ERROR: azure_rm_keyvault fails when enableSoftDelete is False
SUMMARY
Setting the enable_soft_delete parameter of the azure_rm_keyvault module to false for an entirely new key vault results in the following error:
"msg": "Error creating the Key Vault instance: Azure Error: BadRequest\nMessage: The property \"enableSoftDelete\" can be set to false only for creating new vault. Enabling the 'soft delete' functionality is an irreversible action."
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure_rm_keyvaultsecret.py
ANSIBLE VERSION
ansible 2.9.8
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
I have also gotten this error when testing on Ansible v2.9.13.
CONFIGURATION
DEFAULT_VAULT_PASSWORD_FILE(env: ANSIBLE_VAULT_PASSWORD_FILE) = /root/.ansible/.vault_password
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
OS / ENVIRONMENT
New Azure environment containing only a resource group and virtual network.
STEPS TO REPRODUCE
---
- hosts: azure
  # NOTE: Make certain prerequisites and azcollection modules
  # are installed per the documentation on Ansible Galaxy:
  # https://galaxy.ansible.com/azure/azcollection
  collections:
    - azure.azcollection
  gather_facts: no
  vars:
    client_abbreviation: acme
    client_environment: tst
    deployment: "{{ client_abbreviation }}{{ client_environment }}"
    azure:
      location: northcentralus
      resource_group: "{{ deployment }}"
      storage_account: "{{ deployment }}sadeploy"
      keyvaults:
        - name: acmetstkvdemo
          enable_soft_delete: no
          tags:
            override: virtualnetwork
          # Access policy entries use the flat layout the module expects
          # (object_id, application_id, then the keys/secrets/certificates lists).
          access_policy:
            - object_id: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
              application_id: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
              certificates:
                - get
                - list
                - delete
                - create
                - import
                - update
                - managecontacts
                - getissuers
                - listissuers
                - setissuers
                - deleteissuers
                - manageissuers
                - recover
                - purge
              keys:
                - encrypt
                - decrypt
                - wrapkey
                - unwrapkey
                - sign
                - verify
                - get
                - list
                - create
                - update
                - import
                - delete
                - backup
                - restore
                - recover
                - purge
              secrets:
                - get
                - list
                - set
                - delete
                - backup
                - restore
                - recover
                - purge
  tasks:
    - name: "{{ azure.keyvaults[0].name }} : Key Vault"
      azure_rm_keyvault:
        resource_group: "{{ azure.keyvaults[0].resource_group | default(azure.resource_group) }}"
        vault_name: "{{ azure.keyvaults[0].name }}"
        enabled_for_deployment: "{{ azure.keyvaults[0].enabled_for_deployment | default(false) }}"
        enabled_for_disk_encryption: "{{ azure.keyvaults[0].enabled_for_disk_encryption | default(false) }}"
        enabled_for_template_deployment: "{{ azure.keyvaults[0].enabled_for_template_deployment | default(false) }}"
        # Defaults to true; the vars above override it to false for this vault.
        enable_soft_delete: "{{ azure.keyvaults[0].enable_soft_delete | default(true) }}"
        vault_tenant: "{{ azure.keyvaults[0].vault_tenant | default(lookup('env', 'AZURE_TENANT')) }}"
        sku:
          # Omit family when not given; fall back to the standard SKU name.
          family: "{{ (azure.keyvaults[0].sku.family) if (azure.keyvaults[0].sku.family is defined)
                      else (false) | default(omit, true) }}"
          name: "{{ (azure.keyvaults[0].sku.name | lower) if (azure.keyvaults[0].sku.name is defined)
                    else ('standard') }}"
        # The policy list is defined on the vault entry in vars, so reference it there.
        access_policies: "{{ azure.keyvaults[0].access_policy }}"
...
EXPECTED RESULTS
Expected results, depending on status of environment:
- Creation of a new key vault when one does not exist.
- Ignoring of the enable_soft_delete parameter when the key vault does exist.
In other words, even though the Azure API does not allow the enableSoftDelete property to be used when updating an existing key vault, as an Ansible user I would expect the key vault module to handle that for me. I would not expect to see an error, either on creation or on subsequent runs.
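The idempotent behaviour asked for above, as an added example that is not the module's own code: a hypothetical helper, plan_soft_delete, that decides what an update should send for enableSoftDelete given the vault's current state. It encodes only the rule Azure states in the error text, that false is accepted only when a vault is created and that soft delete cannot be reverted once enabled, and it surfaces the resulting drift as a warning instead of failing the task.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Decision:
    send: Optional[bool]    # value for properties.enableSoftDelete; None means omit it
    changed: bool           # True if the vault's soft-delete state would change
    warning: Optional[str]  # drift or risk the playbook author should be told about


def plan_soft_delete(existing: Optional[bool], requested: Optional[bool]) -> Decision:
    """Hypothetical helper (not the azure_rm_keyvault module's own code).

    existing  - the vault's current enableSoftDelete, or None if the vault does not exist yet
    requested - the module's enable_soft_delete argument, or None if not given
    """
    if existing is None:
        # New vault: the API accepts either value here; if omitted Azure defaults to true.
        if requested is False:
            return Decision(False, True,
                            "creating vault without soft delete: deleted objects cannot be recovered")
        return Decision(requested, True, None)
    if requested is True and existing is False:
        # Enabling on an existing vault is allowed, but irreversible.
        return Decision(True, True, None)
    if requested is False and existing is True:
        # The API rejects this ("can be set to false only for creating new vault"),
        # so leave the property out of the update instead of failing the task.
        return Decision(None, False,
                        "enable_soft_delete=false ignored: soft delete cannot be disabled once enabled")
    # Not requested, or already in the desired state: do not touch the property.
    return Decision(None, False, None)


def vault_properties(existing: Optional[bool], requested: Optional[bool], tenant_id: str) -> dict:
    """Build the properties fragment of a create_or_update body from the decision."""
    props = {"tenantId": tenant_id, "sku": {"family": "A", "name": "standard"}}
    decision = plan_soft_delete(existing, requested)
    if decision.send is not None:
        props["enableSoftDelete"] = decision.send
    return props


if __name__ == "__main__":
    # The issue's case: a brand-new vault with enable_soft_delete: no.
    print(plan_soft_delete(None, False))
    # Second run once the vault exists with soft delete on: the false is dropped, not sent.
    print(plan_soft_delete(True, False))
```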
ACTUAL RESULTS
ansible-playbook output:
TASK [acmetstkvdemo : Key Vault] ************************************************************************************************************************************************************
task path: /root/deploy/kv.yml:68
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir /root/.ansible/tmp/ansible-tmp-1600107793.8676393-1789-257390481661248 && echo ansible-tmp-1600107793.8676393-1789-257390481661248="` echo /root/.ansible/tmp/ansible-tmp-1600107793.8676393-1789-257390481661248 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvault.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-1782dgag9rfy/tmp5voje51j TO /root/.ansible/tmp/ansible-tmp-1600107793.8676393-1789-257390481661248/AnsiballZ_azure_rm_keyvault.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1600107793.8676393-1789-257390481661248/ /root/.ansible/tmp/ansible-tmp-1600107793.8676393-1789-257390481661248/AnsiballZ_azure_rm_keyvault.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1600107793.8676393-1789-257390481661248/AnsiballZ_azure_rm_keyvault.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1600107793.8676393-1789-257390481661248/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
File "/tmp/ansible_azure_rm_keyvault_payload_gdb_x4tm/ansible_azure_rm_keyvault_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvault.py", line 451, in create_update_keyvault
File "/usr/local/lib/python3.6/dist-packages/azure/mgmt/keyvault/v2018_02_14/operations/vaults_operations.py", line 127, in create_or_update
**operation_config
File "/usr/local/lib/python3.6/dist-packages/azure/mgmt/keyvault/v2018_02_14/operations/vaults_operations.py", line 81, in _create_or_update_initial
raise exp
[WARNING]: Azure API profile latest does not define an entry for KeyVaultManagementClient
fatal: [azure]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"access_policies": [
{
"application_id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"object_id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"permissions": {
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover",
"purge"
],
"keys": [
"encrypt",
"decrypt",
"wrapkey",
"unwrapkey",
"sign",
"verify",
"get",
"list",
"create",
"update",
"import",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"storage": null
},
"tenant_id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
],
"ad_user": null,
"adfs_authority_url": null,
"api_profile": "latest",
"append_tags": true,
"auth_source": "auto",
"cert_validation_mode": null,
"client_id": null,
"cloud_environment": "AzureCloud",
"enable_soft_delete": false,
"enabled_for_deployment": false,
"enabled_for_disk_encryption": false,
"enabled_for_template_deployment": false,
"location": null,
"password": null,
"profile": null,
"recover_mode": null,
"resource_group": "acmetst",
"secret": null,
"sku": {
"name": "standard"
},
"state": "present",
"subscription_id": null,
"tags": null,
"tenant": null,
"vault_name": "acmetstkvdemo",
"vault_tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
},
"msg": "Error creating the Key Vault instance: Azure Error: BadRequest\nMessage: The property \"enableSoftDelete\" can be set to false only for creating new vault. Enabling the 'soft delete' functionality is an irreversible action."
}
@craigforr I'm sorry for not replying to this problem in time. According to the error log, the parameter enable_soft_delete is irreversible and cannot be changed once it is set. Please refer to the following documents, thank you! link: https://docs.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/create-or-update
Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false.