Terraform-provider-azurerm: azurerm 1.22 Error checking if key vault "" Exists

Created on 11 Feb 2019  ·  8 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Affected Resource(s)

  • azurerm 1.22.0

Terraform Configuration Files

resource "azurerm_key_vault_secret" "my_keyvault_secret" {
  name      = "mykeyvaultsecretname"
  value     = "mykeyvaultsecretvalue"
  key_vault_id = "${module.mykeyvaultmodule.key_vault_id}"
}

Debug Output

No difference when I run terraform with TF_LOG=TRACE

Panic Output

Expected Behavior

Terraform should refresh the state of my_keyvault_secret placed in my_keyvault

Actual Behavior


Terraform cannot find the my_keyvault keyvault, therefore cannot retrieve the keyvaultId needed to refresh the resource my_keyvault_secret
Error message:
module.sag.azurerm_key_vault_secret.sag-accesskey: 1 error(s) occurred:
azurerm_key_vault_secret.my-secret: Error checking if key vault "" for Secret "my-secret" in Vault at url "https://some-vault-url.vault.azure.net/" exists: keyVaultId is empty

Steps to Reproduce

  1. terraform plan

Important Factoids

References

  • Note: This has been happening since upgrading to 1.22, switched provider to 1.21 and issue was solved.

Labels: bug, regression, service/keyvault

All 8 comments

I've just faced the same issue. There are some more details about it.
If your KV secret has been created using 1.21 version, it will not have "key_vault_id" attribute in the state (if you create the same secret using 1.22 from scratch, it will have the attribute).

Let's hope there is a workaround to use 1.22 without recreating all KV secrets.

I am thinking one workaround would be to manually replace the attribute in the state.

Another workaround is providing the version in the provider:

provider "azurerm" {
  version = "1.21"
}

Another workaround... assuming you've updated your keyvault resource with the new key_vault_id setting...

terraform state show azurerm_key_vault_secret.MY_SECRET
# copy the id
terraform state rm azurerm_key_vault_secret.MY_SECRET
terraform import azurerm_key_vault_secret.MY_SECRET COPIED_ID_FROM_SHOW

Sorry about this regression everyone, it was not our intent to force the use of vault_id. I have opened #2874 with a fix; however, until that is merged and released, @MattMencel's import workaround is the best solution. However, manually editing the state file to add the key_vault_id would also work.
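
An added example, not part of the original thread or the provider's code: a read-only check that lists which azurerm_key_vault_secret entries in a state file lack key_vault_id, so you know which ones need the import workaround or a state edit. It assumes the version 3 state layout written by Terraform 0.11; the sample state, vault URL and resource names are constructed.

```python
import json

# Constructed sample in the state version 3 layout (assumption: Terraform 0.11).
SAMPLE_STATE = json.loads("""
{
  "version": 3,
  "modules": [
    {"path": ["root"], "resources": {
      "azurerm_key_vault_secret.new": {
        "type": "azurerm_key_vault_secret",
        "primary": {"id": "https://example-vault.vault.azure.net/secrets/new/0001",
                    "attributes": {"name": "new",
                                   "key_vault_id": "/subscriptions/000/example-vault-id"}}}}},
    {"path": ["root", "sag"], "resources": {
      "azurerm_key_vault_secret.old": {
        "type": "azurerm_key_vault_secret",
        "primary": {"id": "https://example-vault.vault.azure.net/secrets/old/0002",
                    "attributes": {"name": "old",
                                   "vault_uri": "https://example-vault.vault.azure.net/"}}}}}
  ]
}
""")


def secrets_missing_vault_id(state):
    """Return sorted (address, id) pairs for secrets whose state lacks key_vault_id."""
    if state.get("version") != 3:
        raise ValueError("only the version 3 state layout is handled here")
    found = []
    for module in state.get("modules", []):
        # path is ["root", "a", "b"]; the address prefix is "module.a.module.b."
        prefix = "".join(f"module.{name}." for name in module["path"][1:])
        for key, res in module.get("resources", {}).items():
            if res.get("type") != "azurerm_key_vault_secret":
                continue
            primary = res.get("primary") or {}
            # A missing or empty key_vault_id is what triggers "keyVaultId is empty".
            if not primary.get("attributes", {}).get("key_vault_id"):
                found.append((prefix + key, primary.get("id")))
    return sorted(found)


if __name__ == "__main__":
    for address, secret_id in secrets_missing_vault_id(SAMPLE_STATE):
        print(f"{address}\t{secret_id}")
```

The check reads only resource addresses and ids and never touches the secret's value attribute, which the state file holds in plain text. Each address and id pair it lists can be fed to the state rm / import sequence shown above.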

Are you planning to release a bugfix release, or do we have to wait until the other tasks for 1.23 are done?

@StefanSchoof we'll be releasing a bug fix release containing a fix for this

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
