search

pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0
125 stars 33 forks source link

AccessPolicy import fails. Invalid resource state is created #3586

Open Karol-Pawlowski-Allegro opened 6 days ago

Karol-Pawlowski-Allegro commented 6 days ago

What happened?

Hey Guys, when creating KeyVault Access Policy in the stack with the following code 

_ = new AccessPolicy(
      $"policy-{SvCdKv.GetResourceName()}-{policy.Key}",
      new AccessPolicyArgs()
      {
          VaultName = SvCdKv.GetResourceName(),
          Policy = policy.Value,
          ResourceGroupName = ResourceGroup.Name
      }, new CustomResourceOptions()
      {
          Parent = SvCdKv
      });

and importing the existing access policy with below 

pulumi import azure-native:keyvault:AccessPolicy \
  policy-depo-spcred-euw-key-dev-6d7a7007-9664-4e29-a203-80324da8641b \
  /subscriptions/6c288f12-751d-4a98-bb2a-537be023beb5/resourceGroups/depo-shared-euw-dev/providers/Microsoft.KeyVault/vaults/depo-svcd-euw-key-dev/accessPolicy/6d7a7007-9664-4e29-a203-80324da8641b \
  --parent urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault::depo-spcred-euw-key-dev

I get the resource imported by I get the state updated with following line "policy.objectId": "8a48c337-90bf-4fef-acbb-9aaca225711d" that enforces resources recreation which also fails as it can locate the resource. The only solution I see at the moment is to manually update the stack and remove that line but when we get stacks encrypted and much more access policies to track, the problem will get serious.

Image Provider version: azure-native::default_2_53_0 Pulumi version: 3.66.0-alpha.48eae07

Example

Steps:

  1. AccessPolicy creation in the stack: _ = new AccessPolicy( $"policy-{SvCdKv.GetResourceName()}-{policy.Key}", new AccessPolicyArgs() { VaultName = SvCdKv.GetResourceName(), Policy = policy.Value, ResourceGroupName = ResourceGroup.Name }, new CustomResourceOptions() { Parent = SvCdKv });
  2. Import existing access policy pulumi import azure-native:keyvault:AccessPolicy policy-depo-spcred-euw-key-dev-6d7a7007-9664-4e29-a203-80324da8641b /subscriptions/6c288f12-751d-4a98-bb2a-537be023beb5/resourceGroups/depo-shared-euw-dev/providers/Microsoft.KeyVault/vaults/depo-svcd-euw-key-dev/accessPolicy/6d7a7007-9664-4e29-a203-80324da8641b --parent urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault::depo-spcred-euw-key-dev

Output of pulumi about

running 'dotnet build -nologo .'
  Determining projects to restore...

  All projects are up-to-date for restore.

  AllegroPay.IaC.Depo.Shared -> /Users/karol.pawlowski/allegropay/depo-ops-iac-infrastructure/AllegroPay.IaC.Depo.Shared/bin/Debug/net8.0/AllegroPay.IaC.Depo.Shared.dll

Build succeeded.

    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:00.47

'dotnet build -nologo .' completed successfully
CLI          
Version      3.130.0
Go Version   go1.22.6
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  azure-native  2.53.0
resource  azuread       5.47.2
language  dotnet        unknown
resource  mssql         0.0.8
resource  random        4.16.0

Host     
OS       darwin
Version  14.4.1
Arch     arm64

This project is written in dotnet: executable='/usr/local/share/dotnet/dotnet' version='8.0.201'

