hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded #27575

Open NagaSwamy473 opened 1 week ago

NagaSwamy473 commented 1 week ago

Terraform Version

1.9.3

AzureRM Provider Version

3.69.0

Affected Resource(s)/Data Source(s)

Azure Key Vault

Terraform Configuration Files

resource "azurerm_private_dns_zone" "keyvault" {
  name                = "eg${var.environment}-privatelink.vaultcore.azure.net"
  resource_group_name = data.azurerm_resource_group.global.name

  tags = local.default_tags
}

resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
  name                  = "eg${var.environment}-keyvault-private-dns-link"
  resource_group_name   = data.azurerm_resource_group.global.name
  private_dns_zone_name = azurerm_private_dns_zone.keyvault.name
  virtual_network_id    = data.azurerm_virtual_network.vnet.id
}

resource "azurerm_private_dns_zone_virtual_network_link" "vm_keyvault" {
  # Link names must be unique within a private DNS zone. The post reused
  # "eg${var.environment}-keyvault-private-dns-link" here, which collides
  # with the link above, so this one gets a distinct name.
  name                  = "eg${var.environment}-keyvault-vm-private-dns-link"
  resource_group_name   = data.azurerm_resource_group.global.name
  private_dns_zone_name = azurerm_private_dns_zone.keyvault.name
  virtual_network_id    = data.azurerm_virtual_network.vmvnet.id
}

resource "azurerm_private_endpoint" "keyvault" {
  name                = "eg${var.environment}-keyvault-pe"
  location            = var.location
  resource_group_name = data.azurerm_resource_group.global.name
  subnet_id           = "SNET"

  private_dns_zone_group {
    name                 = "privatednskeyvault"
    private_dns_zone_ids = [azurerm_private_dns_zone.keyvault.id]
  }

  private_service_connection {
    name                           = "eq${var.environment}-keyvault-privateserviceconnection"
    private_connection_resource_id = azurerm_key_vault.global.id
    is_manual_connection           = false
    subresource_names              = ["Vault"]
  }

  tags = local.default_tags

  lifecycle {
    ignore_changes = [
      # Ignore changes to private_dns_zone_group because this is managed by Azure Policy
      # private_dns_zone_group
    ]
  }
}

resource "azurerm_key_vault" "global" {
  name                = "eq${var.environment}-keyvault"
  location            = var.location
  resource_group_name = data.azurerm_resource_group.global.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  #enable_rbac_authorization = true
  public_network_access_enabled = false # Deny all access - except for the private endpoint connections
  sku_name = "standard"

  purge_protection_enabled = true

  tags = local.default_tags
  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    #ip_rules                   = []
    #virtual_network_subnet_ids = []
  }
}

# Give KV secret permissions to the service principal that runs the Terraform apply itself
resource "azurerm_key_vault_access_policy" "devops_pipeline_all" {
  key_vault_id = azurerm_key_vault.global.id

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id

  secret_permissions = [
    "Get", "List", "Delete", "Purge", "Set", "Backup", "Restore", "Recover"
  ]
}

Debug Output/Panic Output

│ Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
│ 
│   with azurerm_key_vault.global,
│   on akv.tf line 50, in resource "azurerm_key_vault" "global":
│   50: resource "azurerm_key_vault" "global" {

Expected Behaviour

It should apply the changes to the AKV resource on the second pipeline run.

Actual Behaviour

Getting the error below:

│ Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
│ 
│   with azurerm_key_vault.global,
│   on akv.tf line 50, in resource "azurerm_key_vault" "global":
│   50: resource "azurerm_key_vault" "global" {

Steps to Reproduce

Terraform plan and terraform apply

Important Factoids

No response

References

No response

wuxu92 commented 1 week ago

Hi @NagaSwamy473, the issue was caused by public_network_access_enabled being set to false. There are PRs #23823 and #25777 to address this data plane access restriction. Could you try using the latest AzureRM or a version >= v3.104.0 to see if it resolves the issue?
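
To make the failure mode above concrete, here is an added Go example (not provider code and not from this thread) that reproduces the two halves of the diagnosis: a data-plane request to a vault that accepts the TCP connection but never answers ends with the context deadline and no HTTP status at all, which is the `StatusCode=0 -- Original Error: context deadline exceeded` shape in the report; and a read that first consults the ARM-side `publicNetworkAccess` flag and skips the data-plane call when it is `Disabled`, which is the behaviour described for v3.104.0 and later. The `vaultProps` type, the `/certificates/contacts` path, `api-version=7.4` and the `newVaultStub` test double are assumptions made for this example; the real provider uses the Azure SDK clients rather than a raw `http.Client`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// vaultProps is a cut-down stand-in for the control-plane (ARM) properties the
// provider already holds after the management-plane GET. Assumed shape for this
// example only, not the SDK's model type.
type vaultProps struct {
	Name                string
	PublicNetworkAccess string // "Enabled" or "Disabled"
}

// fetchContacts issues the data-plane request behind GetCertificateContacts
// (path and api-version assumed from the Key Vault REST API). It returns the
// HTTP status, or 0 plus an error when no response ever arrived.
func fetchContacts(ctx context.Context, client *http.Client, dataPlaneURL string) (int, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet,
		dataPlaneURL+"/certificates/contacts?api-version=7.4", nil)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		// No HTTP status was received: the SDK reports this as StatusCode=0
		// with the context error as the "Original Error".
		return 0, fmt.Errorf("retrieving `contact` for KeyVault: %w", err)
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// readVault models the guard: check the ARM-side flag first and skip the
// data-plane read when public access is Disabled, instead of letting the call
// hang until the deadline from outside the vault's VNet. It reports whether the
// data plane was contacted.
func readVault(ctx context.Context, client *http.Client, props vaultProps, dataPlaneURL string) (bool, error) {
	if strings.EqualFold(props.PublicNetworkAccess, "Disabled") {
		return false, nil
	}
	if _, err := fetchContacts(ctx, client, dataPlaneURL); err != nil {
		return false, err
	}
	return true, nil
}

// newVaultStub is a constructed test double for the vault's data plane.
// reachable=true answers every request with 401, which is what a real vault
// returns to an unauthenticated caller that can reach it; reachable=false
// accepts the TCP connection but never writes a response, which is how a
// network-restricted endpoint looks to the client.
func newVaultStub(reachable bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reachable {
			w.Header().Set("WWW-Authenticate", `Bearer authorization="https://login.microsoftonline.com/"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		select {
		case <-r.Context().Done(): // the client gave up and closed the connection
		case <-time.After(5 * time.Second): // safety cap so the stub always exits
		}
	}))
}

func main() {
	blackhole := newVaultStub(false)
	defer blackhole.Close()

	ctx, cancel := context.WithTimeout(context.Background(), 300*time.Millisecond)
	defer cancel()

	// Unguarded read against an unreachable data plane: no status, deadline error.
	code, err := fetchContacts(ctx, blackhole.Client(), blackhole.URL)
	fmt.Printf("status=%d deadline=%v\n  err=%v\n", code, errors.Is(err, context.DeadlineExceeded), err)

	// Guarded read: the ARM flag short-circuits before any data-plane traffic.
	reached, err := readVault(ctx, blackhole.Client(),
		vaultProps{Name: "example-kv", PublicNetworkAccess: "Disabled"}, blackhole.URL)
	fmt.Printf("data plane contacted=%v err=%v\n", reached, err)
}
```

The guard only removes the read of certificate contacts during refresh. Anything the pipeline identity later needs from the data plane (secrets, keys, certificates, the `devops_pipeline_all` policy being exercised) still requires that the runner resolve the vault to its private endpoint and reach it, so a runner outside the linked VNets with `default_action = "Deny"` and no `ip_rules` will hit the same timeout on those resources.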

NagaSwamy473 commented 1 week ago

Hi @wuxu92,

Tried with terraform provider version as 3.104.0 but still facing the same issue.

Successfully configured the backend "azurerm"! Terraform will automatically use this backend unless the backend configuration changes. Initializing provider plugins...

Regards,
Naga Swamy K.

wuxu92 commented 1 week ago

@NagaSwamy473 Is the error message the same as before? An error like `Error: retrieving 'contact' for KeyVault` should only occur when public_network_access is enabled in v3.104.0.