hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for Container Group private Key Vault #19741

Open tschechniker opened 1 year ago

tschechniker commented 1 year ago

Description

Currently the API Version 2021-10-01 is used in the container group resource. The Version 2021-10-01 does not support adding a private Key Vault to the container group. Please update to at least Version 2022-09-01:

https://learn.microsoft.com/azure/container-instances/container-instances-encrypt-data#modify-your-json-deployment-template-1

New or Affected Resource(s)/Data Source(s)

azurerm_container_group

Potential Terraform Configuration

No response

References

https://learn.microsoft.com/azure/container-instances/container-instances-encrypt-data

sinbai commented 1 year ago

@tschechniker thanks for opening this issue. Per doc , it seems that the private key vault is already supported. Do you mean the identity is not supported?

tschechniker commented 1 year ago

@sinbai no, a private keyvault (a keyvault which is only accessible over its private endpoint) is currently not supported. You can add a keyvault to use CMK, but the Keyvault needs to be publicly accessible (otherwise you will see this error: Code="MasterKeyNotAccessibleException" Message="The key vault key is not found to unwrap the encryption key."). If you want to use a private Keyvault with network ACL set to bypass AzureServices, you have to create the container group using API Version 2022-09-01 and add the identity to the encryption block.
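
The difference between the two API versions described above, as an added example that is not part of the issue thread or of the provider's code: a small Python helper that builds the ARM/REST resource body for a container group with customer-managed-key encryption and a preflight check that flags the combination the comment warns about (private Key Vault with an API version that has no `encryptionProperties.identity`, or a new enough version with the identity left out). The property names `encryptionProperties`, `vaultBaseUrl`, `keyName`, `keyVersion` and `identity` follow the linked Microsoft deployment-template doc; the resource names, Key Vault URL and identity resource ID are constructed sample values.

```python
"""Preflight check for an ACI container group body that uses a customer-managed key.

Added example (not the provider's code). Assumptions are labelled in comments.
"""

# Oldest ACI API version whose encryptionProperties block accepts an `identity`
# (from the thread and the linked Microsoft doc). Older versions can only use a
# Key Vault that is reachable publicly.
MIN_API_VERSION_WITH_KV_IDENTITY = "2022-09-01"


def _version_key(api_version: str) -> tuple:
    """Turn 'YYYY-MM-DD' into a comparable tuple."""
    return tuple(int(part) for part in api_version.split("-"))


def build_container_group(name, location, image, key_vault_url, key_name,
                          key_version, user_assigned_identity_id=None,
                          api_version=MIN_API_VERSION_WITH_KV_IDENTITY):
    """Return an ARM-style resource dict for a Linux container group with CMK.

    The identity is placed in encryptionProperties only when the API version
    supports it; older versions would reject the property.
    """
    encryption = {"vaultBaseUrl": key_vault_url, "keyName": key_name,
                  "keyVersion": key_version}
    resource = {
        "type": "Microsoft.ContainerInstance/containerGroups",
        "apiVersion": api_version,
        "name": name,
        "location": location,
        "properties": {
            "osType": "Linux",
            "containers": [{"name": name, "properties": {
                "image": image,
                "resources": {"requests": {"cpu": 1, "memoryInGB": 1.5}}}}],
            "encryptionProperties": encryption,
        },
    }
    if user_assigned_identity_id:
        resource["identity"] = {"type": "UserAssigned",
                                "userAssignedIdentities": {user_assigned_identity_id: {}}}
        if _version_key(api_version) >= _version_key(MIN_API_VERSION_WITH_KV_IDENTITY):
            encryption["identity"] = user_assigned_identity_id
    return resource


def check_cmk_config(resource, key_vault_is_private):
    """Return a list of findings; an empty list means the body is consistent.

    key_vault_is_private: True when the vault is reachable only via private
    endpoint / network ACL with bypass AzureServices.
    """
    findings = []
    enc = resource.get("properties", {}).get("encryptionProperties")
    if enc is None:
        return findings  # no CMK configured, nothing to check
    api_version = resource["apiVersion"]
    identity_in_block = enc.get("identity")
    if key_vault_is_private:
        if _version_key(api_version) < _version_key(MIN_API_VERSION_WITH_KV_IDENTITY):
            findings.append(
                f"apiVersion {api_version} has no encryptionProperties.identity; a private "
                "Key Vault cannot be reached to unwrap the key (MasterKeyNotAccessibleException)")
        elif not identity_in_block:
            findings.append(
                "private Key Vault requires encryptionProperties.identity to be set")
    if identity_in_block:
        assigned = resource.get("identity", {}).get("userAssignedIdentities", {})
        if identity_in_block not in assigned:
            findings.append(
                "encryptionProperties.identity is not assigned to the container group")
    return findings


# Constructed sample values (not real resources).
SAMPLE_IDENTITY = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                   "rg-lab/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aci")
SAMPLE_KV_URL = "https://kv-lab.vault.azure.net/"

if __name__ == "__main__":
    good = build_container_group("aci-lab", "westeurope", "nginx:latest",
                                 SAMPLE_KV_URL, "cmk", "0123", SAMPLE_IDENTITY)
    old = build_container_group("aci-lab", "westeurope", "nginx:latest",
                                SAMPLE_KV_URL, "cmk", "0123", SAMPLE_IDENTITY,
                                api_version="2021-10-01")
    for label, body in (("2022-09-01", good), ("2021-10-01", old)):
        print(label, check_cmk_config(body, key_vault_is_private=True) or "ok")
```

Run it as a script to see the two outcomes side by side; the check is intentionally independent of Azure, so it can be applied to a rendered template before a deployment is attempted.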

phoehnel commented 1 year ago

I can confirm this is still an issue in hashicorp/azurerm v3.75.0. Strangely, it should actually work, since in #22804 @tombuildsstuff merged the update to the 2023-05-01 API-Version for Container Apps, which should support the feature.

Nevertheless, deploying the same configuration without CMK works; when I enable CMK I get the following error. Note that the error message is different from the initial "MasterKeyNotAccessibleException".

│ Error: creating Container Group (Subscription: "1234"
│ Resource Group Name: "rg-xxx-lab"
│ Container Group Name: "aci-xxx-lab"): performing ContainerGroupsCreateOrUpdate: containerinstance.ContainerInstanceClient#ContainerGroupsCreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="Failed" Message="The async operation failed."
│ 
│   with module.workload.module.aci[0].azurerm_container_group.this,

Noteworthy, that currently this also does not work for me using the Azure Portal. It seems that, at least for me, the portal uses an API Version from 2019 by default, resulting in an error with a different message.


phoehnel commented 1 year ago

Update: Something around Container Instances seems incredibly unreliable. I have made tests in which the same terraform configuration would apply successfully 10+ times, then without any change fail with the above async error for a couple of times, and then again work. Since that's about the only error I ever got, it's also hard to debug this, as you can't tell if an error is related to the configuration or it's just random.

Nevertheless, I narrowed the problem down by never getting a successful deployment using a Private Premium KeyVault in combination with an RSA-HSM key. Using a Private Standard KeyVault with an RSA key I managed to deploy successfully a couple of times.

Noteworthy that we now have 3 ACI instances in our tenant which are listed in the RG/Subscription, but if you click on them you'll get a 404. Seems like, at least for us, everything around ACI isn't as stable as you might expect.