Open duzitong opened 3 weeks ago
Hi @duzitong, is this an occasional issue or a persistent one? Also, what type of authentication is being used in this run?
When the creation takes longer than 10 minutes, this issue always occurs. Because the first-time creation fails, the resource is tainted. A recreation often takes a shorter time (about 6 minutes), and then the creation succeeds.
I'm using OIDC auth by setting the token via the ARM_OIDC_TOKEN_FILE_PATH env var. I added a background job to refresh the token in the file. This token can be used to create super long-running resources.
Can you check whether the time is synced on your Terraform controller? If the time on the controller has a big drift, the token will become invalid.
Time is synced. As the error message shows, the token lifetime is 10 minutes. The creation fails after 10 minutes. I'm using Azure DevOps pipelines to run terraform apply. The service connection is created with federated identity, so the token is short-lived.
I added a job to refresh the OIDC token every 5 minutes in ARM_OIDC_TOKEN_FILE_PATH, but the azurerm provider doesn't pick up the latest token from the file.
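As an added diagnostic example (not code from this thread, the azurerm provider, or Azure DevOps): a small script that reads the token referenced by ARM_OIDC_TOKEN_FILE_PATH, decodes its `iat`/`exp` claims without verifying the signature, and reports whether the token will outlive an expected apply duration or whether the controller clock looks skewed relative to the issuer. The sample token it builds is constructed locally and unsigned; the 10-minute lifetime and the helper names are assumptions for illustration.

```python
import base64
import json
import os
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT.

    The signature is NOT checked: this is only for inspecting lifetime
    (iat/exp) on a controller, never for deciding whether to trust the token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime_report(token: str, now: float, expected_apply_seconds: float,
                          max_skew_seconds: float = 60.0) -> dict:
    """Compare the token's validity window with the expected apply duration."""
    claims = jwt_claims(token)
    iat = claims.get("iat")
    exp = claims["exp"]
    remaining = exp - now
    return {
        "lifetime_seconds": (exp - iat) if iat is not None else None,
        "remaining_seconds": remaining,
        "expired": remaining <= 0,
        # A token read once at the start of the run must last the whole apply
        "outlives_apply": remaining > expected_apply_seconds,
        # iat noticeably in the future means the local clock lags the issuer
        "skew_warning": iat is not None and now < iat - max_skew_seconds,
    }


def report_from_env(expected_apply_seconds: float) -> dict:
    """Read the token the azurerm provider would read and report on it."""
    path = os.environ["ARM_OIDC_TOKEN_FILE_PATH"]
    with open(path, encoding="utf-8") as fh:
        return token_lifetime_report(fh.read(), time.time(), expected_apply_seconds)


def make_unsigned_test_token(iat: int, exp: int) -> str:
    """Constructed sample token for offline testing: alg 'none', empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps({"iss": "https://issuer.example",
                                         "iat": iat, "exp": exp},
                                        separators=(",", ":")).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed scenario: 10-minute token, inspected 5 minutes in, 15-minute apply
    sample = make_unsigned_test_token(iat=1_000_000, exp=1_000_600)
    print(token_lifetime_report(sample, now=1_000_300, expected_apply_seconds=900))
```

In a pipeline you would call `report_from_env(expected_apply_seconds)` right before `terraform apply`; an `outlives_apply` of false is the situation described in this thread, where the provider reads the file once and the token expires mid-run regardless of how often the file is rewritten.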
@duzitong I suspect the issue might be with the authentication from the OIDC environment. Retrieving contact is a data-plane API and requires a callback to obtain the actual token for data-plane operations, if I remember correctly. I'll review the code later. Just out of curiosity, do you encounter this error when creating other long-running resources that take more than 10 minutes, or is it only with the key vault?
I didn't create any other long-running resources with the AzureRM provider. But I have created one resource with the azapi provider by refreshing the token in ARM_OIDC_TOKEN_FILE_PATH over 2 hours. The creation succeeds, but Terraform crashed when persisting the state.
Posted the issue: https://github.com/hashicorp/terraform/issues/35632
Appears to be a duplicate of #15894. In general it's for all supported auth types, not just ARM_OIDC_TOKEN_FILE_PATH.
The OIDC token for GitHub Actions is actually perfectly handled. Although refreshing the OIDC token from the file can solve the issue, handling token refreshing in the file is still an overhead.
It's better to implement a similar mechanism for Azure DevOps.
Terraform Version
1.9.5
AzureRM Provider Version
3.116.0
Affected Resource(s)/Data Source(s)
azurerm_key_vault
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
Key vault can be created
Actual Behaviour
Creation failed after 10 minutes.
Steps to Reproduce
terraform init
terraform apply
Important Factoids
No response
References
No response