hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded (with module.azureKeyVault.azurerm_key_vault.keyvault-dev, in resource "azurerm_key_vault") #26094

Open sreejith-3 opened 2 months ago

sreejith-3 commented 2 months ago



While creating an Azure Key Vault that is to be reached through a private endpoint, the apply fails with the error above (the provider's `GetCertificateContacts` request times out), which I believe may be a provider bug.

Terraform Version

1.8.3

AzureRM Provider Version

3.103.1

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

# Configure the Azure provider
provider "azurerm" {
  # An (even empty) `features {}` block is required by the azurerm provider.
  # No `required_providers` version pin is visible in this listing; the report
  # states provider 3.103.1 on Terraform 1.8.3 -- pin those in a `terraform {}`
  # block if the module does not already, so the reproduction is deterministic.
  features {}
}

# Data source to fetch current client configuration
# (the identity Terraform is running as). In this configuration only its
# `subscription_id` is used, to build the resource-group scope of the
# custom role definition below.
data "azurerm_client_config" "current" {}

# Create the Key Vault
resource "azurerm_key_vault" "keyvault-dev" {
  # --- identity / placement ---
  # "keyvaultname" is a placeholder from the report; the real value becomes
  # the public host <name>.vault.azure.net and so has to be globally unique.
  name                = "keyvaultname"
  resource_group_name = var.resource_group_name
  location            = var.location
  tenant_id           = var.tenant_id
  sku_name            = var.key_vault_sku

  # --- authorization ---
  # Azure RBAC instead of vault access policies. NOTE(review): the identity
  # running Terraform then needs a data-plane role on the vault as well, since
  # the provider reads the vault's certificate contacts over the data plane
  # (the GetCertificateContacts call in the reported error) while managing
  # this resource.
  enable_rbac_authorization = true

  # --- data protection ---
  # Shortest soft-delete retention, plus purge protection (Azure does not let
  # purge protection be switched off again once set).
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # --- platform integrations allowed to read from the vault ---
  enabled_for_deployment          = true
  enabled_for_disk_encryption     = true
  enabled_for_template_deployment = true

  # NOTE(review): neither network_acls nor public_network_access_enabled is
  # set, so the vault stays reachable from the public internet despite the
  # private endpoint created further down. The data-plane request in the
  # error goes to the public FQDN unless the client resolves the name through
  # the VNet-linked private zone -- in which case it needs a network path to
  # the endpoint's private IP, or it times out exactly as reported.

  # Long operation timeouts; they most likely do not help here, because the
  # reported failure is a connectivity timeout on a single data-plane call.
  timeouts {
    create = "1h"
    update = "1h"
    delete = "1h"
  }
}

# Data source to fetch the existing Virtual Network
# (lives in a separate resource group, var.resource_group_name_vnet). Its
# `name` feeds the subnet lookup and its `id` the private DNS zone link below.
data "azurerm_virtual_network" "existing_vnet" {
  name                = "vnetname" # placeholder from the report
  resource_group_name = var.resource_group_name_vnet
}

# Define a data source for the existing resource group
# NOTE(review): looked up but not referenced anywhere else in the listing as
# posted -- the role definition rebuilds the same resource-group ID by hand
# from the subscription ID and var.resource_group_name, where this data
# source's `.id` would do. The identifier also still embeds an organisation
# name although the report says identifying values were renamed.
data "azurerm_resource_group" "dev_neogenomics_rg" {
  name = var.resource_group_name
}

# Data source to fetch the existing Subnet
# (inside the VNet resolved above). Its `id` is where the private endpoint's
# network interface is placed.
data "azurerm_subnet" "existing-subnet" {
  name                 = "subnetname" # placeholder from the report
  virtual_network_name = data.azurerm_virtual_network.existing_vnet.name
  resource_group_name  = var.resource_group_name_vnet
}

# Create a Private Endpoint for the Key Vault
resource "azurerm_private_endpoint" "kv-esp-endpoint" {
  name                = "kv-dev-private-endpoint"
  resource_group_name = var.resource_group_name
  location            = var.location

  # The endpoint's NIC is placed in the existing subnet looked up above.
  subnet_id = data.azurerm_subnet.existing-subnet.id

  # Connection to the vault's "vault" sub-resource, requested with
  # auto-approval (is_manual_connection = false). The private IP the endpoint
  # receives is published in DNS by the separate A-record resource further
  # down; no private_dns_zone_group is declared here, so Azure does not
  # maintain that record itself.
  private_service_connection {
    name                           = "kv-dev-privateserviceconnection"
    private_connection_resource_id = azurerm_key_vault.keyvault-dev.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }
}

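# Create a Private DNS Zone
resource "azurerm_private_dns_zone" "kv-privatedns-zone" {
  # Key Vault private link resolves through the well-known zone
  # privatelink.vaultcore.azure.net: <vault>.vault.azure.net is a CNAME to
  # <vault>.privatelink.vaultcore.azure.net. A zone with any other name -- the
  # original used "privatelink.esp.vaultcore.azure.net" -- is never consulted,
  # so clients keep resolving the vault's public IP and traffic bypasses the
  # private endpoint entirely. (If "esp" was only a redaction artefact, the
  # requirement still stands: the name must be exactly this zone.)
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = var.resource_group_name
}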

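# Link the DNS Zone to the Virtual Network
resource "azurerm_private_dns_zone_virtual_network_link" "kv-dev-network-link" {
  name                = "kv-dev-dnszone-vnet-link"
  resource_group_name = var.resource_group_name
  # Must reference the zone resource actually declared in this configuration
  # (azurerm_private_dns_zone.kv-privatedns-zone). The original pointed at an
  # undeclared "kv-dev-privatedns-zone", which fails at plan time.
  private_dns_zone_name = azurerm_private_dns_zone.kv-privatedns-zone.name
  virtual_network_id    = data.azurerm_virtual_network.existing_vnet.id
  # NOTE(review): only resolvers inside this VNet (or forwarding to it) see the
  # private record. A Terraform runner outside it keeps resolving the public
  # endpoint; a runner inside it must be able to reach the private IP.
}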

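# Create DNS A record for the Private Endpoint
resource "azurerm_private_dns_a_record" "kv-dns-a-record" {
  # The record name has to be the vault's own name: clients query
  # <vault>.vault.azure.net, which CNAMEs to <vault>.privatelink.vaultcore.azure.net,
  # so only a record named after the vault is ever looked up. The original
  # name "kv-dev-dns-a-record" would never be hit and the private endpoint
  # would go unused. (Alternative: drop this resource and add a
  # private_dns_zone_group block to the endpoint, which maintains the record
  # automatically.)
  name                = azurerm_key_vault.keyvault-dev.name
  # The original referenced an undeclared zone ("kv-esp-privatedns-zone").
  zone_name           = azurerm_private_dns_zone.kv-privatedns-zone.name
  resource_group_name = var.resource_group_name
  ttl                 = 300
  # Private IP allocated to the endpoint's network interface.
  records             = [azurerm_private_endpoint.kv-esp-endpoint.private_service_connection[0].private_ip_address]
}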

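# Define a custom role
#
# NOTE(review): this is a wide, composite role. It is assigned further down at
# Key Vault scope only, where just the Microsoft.KeyVault entries can take
# effect -- but assignable_scopes covers the whole resource group, so any
# later assignment at RG scope grants everything listed. Entries worth a
# second look before that happens are tagged CREDS (returns keys, secrets or
# credentials) and EXEC (lets the holder run code on machines in scope).
#
# Changes from the original: exact and case-only duplicates removed (Azure
# action strings are case-insensitive), entries already covered by a sibling
# "<prefix>/*" wildcard removed, and the resource-group scope taken from the
# existing data source instead of being rebuilt by hand. The effective
# permission set is unchanged. The description string is left as posted; it
# no longer matches the list and still names an internal environment.
resource "azurerm_role_definition" "custom_role" {
  # Placeholder from the report. This must be a GUID; omit the attribute and
  # the provider generates one.
  role_definition_id = "idhere"
  name               = "some_name"
  description        = "KV Secrets Officer, Automation Contrib, Service Bus Data Owner, Logic App Contrib, Log Analytics Contrib, Monitoring Contrib, Workbook Contrib, Api Mgmt Contributor, Logic App Std Developer scoped to Neo-Dev / rg-name"
  # Same ID the original assembled from subscription_id + var.resource_group_name.
  scope              = data.azurerm_resource_group.dev_neogenomics_rg.id

  permissions {
    actions = [
      # Alerts / monitoring / Application Insights
      "Microsoft.AlertsManagement/actionRules/*",
      "Microsoft.AlertsManagement/alerts/*",
      "Microsoft.AlertsManagement/alertsSummary/*",
      "Microsoft.AlertsManagement/investigations/*",
      "Microsoft.AlertsManagement/migrateFromSmartDetection/*",
      "Microsoft.AlertsManagement/smartDetectorAlertRules/*",
      "Microsoft.AlertsManagement/smartGroups/*",
      "Microsoft.Insights/ActionGroups/*",
      "Microsoft.Insights/ActivityLogAlerts/*",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.Insights/components/*",
      "Microsoft.Insights/createNotifications/*",
      "Microsoft.Insights/dataCollectionEndpoints/*",
      "Microsoft.Insights/dataCollectionRuleAssociations/*",
      "Microsoft.Insights/dataCollectionRules/*",
      "Microsoft.Insights/diagnosticSettings/*",
      "Microsoft.Insights/eventtypes/*",
      "Microsoft.Insights/logdefinitions/*",
      "Microsoft.Insights/MetricAlerts/*",
      "Microsoft.Insights/MetricDefinitions/*",
      "Microsoft.Insights/Metrics/*",
      "Microsoft.Insights/notificationStatus/*",
      "Microsoft.Insights/privateLinkScopeOperationStatuses/*",
      "Microsoft.Insights/privateLinkScopes/*",
      "Microsoft.Insights/Register/Action",
      "Microsoft.Insights/scheduledqueryrules/*",
      "Microsoft.Insights/webtests/*",
      "Microsoft.Insights/workbooks/*",
      "Microsoft.Insights/workbooktemplates/*",
      "Microsoft.Monitor/investigations/*",
      # Log Analytics: the wildcard also covers workspaces/sharedKeys/action (CREDS)
      "Microsoft.OperationalInsights/*",
      "Microsoft.OperationsManagement/*",
      "Microsoft.ResourceHealth/availabilityStatuses/read",

      # API Management -- full control of the service (CREDS: includes key/secret listing)
      "Microsoft.ApiManagement/service/*",

      # Automation -- full control (CREDS: account credentials/certificates; EXEC: runbooks)
      "Microsoft.Automation/automationAccounts/*",

      # VM / Arc extensions -- EXEC: writing an extension runs arbitrary code
      # as SYSTEM/root on every machine in scope
      "Microsoft.ClassicCompute/virtualMachines/extensions/*",
      "Microsoft.Compute/virtualMachines/extensions/*",
      "Microsoft.HybridCompute/machines/extensions/write",

      # Read-only view of RBAC
      "Microsoft.Authorization/*/read",

      # Key Vault management plane, read-only (data rights are in data_actions)
      "Microsoft.KeyVault/checkNameAvailability/read",
      "Microsoft.KeyVault/deletedVaults/read",
      "Microsoft.KeyVault/locations/*/read",
      "Microsoft.KeyVault/operations/read",
      "Microsoft.KeyVault/vaults/*/read",

      # Logic Apps -- full control (covers enable/disable/validate actions)
      "Microsoft.Logic/*",

      # Deployments -- can submit ARM templates at RG scope
      "Microsoft.Resources/deployments/*",
      "Microsoft.Resources/subscriptions/operationresults/read",
      "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",

      # Service Bus -- full control (CREDS: listKeys/regenerateKeys)
      "Microsoft.ServiceBus/*",

      # Storage -- CREDS: listKeys returns the account keys
      "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
      "Microsoft.ClassicStorage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/write",
      "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/write",
      "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",

      # App Service / Logic App Standard
      "Microsoft.Web/*/read",
      "Microsoft.Web/connectionGateways/*",
      "Microsoft.Web/connections/*",
      "Microsoft.Web/customApis/*",
      "Microsoft.Web/serverFarms/join/action",
      "Microsoft.Web/serverFarms/read",
      "Microsoft.Web/ServerFarms/write",
      "Microsoft.Web/sites/config/list/Action", # CREDS: app settings and connection strings
      "microsoft.web/sites/config/Write",
      "microsoft.web/sites/config/web/appsettings/delete",
      "microsoft.web/sites/config/web/appsettings/write",
      "microsoft.web/sites/deployWorkflowArtifacts/action",
      "microsoft.web/sites/hostruntime/*",
      "microsoft.web/sites/listworkflowsconnections/action",
      "Microsoft.Web/sites/publish/Action", # CREDS: publishing profile
      "microsoft.web/sites/slots/config/appsettings/write",
      "Microsoft.Web/sites/slots/config/list/Action", # CREDS
      "microsoft.web/sites/slots/config/web/appsettings/delete",
      "microsoft.web/sites/slots/deployWorkflowArtifacts/action",
      "microsoft.web/sites/slots/listworkflowsconnections/action",
      "Microsoft.Web/sites/slots/publish/Action", # CREDS
      "microsoft.web/sites/workflows/*",
      "microsoft.web/sites/workflowsconfiguration/*",
      "Microsoft.Web/sites/basicPublishingCredentialsPolicies/write",
      "Microsoft.Web/sites/functions/listSecrets/action", # CREDS: function keys
      "Microsoft.Web/Sites/write"
    ]

    data_actions = [
      # Full control of keys, rotation policies and secrets in any vault in
      # scope (purge of this vault is still blocked by purge protection).
      "Microsoft.KeyVault/vaults/keys/*",
      "Microsoft.KeyVault/vaults/keyrotationpolicies/*",
      "Microsoft.KeyVault/vaults/secrets/*",
      # Service Bus data-plane owner (send/receive/manage)
      "Microsoft.ServiceBus/*",
      # Blob data read/write/delete/move/add
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
    ]

    not_actions      = []
    not_data_actions = []
  }

  # The role can be assigned anywhere within this resource group.
  assignable_scopes = [
    data.azurerm_resource_group.dev_neogenomics_rg.id
  ]
}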

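# Assign the custom role to the user or group
resource "azurerm_role_assignment" "kv_role_assignment" {
  # Scoped to the vault only: of the role's management actions just the
  # Microsoft.KeyVault ones apply here, while its data actions give the
  # principal full keys/secrets rights on this vault.
  scope = azurerm_key_vault.keyvault-dev.id

  # Per the provider documentation, role_definition_id on an assignment takes
  # the full ARM resource ID of the definition
  # (.../providers/Microsoft.Authorization/roleDefinitions/<guid>), which
  # azurerm_role_definition exposes as role_definition_resource_id. The
  # original passed the bare GUID from the definition's role_definition_id
  # attribute, which is not a resource ID.
  role_definition_id = azurerm_role_definition.custom_role.role_definition_resource_id

  # Object ID of the user, group or service principal receiving the role.
  principal_id = var.object_id
}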

Debug Output/Panic Output

Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
│ 
│   with module.azureKeyVault.azurerm_key_vault.keyvault-dev,
│   on ..\modules\azureKeyVault\main.tf line 10, in resource "azurerm_key_vault" "keyvault-dev":
│   10: resource "azurerm_key_vault" "keyvault-dev" {
│

Expected Behaviour

Build the Key Vault, API Management, Logic Apps and Service Bus resources.

Actual Behaviour

Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded

  with module.azureKeyVault.azurerm_key_vault.keyvault-dev,
  on ..\modules\azureKeyVault\main.tf line 10, in resource "azurerm_key_vault" "keyvault-dev":
  10: resource "azurerm_key_vault" "keyvault-dev" {

Steps to Reproduce

I have renamed important things in there for privacy

Important Factoids

The Key Vault cannot be created; the apply fails on the `GetCertificateContacts` request shown above.

References

None beyond the error above (the Key Vault cannot be created).

GravityWolfNotAmused commented 1 month ago

I had the same issue, and the only way I could get a Key Vault created was by going back to provider version 2.59.0. It applies in ~2-3 minutes and destroys in ~10-11 minutes.