Azure / terraform-azurerm-avm-res-keyvault-vault

Azure Verified Module for Key Vault
https://registry.terraform.io/modules/Azure/avm-res-keyvault-vault/azurerm/latest
MIT License

[AVM Module Issue]: certificate contact change (removes contact) / create loop #169

Closed monty124 closed 1 month ago

monty124 commented 1 month ago

Check for previous/existing GitHub issues

Issue Type?

Bug

(Optional) Module Version

No response

(Optional) Correlation Id

No response

Description

Certificate contacts seem to be requesting destruction and creation on successive terraform plan / applies.

module definition:

module "azure_keyvault" {
  source = "Azure/avm-res-keyvault-vault/azurerm"
  enable_telemetry = false
  name = var.KeyVaultResourceName
  tenant_id = data.azurerm_client_config.existing.tenant_id
  resource_group_name = data.azurerm_resource_group.existing.name
  location = data.azurerm_resource_group.existing.location
  legacy_access_policies_enabled = false
  sku_name = "standard"
  network_acls = {
    ip_rules = var.AllowedIPs
    bypass = "AzureServices"
    default_action = "Allow"
  }
  tags = var.tags
  purge_protection_enabled = true
  soft_delete_retention_days = 90

  role_assignments = local.RBACUsers
  wait_for_rbac_before_contact_operations = {
    create = "60s"
  }
  contacts = {
    "contact" = {
      email = var.CertificateContactEmail
    }
  }

}

On apply, the resource is created successfully; however, subsequent plans state that the resource is updated, removing the contact:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.azure_keyvault.azurerm_key_vault.this will be updated in-place
  ~ resource "azurerm_key_vault" "this" {
        id                              = "<redacted>"
        name                            = "<redacted>"
        tags                            = {
            <redacted>
        }
        # (13 unchanged attributes hidden)

      - contact {
          - email = "<redacted>" -> null
            name  = null
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

After applying this, the contact is indeed deleted, and issuing a plan again gives you a request to add a contact:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.azure_keyvault.azurerm_key_vault_certificate_contacts.this[0] will be created
  + resource "azurerm_key_vault_certificate_contacts" "this" {
      + id           = (known after apply)
      + key_vault_id = "<redacted>"

      + contact {
          + email = "<redacted>"
            name  = null
            # (1 unchanged attribute hidden)
        }
    }

Apply this and the contact is created again.

Performing another plan, the loop starts again, when the expected result should be that the configuration matches and no changes are needed.

matt-FFFFFF commented 1 month ago

Hi there,

Are you using the latest version of the module?

matt-FFFFFF commented 1 month ago

rr

monty124 commented 1 month ago

Hi @matt-FFFFFF, thanks for the reply! My apologies, I thought I added this to the bug submission; it looks like I'm using the latest version. modules.json: "Source":"registry.terraform.io/Azure/avm-res-keyvault-vault/azurerm","Version":"0.9.1","Dir":".terraform/modules/azure_keyvault"

The only other version block I have in my main.tf is this:

terraform {
  required_version = "~> 1.9"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.98.0"
    }
  }
}

monty124 commented 1 month ago

It looks like I've found the issue; it's an azurerm issue and not the module.

I've bumped this to 4.2 and it's now working as expected:

terraform {
  required_version = "~> 1.9"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=4.2.0"
    }
  }
}

> terraform plan
module.azure_keyvault.time_sleep.wait_for_rbac_before_contact_operations[0]: Refreshing state... [id=2024-09-19T03:43:27Z]
....
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Note the breaking changes for azurerm >=4.0, kids!

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/4.0-upgrade-guide

Apologies for any inconvenience, @matt-FFFFFF.
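The loop in the original report (one plan removes the contact, the next re-creates it) is a non-converging configuration, and the provider bump in the last comment is what made the plan come back clean. As an added example, not code from the AVM module or from the issue participants, the script below checks saved `terraform plan -no-color` output for convergence and flags that flip-flop pattern from two consecutive post-apply plans. The three sample plan texts are constructed to mirror the issue; the resource addresses in them are taken from the thread and used as placeholders.

```shell
#!/bin/sh
# Added example; not code from the AVM module or the issue reporter.
# Checks saved `terraform plan -no-color` output for convergence and flags
# the perpetual-diff pattern from the issue (contact removed on one plan,
# re-created on the next). The sample plan texts below are constructed to
# mirror the issue; resource addresses are placeholders from the thread.

# Print "ADD CHANGE DESTROY" from the plan summary, "0 0 0" when Terraform
# reports no changes, or nothing when no summary line is present.
plan_counts() {
  if printf '%s\n' "$1" | grep -q '^No changes\.'; then
    echo "0 0 0"
    return 0
  fi
  printf '%s\n' "$1" \
    | sed -n 's/^Plan: \([0-9]*\) to add, \([0-9]*\) to change, \([0-9]*\) to destroy\..*/\1 \2 \3/p' \
    | head -n 1
}

# Print "yes" if the plan reports zero changes, "no" otherwise.
plan_converged() {
  case "$(plan_counts "$1")" in
    "0 0 0") echo yes ;;
    *)       echo no ;;
  esac
}

# Print the resource addresses the plan intends to act on, one per line.
planned_addresses() {
  printf '%s\n' "$1" | awk '/^ *# [^ ]+ (will be|must be) /{print $2}'
}

# Print "yes" when two consecutive post-apply plans both report changes:
# the configuration is not converging and each apply undoes the last one.
perpetual_diff() {
  if [ "$(plan_converged "$1")" = no ] && [ "$(plan_converged "$2")" = no ]; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample: plan 1, taken right after a clean apply (the 3.98.0 behaviour).
PLAN_REMOVE=$(cat <<'EOF'
Terraform will perform the following actions:

  # module.azure_keyvault.azurerm_key_vault.this will be updated in-place
  ~ resource "azurerm_key_vault" "this" {
      - contact {
          - email = "<redacted>" -> null
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
EOF
)

# Constructed sample: plan 2, taken after applying plan 1.
PLAN_CREATE=$(cat <<'EOF'
Terraform will perform the following actions:

  # module.azure_keyvault.azurerm_key_vault_certificate_contacts.this[0] will be created
  + resource "azurerm_key_vault_certificate_contacts" "this" {
      + contact {
          + email = "<redacted>"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
EOF
)

# Constructed sample: plan after the provider bump, as in the final comment.
PLAN_CLEAN=$(cat <<'EOF'
No changes. Your infrastructure matches the configuration.
EOF
)

printf 'plan 1 converged:   %s\n' "$(plan_converged "$PLAN_REMOVE")"
printf 'plan 1 touches:     %s\n' "$(planned_addresses "$PLAN_REMOVE")"
printf 'plan 2 converged:   %s\n' "$(plan_converged "$PLAN_CREATE")"
printf 'perpetual diff:     %s\n' "$(perpetual_diff "$PLAN_REMOVE" "$PLAN_CREATE")"
printf 'after provider fix: %s\n' "$(plan_converged "$PLAN_CLEAN")"
```

To use it against real runs, capture each plan with `terraform plan -no-color > planN.txt` after an apply and pass `"$(cat planN.txt)"` to the functions; two consecutive post-apply plans that both report changes is the signal to look at provider or module behaviour rather than at your own configuration. If you only need a pass/fail gate in CI, `terraform plan -detailed-exitcode` (exit 0 for no changes, 2 for changes) does the same job without parsing text.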