (known after apply) # forces replacement
      ~ id                      = "https://[retracted].vault.azure.net/keys/key/457fd121df5a452aaa8e7a5b2a6fc546" -> (known after apply)
      ~ n                       = "[retracted] " -> (known after apply)
        name                    = "key"
      ~ public_key_openssh      = <<-EOT
            ssh-rsa [retracted] 
        EOT -> (known after apply)
      ~ public_key_pem          = <<-EOT
            -----BEGIN PUBLIC KEY-----
            [retracted] 
            -----END PUBLIC KEY-----
        EOT -> (known after apply)
      ~ resource_id             = "/subscriptions/***/resourceGroups/[retracted]/providers/Microsoft.KeyVault/vaults/[retracted]/keys/key/versions/457fd121df5a452aaa8e7a5b2a6fc546" -> (known after apply)
      ~ resource_versionless_id = "/subscriptions/***/resourceGroups/[retracted]/providers/Microsoft.KeyVault/vaults/[retracted]/keys/key" -> (known after apply)
        tags                    = {
            "environment"   = "dev"
            "instance-code" = ""
            "source"        = "terraform"
        }
      ~ version                 = "457fd121df5a452aaa8e7a5b2a6fc546" -> (known after apply)
      ~ versionless_id          = "https://[retracted].vault.azure.net/keys/key" -> (known after apply)
      + x                       = (known after apply)
      + y                       = (known after apply)
        # (4 unchanged attributes hidden)
    }

Expected Behaviour

To update expiration date without recreating the resource

# azurerm_key_vault_key.data-protection-key will be updated in-place
  ~ resource "azurerm_key_vault_key" "key" {
      ~ expiration_date         = "2025-02-11T15:04:42Z" -> (known after apply)
        id                      = "https://[retracted].vault.azure.net/keys/key/457fd121df5a452aaa8e7a5b2a6fc546"
        name                    = "key"
        tags                    = {
            "environment"   = "prod"
            "instance-code" = ""

            "source"        = "terraform"
        }
        # (12 unchanged attributes hidden)
    }

Actual Behaviour

Resource is replaced

Steps to Reproduce

  1. Deploy Key on a lower azurerm provider version
  2. Upgrade to 3.74


wuxu92 (Contributor) commented Feb 23, 2024

Hi @VeselinaElze, has the local.expriration_date been updated during terraform apply? The key vault key resource will be replaced if the expiration_date is changed from a non-empty value to an empty one, which was introduced in v3.74.0.

harshavmb (Contributor) commented Feb 23, 2024

Hi @wuxu92,

Even though local.expriration_date changes on each terraform run, it's a valid case to update the parameter if it's ahead of the one specified in the state file (the Azure API does allow the update). Force-recreating the key is a bad idea, as the key will be used by disk encryption sets encrypting several virtual machine disks.

In our case, several VMs lost connectivity to their disks when this key was being replaced.

I opened a PR here to update this field if the expiration_date is ahead, rather than force-creating the key.

VeselinaElze (Author) replied

> Hi @VeselinaElze, has the local.expriration_date been updated during terraform apply? The key vault key resource will be replaced if the expiration_date is changed from a non-empty value to an empty one, which was introduced in v3.74.0.

It's never empty. I know that removing the expiration date is not an option.

    locals {
      current_time             = timestamp()
      secrets_expriration_date = timeadd(local.current_time, "8544h") # This will set the encryption keys to expire in 356 days.
    }
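The root of the churn in both the issue's configuration and the locals above is that timestamp() is re-evaluated on every plan, so expiration_date is a fresh "(known after apply)" value each run and the resource can never converge. The configuration below is an added example, not code from the issue or from the azurerm provider: it places that unstable pattern next to a stable one built on the hashicorp/time provider's time_rotating resource, and adds a prevent_destroy guard so that a plan which would replace a key still referenced by disk encryption sets fails instead of applying. module.keyvault.id, the resource names, the 356-day window and the provider version constraints are assumptions taken from the thread.

```hcl
# Added example; not from the issue or the azurerm provider.
# Assumes a key vault module exposing module.keyvault.id, as in the issue.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.74.0" }
    time    = { source = "hashicorp/time" }
  }
}

# Unstable pattern from the issue: timestamp() changes on every plan, so the
# derived expiry is unknown until apply and differs from state every run.
locals {
  current_time            = timestamp()
  expiration_date_unstable = timeadd(local.current_time, "8544h") # 356 days
}

# Stable alternative: time_rotating records the rotation date in state and only
# produces a new value once rotation_days have elapsed, so plans in between are
# clean. (356 days matches the window used in the issue; assumed value.)
resource "time_rotating" "key_expiry" {
  rotation_days = 356
}

resource "azurerm_key_vault_key" "key" {
  name            = "key"
  key_vault_id    = module.keyvault.id
  key_type        = "RSA-HSM"
  key_size        = 2048
  expiration_date = time_rotating.key_expiry.rotation_rfc3339

  key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  lifecycle {
    # Guardrail: a key wrapping disk encryption sets must never be destroyed by
    # a routine apply. Any plan that would replace this resource now errors out
    # instead of taking the VMs' disks offline.
    prevent_destroy = true

    # Fallback for provider versions that still treat the expiry change as a
    # replacement: ignore config drift on expiration_date and manage the date
    # out of band. Enable only while pinned to an affected provider version.
    # ignore_changes = [expiration_date]
  }
}
```

Between rotations the plan is empty because rotation_rfc3339 is read from state rather than recomputed. When the window elapses, time_rotating is replaced and expiration_date changes: on an affected provider version, prevent_destroy turns the resulting -/+ plan into a hard error rather than a destroyed key, which is the failure mode you want in front of disk encryption sets; on a provider version that carries the fix referenced at the top of this issue, the expiry is updated in place. The commented ignore_changes line trades Terraform-managed expiry for safety if you must stay on an affected version.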

@github-actions github-actions bot added this to the v3.94.0 milestone Feb 27, 2024

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 22, 2024