Current Stack: organization/AllegroPay.IaC.Depo.Shared.ProjectStack/depo.dev

TYPE                                                URN
pulumi:pulumi:Stack                                 urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::pulumi:pulumi:Stack::AllegroPay.IaC.Depo.Shared.ProjectStack-depo.dev
pulumi:providers:pulumi                             urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::pulumi:providers:pulumi::default
pulumi:providers:azure-native                       urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::pulumi:providers:azure-native::default_2_53_0
allegropay:azure-native:sftpgateway                 urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::allegropay:azure-native:sftpgateway::depo-vodeno-euw-sftp-dev
pulumi:pulumi:StackReference                        urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::pulumi:pulumi:StackReference::PlatformStack
azure-native:resources:ResourceGroup                urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:resources:ResourceGroup::depo-shared-euw-dev
azure-native:resources:ResourceGroup                urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::allegropay:azure-native:sftpgateway$azure-native:resources:ResourceGroup::depo-vodeno-euw-dev
azure-native:keyvault:Vault                         urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault::depo-secret-euw-key-dev
azure-native:keyvault:Vault                         urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault::depo-svcd-euw-key-dev
azure-native:keyvault:Vault                         urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault::depo-spcred-euw-key-dev
azure-native:compute:Disk                           urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:compute:Disk::depo-vodeno-euw-vm-sftp-dev_OsDisk
azure-native:keyvault:Vault                         urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault::depo-vodeno-euw-key-dev
azure-native:storage:StorageAccount                 urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::allegropay:azure-native:sftpgateway$azure-native:resources:ResourceGroup$azure-native:storage:StorageAccount::depo0vodeno0euw0sftp0dev
azure-native:servicebus:Namespace                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:servicebus:Namespace::depo-shared-euw-bus-1-dev
pulumi:pulumi:StackReference                        urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::pulumi:pulumi:StackReference::NetworkStack
azure-native:operationalinsights:Workspace          urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:operationalinsights:Workspace::depo-shared-euw-log-dev
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-spcred-euw-key-dev-availability
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-vodeno-euw-key-dev-availability
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo0vodeno0euw0sftp0dev-storage_warning
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-svcd-euw-key-dev-availability
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-shared-euw-bus-1-dev-concurrent_connections
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-secret-euw-key-dev-availability
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-secret-euw-key-dev-af0431c9-7e39-42e1-ab6f-7c600a99ffd0
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-spcred-euw-key-dev-saturation
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-spcred-euw-key-dev-throttling
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-spcred-euw-key-dev-error_codes
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-spcred-euw-key-dev-latency
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-svcd-euw-key-dev-saturation
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-svcd-euw-key-dev-throttling
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-svcd-euw-key-dev-latency
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-svcd-euw-key-dev-error_codes
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo0vodeno0euw0sftp0dev-storage_almost_full
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-vodeno-euw-key-dev-saturation
azure-native:servicebus:NamespaceAuthorizationRule  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:servicebus:Namespace$azure-native:servicebus:NamespaceAuthorizationRule::ListenAndSendAccessKey
azure-native:servicebus:NamespaceAuthorizationRule  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:servicebus:Namespace$azure-native:servicebus:NamespaceAuthorizationRule::RootManageSharedAccessKey
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-shared-euw-bus-1-dev-entity_size
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-vodeno-euw-key-dev-error_codes
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::allegropay:azure-native:sftpgateway$azure-native:resources:ResourceGroup$azure-native:insights:MetricAlert::depo-vodeno-euw-key-dev-latency
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-vodeno-euw-key-dev-throttling
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo0vodeno0euw0sftp0dev-max_throughput
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-secret-euw-key-dev-saturation
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-secret-euw-key-dev-error_codes
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-secret-euw-key-dev-throttling
azure-native:insights:MetricAlert                   urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:MetricAlert::depo-secret-euw-key-dev-latency
