F5Networks / f5-azure-arm-templates-v2

Azure Resource Manager Templates for quickly deploying BIG-IP services in Azure

key vault parent resource not found - failover template #16

Closed JeffGiroux closed 2 years ago

JeffGiroux commented 2 years ago

Describe the bug

During deployment of the failover template, the access template fails at creation of the keyvault/add policy.

Error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"ParentResourceNotFound","message":"Can not perform requested operation on nested resource. Parent resource 'giroux-kv3' not found."}]}

Expected behavior

The access template should find the key vault based on the supplied secretID (the global URL of the key vault). However, it seems it is now scoped to the resource group instead of the subscription.

Current behavior

Deployment fails because the Azure Key Vault cannot be found:

"properties": {
"statusCode": "NotFound",
"statusMessage": "{\"error\":{\"code\":\"ParentResourceNotFound\",\"message\":\"Can not perform requested operation on nested resource. Parent resource 'giroux-kv3' not found.\"}}",
"eventCategory": "Administrative",
"entity": "/subscriptions/xxxx/resourcegroups/girouxha5/providers/Microsoft.KeyVault/vaults/giroux-kv3/accessPolicies/add",
"message": "Microsoft.KeyVault/vaults/accessPolicies/write",
"hierarchy": "e569f29e-b098-4cea-b6f0-48fa8532d64a/xxxx"
},

Notice resourcegroup = girouxha5, but that is my BIG-IP RG, not the key vault RG based on the URL I supplied for secretID.

Upon further digging into the Azure logs, it appears that the keyvault/add is trying to occur in the BIG-IP resource group as opposed to the source resource group of the key vault. More investigation leads to needing a subscription-scope deployment, but then that messes up the child templates, as they all require a 'location' parameter which is dynamically retrieved from resourceGroup, but only if a resource-group-scope deployment is done.

Possible solution

An Azure support ticket is probably needed for a better solution. Also, maybe investigate a subscription-scope deployment, but that will require changes to all child templates to add location as a parameter.

Steps to reproduce

  1. Deploy the failover template.
  2. The key vault will fail to be found.

Screenshots

n/a

Context

n/a

Your Environment

n/a

JeffGiroux commented 2 years ago

workaround

You must have the key vault in the same resource group as the deployment for now, until the template is fixed.

  1. Create the resource group:

     az group create -n $resourceGroupName -l $region

  2. Create the key vault in the same RG and add the secret:

     az keyvault create --name $resourceGroupName --resource-group $resourceGroupName --location $region
     az keyvault secret set --vault-name $resourceGroupName --name my-bigip-password --value "Password123"

Once I did this, the access child template completed.
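The failure described in the bug report and the workaround above come down to one mismatch: the template resolves the vault name from the secretID URL, but the nested `Microsoft.KeyVault/vaults/<name>/accessPolicies/add` resource is deployed at resource-group scope, so ARM looks for the vault in the BIG-IP deployment's resource group rather than in the one that actually holds it. The pre-flight check below is an added example (not part of this issue or of the f5-azure-arm-templates-v2 project) that catches that mismatch before the deployment is submitted. It parses the vault name out of a secretID URL, resolves the vault's real resource group with `az keyvault show` (which searches the subscription, not a single resource group), and refuses to proceed unless the two resource groups match. The function names, the sample URL and the resource-group names in the usage comments are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not project code: pre-flight check for the
# "ParentResourceNotFound ... Parent resource '<vault>' not found" error
# hit by the failover template's access child template.
set -euo pipefail

# Extract the vault name from a Key Vault secret identifier, e.g.
#   https://giroux-kv3.vault.azure.net/secrets/my-bigip-password/<version>
# yields "giroux-kv3". Returns 1 if the URL is not a vault.azure.net secret URL.
vault_name_from_secret_id() {
  local url="$1" host
  host="${url#https://}"   # strip scheme
  host="${host%%/*}"       # keep only the host part
  case "$host" in
    *.vault.azure.net) printf '%s\n' "${host%%.vault.azure.net}" ;;
    *) return 1 ;;
  esac
}

# Compare the vault's resource group with the deployment resource group.
# Azure resource-group names are case-insensitive, so compare lower-cased.
check_vault_in_deployment_rg() {
  local vault_rg="$1" deploy_rg="$2" a b
  a="$(printf '%s' "$vault_rg"  | tr '[:upper:]' '[:lower:]')"
  b="$(printf '%s' "$deploy_rg" | tr '[:upper:]' '[:lower:]')"
  [ "$a" = "$b" ]
}

# preflight <secretID URL> <deployment resource group>
# Exit 0 if the vault lives in the deployment RG (the nested accessPolicies/add
# resource will resolve), 1 if it lives elsewhere (it will fail), 2 on bad input.
preflight() {
  local secret_id="$1" deploy_rg="$2" vault vault_rg
  if ! vault="$(vault_name_from_secret_id "$secret_id")"; then
    echo "preflight: '$secret_id' is not a Key Vault secret URL" >&2
    return 2
  fi
  # 'az keyvault show' without --resource-group resolves the vault by name
  # across the subscription; the resourceGroup field is where it really is.
  vault_rg="$(az keyvault show --name "$vault" --query resourceGroup -o tsv)"
  if check_vault_in_deployment_rg "$vault_rg" "$deploy_rg"; then
    echo "preflight: vault '$vault' is in '$deploy_rg'; accessPolicies/add will resolve"
    return 0
  fi
  echo "preflight: vault '$vault' is in RG '$vault_rg', but the deployment targets '$deploy_rg'." >&2
  echo "preflight: the RG-scoped accessPolicies/add resource will fail with ParentResourceNotFound." >&2
  echo "preflight: create the vault in '$deploy_rg' (see the workaround) or deploy into '$vault_rg'." >&2
  return 1
}

# Usage (assumed names):
#   ./preflight.sh https://giroux-kv3.vault.azure.net/secrets/my-bigip-password/0123 girouxha5
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Run it with the same secretID and resource group you are about to pass to the failover template; a non-zero exit is the signal that the deployment would hit the error above. The check deliberately lower-cases both names before comparing, since Azure treats resource-group names case-insensitively but string comparison in the shell does not.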

mikeshimkus commented 2 years ago

Created issue ESECLDTPLT-3135 for this.

shyawnkarim commented 2 years ago

Closing.

This issue was resolved with Release 2.4.0.0.