
Azure KeyVault receives 401 errors after each terraform plan

AlexanderDavydov1 opened this issue 2 years ago • 1 comment

Is there an existing issue for this?

  • [X] I have searched the existing issues

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.5.1

AzureRM Provider Version

3.61.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

terraform {
  required_version = "~> 1.5.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.61.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.39.0"
    }
  }
}

provider "azurerm" {
  features {}
  use_oidc = true
}

provider "azuread" {
  use_oidc = true
}

data "azurerm_subscription" "current" {}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                      = "example-terraform-test"
  location                  = azurerm_resource_group.example.location
  resource_group_name       = azurerm_resource_group.example.name
  sku_name                  = "standard"
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  enable_rbac_authorization = true
}

resource "azurerm_resource_group" "example" {
  name     = "for-test"
  location = "EastUS"
}

resource "azurerm_key_vault_secret" "example" {
  for_each = toset([
    "secret1",
    "secret2",
    "secret3",
    "secret4",
    "secret5",
    "secret6",
    "secret7",
    "secret8",
    "secret9",
    "secret10",
    "secret11",
    "secret12",
    "secret13",
    "secret14",
    "secret15",
    "secret16",
    "secret17",
    "secret18",
    "secret19",
    "secret20"
  ])
  name         = each.value
  value        = "to-be-updated"
  key_vault_id = azurerm_key_vault.example.id

  depends_on = [azurerm_role_assignment.example]
}
resource "azurerm_role_assignment" "example" {
  principal_id         = data.azurerm_client_config.current.object_id
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets Officer"
}

Debug Output/Panic Output

Log record from Azure Key Vault after terraform plan:

TenantId: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
TimeGenerated [UTC]: 2023-06-23T12:01:18.2011966Z
ResourceId: /SUBSCRIPTIONS/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/RESOURCEGROUPS/FOR-TEST/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/EXAMPLE-TERRAFORM-TEST
Category: AuditEvent
ResourceGroup: FOR-TEST
SubscriptionId: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
ResourceProvider: MICROSOFT.KEYVAULT
Resource: EXAMPLE-TERRAFORM-TEST
ResourceType: VAULTS
OperationName: Authentication
ResultType: Success
CorrelationId: 460bb20e-7881-4b29-b278-748f6a39355e
requestUri_s: https://example-terraform-test.vault.azure.net/secrets/secret9/?api-version=7.4
DurationMs: 16
CallerIPAddress: xxx.xxx.xxx.xxx
OperationVersion: 7.4
ResultSignature: Unauthorized
clientInfo_s: Go/go1.19.3 (amd64-windows) go-autorest/v14.2.1 tombuildsstuff/kermit/v0.20230530.1150329 keyvault/7.4 HashiCorp Terraform/1.5.1 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
httpStatusCode_d: 401
SourceSystem: Azure
tlsVersion_s: TLS1_2
Type: AzureDiagnostics
_ResourceId: /subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourcegroups/for-test/providers/microsoft.keyvault/vaults/example-terraform-test

Expected Behaviour

terraform plan and terraform apply shouldn't generate unexpected 401 errors on the Azure KeyVault side

Actual Behaviour

During the execution of a terraform plan, 401 errors are generated by Terraform on the Azure KeyVault side. The number of errors after each Terraform plan equals the number of secrets in the Azure KeyVault.

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. terraform plan
  4. Open created Azure Key Vault
  5. Navigate to Monitoring -> Metrics
  6. Select Total Service Api Results metric
  7. Add filter by Status Code Class = 4xx
  8. Add splitting by Activity type and Status code

Important Factoids

No response

References

No response

AlexanderDavydov1 Jun 23 '23 12:06
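Added example, not from the issue or the provider: a small Python classifier over constructed AzureDiagnostics records in the "key: value" layout of the log above. It separates the token-less bearer-challenge round-trip (OperationName Authentication answered with 401, which Key Vault returns before the client retries with a token) from 401/403 results on the secret operation itself, which are the entries a vault owner should alert on. Field names are taken from the log in the issue; the sample records, the curl caller and the SecretGet operation name are constructed.

```python
from collections import Counter
# Constructed sample records in the "key: value" layout of the issue's log.
SAMPLE_LOG = """\
OperationName: Authentication
ResultType: Success
ResultSignature: Unauthorized
httpStatusCode_d: 401
clientInfo_s: Go/go1.19.3 HashiCorp Terraform/1.5.1 terraform-provider-azurerm/dev

OperationName: SecretGet
ResultType: Success
ResultSignature: OK
httpStatusCode_d: 200
clientInfo_s: Go/go1.19.3 HashiCorp Terraform/1.5.1 terraform-provider-azurerm/dev

OperationName: SecretGet
ResultType: Failed
ResultSignature: Forbidden
httpStatusCode_d: 403
clientInfo_s: curl/8.1.2
"""


def parse_records(text):
    """Split blank-line-separated 'key: value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def classify(rec):
    """Label one record: 'challenge', 'denied' or 'ok'."""
    status = int(float(rec.get("httpStatusCode_d", "0")))
    if status == 401 and rec.get("OperationName") == "Authentication":
        return "challenge"  # token-less first leg of the bearer-challenge flow
    if status in (401, 403):
        return "denied"     # the data-plane operation itself was rejected
    return "ok"


def summarize(text):
    """Count labels, and list callers whose data-plane calls were denied."""
    records = parse_records(text)
    counts = Counter(classify(r) for r in records)
    denied_callers = sorted({r.get("clientInfo_s", "?") for r in records
                             if classify(r) == "denied"})
    return dict(counts), denied_callers
```

Run against a real AzureDiagnostics export, the "challenge" count will track the number of secrets read per plan, while anything under "denied" is a rejected data-plane call worth investigating.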