azure-native:insights:ScheduledQueryRule            urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:ScheduledQueryRule::depo-shared-euw-log-dev-daily_cap_hit
azure-native:network:PrivateEndpoint                urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateEndpoint::depo0vodeno0euw0sftp0dev-blob-pe
azure-native:network:PrivateEndpoint                urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateEndpoint::depo-svcd-euw-key-dev-vault-pe
azure-native:network:PrivateEndpoint                urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateEndpoint::depo-secret-euw-key-dev-vault-pe
azure-native:network:PrivateEndpoint                urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateEndpoint::depo-vodeno-euw-key-dev-vault-pe
azure-native:network:PrivateEndpoint                urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateEndpoint::depo-spcred-euw-key-dev-vault-pe
azure-native:network:NetworkInterface               urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:NetworkInterface::depo-vodeno-euw-nic-sftp-dev
azure-native:compute:VirtualMachine                 urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::allegropay:azure-native:sftpgateway$azure-native:resources:ResourceGroup$azure-native:compute:VirtualMachine::depo-vodeno-euw-vm-sftp-dev
azure-native:compute:VirtualMachineExtension        urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::allegropay:azure-native:sftpgateway$azure-native:resources:ResourceGroup$azure-native:compute:VirtualMachine$azure-native:compute:VirtualMachineExtension::depo-vodeno-euw-vm-sftp-dev-MDE
azure-native:insights:Component                     urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:insights:Component::depo-shared-euw-appins-dev
azure-native:network:PrivateDnsZoneGroup            urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateDnsZoneGroup::depo-spcred-euw-key-dev-vault-pe-westeurope-zone-group
azure-native:network:PrivateDnsZoneGroup            urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateDnsZoneGroup::depo-svcd-euw-key-dev-vault-pe-westeurope-zone-group
azure-native:network:PrivateDnsZoneGroup            urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateDnsZoneGroup::depo0vodeno0euw0sftp0dev-blob-pe-westeurope-zone-group
azure-native:network:PrivateDnsZoneGroup            urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateDnsZoneGroup::depo-vodeno-euw-key-dev-vault-pe-westeurope-zone-group
azure-native:network:PrivateDnsZoneGroup            urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:network:PrivateDnsZoneGroup::depo-secret-euw-key-dev-vault-pe-westeurope-zone-group
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-secret-euw-key-dev-6d7a7007-9664-4e29-a203-80324da8641b
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-secret-euw-key-dev-022f28b0-0180-4c61-bf4c-29045ebc7933
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-secret-euw-key-dev-8a48c337-90bf-4fef-acbb-9aaca225711d
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-secret-euw-key-dev-c1a2d56b-a773-4565-8881-f15ce4f91673
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-svcd-euw-key-dev-6d7a7007-9664-4e29-a203-80324da8641b
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-svcd-euw-key-dev-022f28b0-0180-4c61-bf4c-29045ebc7933
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-svcd-euw-key-dev-8a48c337-90bf-4fef-acbb-9aaca225711d
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-svcd-euw-key-dev-c1a2d56b-a773-4565-8881-f15ce4f91673
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-svcd-euw-key-dev-af0431c9-7e39-42e1-ab6f-7c600a99ffd0
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-spcred-euw-key-dev-8a48c337-90bf-4fef-acbb-9aaca225711d
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-spcred-euw-key-dev-022f28b0-0180-4c61-bf4c-29045ebc7933
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-spcred-euw-key-dev-c1a2d56b-a773-4565-8881-f15ce4f91673
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-spcred-euw-key-dev-af0431c9-7e39-42e1-ab6f-7c600a99ffd0
azure-native:keyvault:AccessPolicy                  urn:pulumi:depo.dev::AllegroPay.IaC.Depo.Shared.ProjectStack::azure-native:keyvault:Vault$azure-native:keyvault:AccessPolicy::policy-depo-spcred-euw-key-dev-6d7a7007-9664-4e29-a203-80324da8641b

Found no pending operations associated with depo.dev

Backend        
Name           polpc13463
URL            azblob://pulumi-state-container
User           karol.pawlowski
Organizations  
Token type     personal

Dependencies:
NAME                  VERSION
AllegroPay.IaC.Azure  0.0.72

Pulumi locates its logs in /var/folders/2w/f66lyqtd663fc60h0s7chl5r0000gp/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

justinvp commented 2 days ago

Thanks for the issue @Karol-Pawlowski-Allegro. This looks specific to Azure Native, so I'm going to transfer the issue to the https://github.com/pulumi/pulumi-azure-native repo and someone will take a look.

thomas11 commented 1 day ago

Hi @Karol-Pawlowski-Allegro, to arrive at a correct Pulumi state, you should pulumi import the resource before defining it in code. Otherwise, it already exists in your stack when the import command adds it again. Alternatively, define it in code and use the import resource option. Let me know if that helps.

thomas11 commented 1 day ago

Oh, I just remembered #3333 - @danielrbradley I imagine that would be a problem for import as well until it's fixed in 3.0?