SecretNotFound error messages with two KeyVaults

[sriharim]

Hi,

Thanks for the module. I am using a latest version of this module.

I have an issue with warning messages regarding SecretNotFound .

I have added two key vaults in hiera.yaml

• name: 'Subscription Key Vault Secrets' lookup_key: azure_key_vault::lookup options: vault_name: "subscription_test" vault_api_version: '2016-10-01' metadata_api_version: '2018-04-02' key_replacement_token: '-' confine_to_keys:
  • "^.*-password$"
  • "^vm-.*"
  • "^svc-.*"
  • "^.*-key$"
    • name: 'Platform Key Vault Secrets' lookup_key: azure_key_vault::lookup options: vault_name: "platform_test" vault_api_version: '2016-10-01' metadata_api_version: '2018-04-02' key_replacement_token: '-' confine_to_keys:
  • "^.*-password$"
  • "^vm-.*"
  • "^svc-.*"
  • "^.*-key$"

Calling secrets from hierdata - choco_password: "%{lookup('chocolatey-password')}"

chocolatey-password password is configured in Platform Key Vault Secrets

• While puppet run, if value is not found in Subscription Key Vault Secret. it is sending below warning message to puppetserver.log 2022-05-27T11:52:05.758+01:00 WARN [qtp742071835-1131] [puppetserver] Puppet {"error":{"code":"SecretNotFound","message":"A secret with (name/id) domain-join-password was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"}}

Any chance to modify this behaviour, check secrets in both KeyVaults. If not found secrets in both KeyVaults, then need to trigger the warning message.

Thanks, Hari

[TraGicCode]

Hey @sriharim ,

I'm sorry for responding so late to this as i didn't see any notifications for this github issue.

It looks like when a secret is not found in a vault, the code is throwing an exception which is causing it to be logged as a warning as shown in the below permalinks.

Exception thrown https://github.com/TraGicCode/tragiccode-azure_key_vault/blob/f08d3313b53fe3031ce0bb0d13e918601b6b38e1/lib/puppet_x/tragiccode/azure.rb#L30

Log as warning https://github.com/TraGicCode/tragiccode-azure_key_vault/blob/f08d3313b53fe3031ce0bb0d13e918601b6b38e1/lib/puppet/functions/azure_key_vault/lookup.rb#L48-L50

I believe i can fix this by simply checking for 404 not found returned by the azure key vault and not throwing an exception. I will see what i can come up and create a PR.

Would you be available to test this once it's done?

[TraGicCode]

Fixed in #88