Open sergiomcalzada opened 1 year ago
Thanks @sergiomcalzada for raising this issue. May I know if you were trying to link a certificate from a key vault which exists in a different subscription than the signalr service? I see that you mentioned that the certificate seems to be added successfully to the signalR service in the azure portal, but terraform crashed when it was trying to set the resource back to state?
Hi @xiaxyi. Yes, the key vault and the signalr service are in different subscriptions. Indeed the "azurerm_signalr_service_custom_certificate" is created by terraform, but it fails to read back the secret (or something), it is not added to the state file, and the end result is a panic. Indeed I can see how it makes a request to get the keyvault by name but with the wrong subscription_id. I suppose, from the code, that as the parameter for the certificate has the key vault name, it tries to find it to get back some more info, assuming the subscription_id from the signalR service. Maybe an optional parameter to specify the key_vault_id (or key_vault_subscription_id) when it is hosted in a different subscription can fix it.
Yes, manually or even with the CLI we can link the certificate.
Hi,
any update on this one?
Thanks @sergiomcalzada for the update. I checked the provider code; indeed, we need to add a nil check for the key vault pointer when getting the key vault. However, it seems your issue cannot be resolved by fixing the crash alone, since we still return an error if anything goes wrong fetching the key vault.
We are getting the key vault by base URL, as in the code below:

```go
// Resolve the key vault's ARM resource ID from its base URL. When the lookup
// finds nothing, keyVaultIdRaw is a nil pointer, and the dereference below
// currently has no nil check in front of it.
keyVaultIdRaw, err := keyVaultClient.KeyVaultIDFromBaseUrl(ctx, resourcesClient, vaultBasedUri)
if err != nil {
	return fmt.Errorf("getting key vault base uri from %s: %+v", id, err)
}
vaultId, err := commonids.ParseKeyVaultID(*keyVaultIdRaw)
if err != nil {
	return fmt.Errorf("parsing key vault %s: %+v", vaultId, err)
}
```

I assume there might be a permission or other issue when getting the cert from the key vault during creation, as we also use the cert id (it looks like: "id": "https://xiaxintestkeyvault.vault.azure.net/certificates/xiaxintestcert/9a12b1c19xxxf5044") to locate the cert, instead of the name:

```go
// Split the configured custom_certificate_id into the vault base URL and the
// certificate (secret) name used for the later lookups.
keyVaultCertificateId, err := keyVaultParse.ParseOptionallyVersionedNestedItemID(metadata.ResourceData.Get("custom_certificate_id").(string))
if err != nil {
	return fmt.Errorf("parsing custom certificate id error: %+v", err)
}
keyVaultUri := keyVaultCertificateId.KeyVaultBaseUrl
keyVaultSecretName := keyVaultCertificateId.Name
```
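As an added, self-contained illustration of the failure shape discussed in this thread (not code from the terraform-provider-azurerm project): a certificate identifier in the form quoted above is split into vault base URL and name, a vault lookup scoped to one subscription returns a nil pointer when the vault is not visible there, and the unchecked dereference panics, while the hardened variant nil-checks the result and tries each candidate subscription in turn (the SignalR service's own, then an explicitly configured one, as the reporter proposes). `vaultIndex`, `ParseCertificateID`, `ResolveVaultIDUnchecked` and `ResolveVaultID` are hypothetical stand-ins for the Resources API and the provider's helpers; the subscription names and the ARM resource ID are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// CertificateID is the parsed form of a Key Vault certificate identifier such as
// https://<vault>.vault.azure.net/certificates/<name>/<version>.
type CertificateID struct {
	KeyVaultBaseURL string // scheme and host only, e.g. https://myvault.vault.azure.net
	Name            string
	Version         string // empty for an unversioned identifier
}

// ParseCertificateID splits an optionally versioned certificate identifier into
// vault base URL, certificate name and version. Hypothetical helper; it is not
// the provider's ParseOptionallyVersionedNestedItemID.
func ParseCertificateID(raw string) (*CertificateID, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parsing %q: %w", raw, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("%q is not an https key vault URL", raw)
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "certificates" || parts[1] == "" {
		return nil, fmt.Errorf("%q: expected path /certificates/<name>[/<version>]", raw)
	}
	id := &CertificateID{KeyVaultBaseURL: u.Scheme + "://" + u.Host, Name: parts[1]}
	if len(parts) == 3 {
		id.Version = parts[2]
	}
	return id, nil
}

// vaultIndex is a constructed stand-in for the Resources API: the vaults visible
// in each subscription, keyed by vault base URL, mapped to their ARM resource IDs.
type vaultIndex map[string]map[string]string

// lookup mimics a "find vault by base URL" call scoped to one subscription.
// A vault that is not visible in that subscription yields (nil, nil), not an error.
func (v vaultIndex) lookup(subscriptionID, baseURL string) (*string, error) {
	if armID, ok := v[subscriptionID][baseURL]; ok {
		return &armID, nil
	}
	return nil, nil
}

// ResolveVaultIDUnchecked is the failure mode from the thread: the result pointer
// is dereferenced without a nil check, so a vault in another subscription panics.
// The deferred recover exists only so the crash can be observed as an error value.
func ResolveVaultIDUnchecked(v vaultIndex, subscriptionID, baseURL string) (armID string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	raw, err := v.lookup(subscriptionID, baseURL)
	if err != nil {
		return "", err
	}
	return *raw, nil // nil pointer dereference when the vault lives elsewhere
}

var ErrVaultNotFound = errors.New("key vault not found")

// ResolveVaultID is the hardened form: it checks the pointer and tries each
// candidate subscription in order, so the caller can pass the SignalR service's
// subscription first and an explicitly configured vault subscription second.
func ResolveVaultID(v vaultIndex, baseURL string, subscriptionIDs ...string) (string, error) {
	for _, sub := range subscriptionIDs {
		raw, err := v.lookup(sub, baseURL)
		if err != nil {
			return "", fmt.Errorf("looking up %s in subscription %s: %w", baseURL, sub, err)
		}
		if raw == nil {
			continue // not visible in this subscription; try the next one
		}
		return *raw, nil
	}
	return "", fmt.Errorf("%w: %s is not visible in subscriptions %v", ErrVaultNotFound, baseURL, subscriptionIDs)
}

func main() {
	// Constructed data: the vault lives in sub-kv, the SignalR service in sub-signalr.
	idx := vaultIndex{
		"sub-kv": {"https://xiaxintestkeyvault.vault.azure.net": "/subscriptions/sub-kv/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/xiaxintestkeyvault"},
	}
	cert, err := ParseCertificateID("https://xiaxintestkeyvault.vault.azure.net/certificates/xiaxintestcert/9a12b1c19xxxf5044")
	if err != nil {
		panic(err)
	}
	_, err = ResolveVaultIDUnchecked(idx, "sub-signalr", cert.KeyVaultBaseURL)
	fmt.Println("unchecked:", err)
	armID, err := ResolveVaultID(idx, cert.KeyVaultBaseURL, "sub-signalr", "sub-kv")
	fmt.Println("checked:", armID, err)
}
```

The point of the hardened variant is not only the nil check: once the lookup is allowed to fail cleanly, the caller needs some way to name the vault's subscription, which is why an explicit key vault ID or subscription argument, as suggested earlier in the thread, has to accompany the crash fix.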
Hi,
I totally understand that it is not only about fixing the null pointer; the kv and cert should be resolved in a different way.
Any ETA for fixing it?
Thanks @sergiomcalzada for the update. The terraform provider is trying to locate the key vault by its base URL, not just the name, and the kv cannot be found by the endpoint you provided. Would you mind trying to do the same operation with the azure API to see if the kv can be connected?
Hi @xiaxyi
I have tested with the portal and it works properly, so the az API should work too. We will test it this week and will confirm that it also works.
Kind regards, Sergio
Hi,
any news on this topic?
It's impossible to create a custom domain on SignalR with Terraform.
Regarding the permission, it's done by the managed identity
Terraform Version
1.4.6
AzureRM Provider Version
3.71.0
Affected Resource(s)/Data Source(s)
azurerm_signalr_service_custom_certificate
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
The custom certificate is added to the signalr service in azure and the command does not fail.
Actual Behaviour
The custom certificate is added to the signalr service in azure, but terraform crashes with a panic.
Steps to Reproduce
Use a certificate that is hosted in a KeyVault that is not located in the same subscription
Important Factoids
No response
References
No response