pulumi / pulumi-azure

A Microsoft Azure Pulumi resource package, providing multi-language access to Azure
Apache License 2.0

keyvault certificates broken #1035

Open lkt82 opened 2 years ago

lkt82 commented 2 years ago

Hi

After upgrading to a version higher than 4.36.0, the creation of keyvault certificates breaks 👎.

We are relying on this in production so it's not that fun.

This is the error we get when we are creating keyvault certificates:

```
azure:keyvault:Certificate (certmanager-*****):
    error: expected non-nil error with nil state during Create of urn:pulumi:******
```

Environment
- Pulumi: 3.24.1
- Pulumi.Azure: 4.38.0
- OS: Windows

danielrbradley commented 2 years ago

Just to clarify - the migration of existing certificates was okay when upgrading, but the creation of the new certificates is failing?

I've just tested the below code against v4.39.0 and it deploys successfully. Please could you provide code which reproduces this issue?

```typescript
import * as azure from "@pulumi/azure";

// Assumed for this snippet: the resource group the key vault is created in
// (not part of the original comment, which referenced an existing `resourceGroup`).
const resourceGroup = new azure.core.ResourceGroup("rg", { location: "West Europe" });

// Tenant and object id of the identity running `pulumi up`
const current = azure.core.getClientConfig({});

const keyvault = new azure.keyvault.KeyVault("key-vault", {
  resourceGroupName: resourceGroup.name,
  skuName: "standard",
  tenantId: current.then((c) => c.tenantId),
  // Access policy granting the deploying identity the permissions needed below
  accessPolicies: [
    {
      tenantId: current.then((current) => current.tenantId),
      objectId: current.then((current) => current.objectId),
      certificatePermissions: [
        "create",
        "delete",
        "deleteissuers",
        "get",
        "getissuers",
        "import",
        "list",
        "listissuers",
        "managecontacts",
        "manageissuers",
        "purge",
        "setissuers",
        "update",
      ],
      keyPermissions: [
        "backup",
        "create",
        "decrypt",
        "delete",
        "encrypt",
        "get",
        "import",
        "list",
        "purge",
        "recover",
        "restore",
        "sign",
        "unwrapKey",
        "update",
        "verify",
        "wrapKey",
      ],
      secretPermissions: [
        "backup",
        "delete",
        "get",
        "list",
        "purge",
        "recover",
        "restore",
        "set",
      ],
    },
  ],
});

// Self-signed certificate generated by Key Vault with an auto-renew policy
new azure.keyvault.Certificate("cert", {
  keyVaultId: keyvault.id,
  certificatePolicy: {
    issuerParameters: {
      name: "Self",
    },
    keyProperties: {
      exportable: true,
      keySize: 2048,
      keyType: "RSA",
      reuseKey: true,
    },
    lifetimeActions: [
      {
        action: {
          actionType: "AutoRenew",
        },
        trigger: {
          daysBeforeExpiry: 30,
        },
      },
    ],
    secretProperties: {
      contentType: "application/x-pkcs12",
    },
    x509CertificateProperties: {
      extendedKeyUsages: ["1.3.6.1.5.5.7.3.1"],
      keyUsages: [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ],
      subjectAlternativeNames: {
        dnsNames: ["internal.contoso.com", "domain.hello.world"],
      },
      subject: "CN=hello-world",
      validityInMonths: 12,
    },
  },
});
```

lkt82 commented 2 years ago

Hi

This happens when we try to create new environments from scratch. We have not tested any updates, as we rolled back to an older provider version when we could not provision a development environment.

It's tangled with a lot of other code; can you use this?

```csharp
// Random suffix for the certificate name; the keepers force a new id whenever
// the certificate, private key or vault changes.
var certId = new RandomId(GetLogicalName("id"), new RandomIdArgs
{
    ByteLength = 5,
    Prefix = Name.Replace(".", string.Empty).Replace("*", "wc"),
    Keepers =
    {
        { "CertId", cert.Id },
        { "VaultId", args.VaultId },
        { "CertPem", cert.CertPem },
        { "PrivateKeyPem", privateKey.PrivateKeyPem }
    }
}, new()
{
    Parent = this
});

// The Key Vault certificate is created inside Apply so its name can use the
// generated hex id; the PKCS12 bundle is imported rather than issued by Key Vault.
var vaultCertificate = certId.Hex.Apply(c => new Certificate(c, new CertificateArgs
{
    KeyVaultId = args.VaultId,
    Name = c,
    Tags = AzureContext.Tags,
    KeyVaultCertificate = new CertificateCertificateArgs
    {
        Contents = pkcs12,
        Password = string.Empty
    },
    CertificatePolicy = new CertificateCertificatePolicyArgs
    {
        KeyProperties = new CertificateCertificatePolicyKeyPropertiesArgs
        {
            Exportable = true,
            KeyType = KeyVaultKeyType,
            KeySize = KeyVaultKeySize,
            ReuseKey = false
        },
        IssuerParameters = new CertificateCertificatePolicyIssuerParametersArgs
        {
            Name = "Self"
        },
        SecretProperties = new CertificateCertificatePolicySecretPropertiesArgs
        {
            ContentType = "application/x-pkcs12"
        },
    }
}, new()
{
    Parent = this,
    DeleteBeforeReplace = true,
    // Changes to the uploaded PKCS12 contents do not trigger an update
    IgnoreChanges = { "certificate.contents" }
}));
```