pulumi / pulumi-azure

A Microsoft Azure Pulumi resource package, providing multi-language access to Azure
Apache License 2.0

Certificate renewal logic fails because of the default behavior of Azure Key Vault #1387

Open paf-dev opened 1 year ago

paf-dev commented 1 year ago

What happened?

So, we have a certificate that is stored in the Azure Key Vault. For the certificate we have the following part of CertificateArgs

// LifetimeActions entry of the certificate policy inside CertificateArgs:
// auto-renew the certificate 10 days before it expires.
LifetimeActions = new[]
{
    new CertificateCertificatePolicyLifetimeActionArgs
    {
        Action = new CertificateCertificatePolicyLifetimeActionActionArgs
        {
            ActionType = "AutoRenew",
        },
        Trigger = new CertificateCertificatePolicyLifetimeActionTriggerArgs
        {
            DaysBeforeExpiry = 10
        },
    },
}

Now it is time to trigger that renewal logic. When we run Pulumi we see the following error:

keyvault.BaseClient#ImportCertificate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Certificate certmanager-***6110abac26 is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the certificate can only be recovered or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}

Note: the name of the certificate was edited to hide sensitive data behind ***

The reason for the problem is clear, but doesn't it mean that the Certificate Lifetime Policy doesn't work at all when it collaborates with the Azure Key Vault?

Example

Everything is described in section "what happened"

Output of pulumi about

CLI
Version      3.79.0
Go Version   go1.21.0
Go Compiler  gc

Plugins
NAME          VERSION
azure         5.16.0
azure-native  1.71.0
azuread       5.28.0
azuredevops   2.5.0
dotnet        unknown
kubernetes    3.21.0
random        4.8.2
tls           4.6.0

Host
OS       Microsoft Windows 10 Pro
Version  10.0.19045 Build 19045
Arch     x86_64

This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='6.0.123'

Backend
Name  pulumi.com

No dependencies found

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
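A pipeline-side way to recognise this failure mode and to catch it before the run, added here as an example and not part of the issue or of the provider's code: it parses the autorest error quoted above for the ObjectIsDeletedButRecoverable inner code, and checks the certificate names a run is about to (re)create against a listing in the shape of `az keyvault certificate list-deleted -o json`. The CLI output shape is an assumption and the sample names are constructed.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed copy of the autorest error text quoted in the issue (name redacted as on the page).
SAMPLE_ERROR = (
    'keyvault.BaseClient#ImportCertificate: Failure responding to request: StatusCode=409 -- '
    'Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" '
    'Message="Certificate certmanager-***6110abac26 is currently in a deleted but recoverable '
    'state, and its name cannot be reused; in this state, the certificate can only be recovered '
    'or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}'
)

# Constructed sample in the assumed shape of `az keyvault certificate list-deleted -o json`; names are made up.
SAMPLE_DELETED = json.dumps([
    {"name": "certmanager-old", "scheduledPurgeDate": "2023-12-30T10:00:00+00:00"},
    {"name": "api-tls", "scheduledPurgeDate": "2024-01-15T08:30:00+00:00"},
])

_ERR_RE = re.compile(r'Status=(\d+) Code="([^"]*)" Message="([^"]*)"(?: InnerError=(\{.*?\}))?')


@dataclass
class KeyVaultError:
    status: int
    code: str
    message: str
    inner_code: Optional[str]


def parse_autorest_error(text: str) -> Optional[KeyVaultError]:
    """Extract Status, Code, Message and InnerError.code from an autorest/azure error string."""
    m = _ERR_RE.search(text)
    if m is None:
        return None
    inner = json.loads(m.group(4)) if m.group(4) else {}
    return KeyVaultError(int(m.group(1)), m.group(2), m.group(3), inner.get("code"))


def is_soft_delete_conflict(err: Optional[KeyVaultError]) -> bool:
    """True for the 409 Key Vault returns when a soft-deleted certificate name is reused."""
    return err is not None and err.status == 409 and err.inner_code == "ObjectIsDeletedButRecoverable"


def blocked_names(desired: Iterable[str], deleted_json: str) -> List[str]:
    """Pre-flight: names about to be (re)created that still occupy a soft-deleted slot.
    Each hit must be recovered, or purged where purge protection allows it, before the run can succeed."""
    deleted = {c["name"] for c in json.loads(deleted_json)}
    return sorted(n for n in desired if n in deleted)
```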

mikhailshilkov commented 1 year ago

@paf-dev Could you please share the entire definition of the resource? (with sensitive info redacted) Thank you!

When we run Pulumi we see the following error

What are you changing in your program at this point?

paf-dev commented 1 year ago

Hello @mikhailshilkov

What are you changing in your program at this point?

We added the piece of code that I mentioned in the first message. The part with LifetimeActions. So now, when we run our pipeline, the logic tries to replace the certificate with a new one. But it fails because of the error I mentioned above.

I'm not sure if I understand what the definition of the resource means. Is it the properties of the resource that I can see on the pulumi portal in Resources section? Or is it something different?

paf-dev commented 1 year ago

@mikhailshilkov is there any chance to get some progress with the issue?