Open tschechniker opened 1 year ago
@sinbai no, a private keyvault (a keyvault which is only accessible over its private endpoint) is currently not supported. You can add a keyvault to use CMK but the Keyvault needs to be publicly accessible (Otherwise you will see this error: Code="MasterKeyNotAccessibleException" Message="The key vault key is not found to unwrap the encryption key.") If you want to use a private Keyvault with network acl set to bypass AzureServices you have to create the container group using API Version 2022-09-01 and add the identity to the encryption block.
I can confirm this is still an issue in hashicorp/azurerm v3.75.0. Strange is that it should actually work, since in #22804 @tombuildsstuff merged the update to the 2023-05-01 API-Version for Container Apps which should support the feature.
Nevertheless, deploying the same configuration without CMK works; when I enable CMK I get the following error. Note that the error message is different from the initial "MasterKeyNotAccessibleException".
```
│ Error: creating Container Group (Subscription: "1234"
│ Resource Group Name: "rg-xxx-lab"
│ Container Group Name: "aci-xxx-lab"): performing ContainerGroupsCreateOrUpdate: containerinstance.ContainerInstanceClient#ContainerGroupsCreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="Failed" Message="The async operation failed."
│
│ with module.workload.module.aci[0].azurerm_container_group.this,
```
Noteworthy that currently this also does not work for me using the Azure Portal. It seems that, at least for me, the portal uses an API Version from 2019 by default, resulting in an error with a different message.
Update: Something around Container Instances seems incredibly unreliable. I have made tests in which the same terraform configuration would apply successfully 10+ times, then without any change fail with the above async error for a couple of times, and then again work. Since that's about the only error I ever got, it's also hard to debug this as you can't tell if an error is related to the configuration or it's just random.
Nevertheless, I narrowed the problem down by never getting a successful deployment using a Private Premium KeyVault in combination with an RSA-HSM key. Using a Private Standard-KeyVault with an RSA-Key I managed to deploy successfully a couple of times.
Noteworthy that we now have 3 ACI-Instances in our tenant which are listed in the RG/Subscription, but if you click on them you'll get a 404. Seems like - at least for us - everything around ACI isn't as stable as you might expect.
Description
Currently the API Version 2021-10-01 is used in the container group resource. Version 2021-10-01 does not support adding a private Key Vault to the container group. Please update to at least Version 2022-09-01:
https://learn.microsoft.com/azure/container-instances/container-instances-encrypt-data#modify-your-json-deployment-template-1
New or Affected Resource(s)/Data Source(s)
azurerm_container_group
Potential Terraform Configuration
No response
References
https://learn.microsoft.com/azure/container-instances/container-instances-encrypt-data
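As an added example (not from this thread or the provider's code), this is the shape of the JSON deployment template that the linked document describes for a private Key Vault: apiVersion 2022-09-01, a user-assigned identity attached to the container group, and that same identity referenced inside encryptionProperties so the service can unwrap the key through the vault's AzureServices bypass. All subscription, resource group, identity, vault, key and image values are placeholders to replace.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2022-09-01",
      "name": "aci-cmk-example",
      "location": "westeurope",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<IDENTITY_NAME>": {}
        }
      },
      "properties": {
        "osType": "Linux",
        "containers": [
          {
            "name": "app",
            "properties": {
              "image": "<CONTAINER_IMAGE>",
              "resources": {
                "requests": { "cpu": 1, "memoryInGB": 1.5 }
              }
            }
          }
        ],
        "encryptionProperties": {
          "vaultBaseUrl": "https://<KEYVAULT_NAME>.vault.azure.net/",
          "keyName": "<KEY_NAME>",
          "keyVersion": "<KEY_VERSION>",
          "identity": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<IDENTITY_NAME>"
        }
      }
    }
  ]
}
```

The identity still needs unwrap/wrap permission on the key, and the vault's network rules must allow trusted Azure services; without either you get the MasterKeyNotAccessibleException quoted above.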