@mark-strasser-nnl
Last active April 11, 2022 22:07
Example Key Vault Failure in Azure USGov

Copied from example docs:

provider "azurerm" {
  skip_provider_registration = true
  environment                = "usgovernment"
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "USGovVirginia"
}

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault89151"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get",
    ]

    secret_permissions = [
      "Get",
    ]

    storage_permissions = [
      "Get",
    ]
  }
}

This works in Azure Commercial, but fails in Azure USGovernment. v2.99 of the azurerm provider worked fine.

│ Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
│
│   with azurerm_key_vault.example,
│   on main.tf line 15, in resource "azurerm_key_vault" "example":
│   15: resource "azurerm_key_vault" "example" {
│

It also fails with refreshing state:

azurerm_key_vault.example: Refreshing state... [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.KeyVault/vaults/examplekeyvault89151]
2022-04-11T17:37:30.085-0400 [DEBUG] provider.terraform-provider-azurerm_v3.1.0_x5.exe: AzureRM Request:
GET /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.KeyVault/vaults/examplekeyvault89151?api-version=2019-09-01 HTTP/1.1
Host: management.usgovcloudapi.net
User-Agent: Go/go1.18 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v63.0.0 keyvault/2020-04-01-preview HashiCorp Terraform/1.1.8 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.1.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: eec2f4ab-8362-55f7-2b9f-30c0a9ab9786
Accept-Encoding: gzip: timestamp=2022-04-11T17:37:30.085-0400
2022-04-11T17:37:30.733-0400 [DEBUG] provider.terraform-provider-azurerm_v3.1.0_x5.exe: AzureRM Response for https://management.usgovcloudapi.net/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.KeyVault/vaults/examplekeyvault89151?api-version=2019-09-01:
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Mon, 11 Apr 2022 21:37:30 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Aspnet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Ms-Client-Request-Id: 3673b530-38cb-4508-b25b-b3c99876e2d7
X-Ms-Correlation-Request-Id: eec2f4ab-8362-55f7-2b9f-30c0a9ab9786
X-Ms-Keyvault-Service-Version: 1.5.322.3
X-Ms-Ratelimit-Remaining-Subscription-Reads: 14997
X-Ms-Request-Id: d6c60a74-7c1e-4fb4-8d24-aa5109bfd4eb
X-Ms-Routing-Request-Id: USGOVARIZONA:20220411T213730Z:6d9dc26a-ccd0-44ec-bd2c-4ed830bc4726
X-Powered-By: ASP.NET

{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.KeyVault/vaults/examplekeyvault89151","name":"examplekeyvault89151","type":"Microsoft.KeyVault/vaults","location":"usgovvirginia","tags":{},"properties":{"sku":{"family":"A","name":"standard"},"tenantId":"00000000-0000-0000-0000-000000000000","accessPolicies":[{"tenantId":"00000000-0000-0000-0000-000000000000","objectId":"1f8d9a5a-c74b-4927-a72d-6cf5d4660052","permissions":{"keys":["Get"],"secrets":["Get"],"certificates":[],"storage":["Get"]}}],"enabledForDeployment":false,"enabledForDiskEncryption":true,"enabledForTemplateDeployment":false,"enableSoftDelete":true,"softDeleteRetentionInDays":7,"enableRbacAuthorization":false,"vaultUri":"https://examplekeyvault89151.vault.usgovcloudapi.net/","provisioningState":"Succeeded"}}: timestamp=2022-04-11T17:37:30.733-0400
2022-04-11T17:42:30.106-0400 [ERROR] vertex "azurerm_key_vault.example" error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
2022-04-11T17:42:30.106-0400 [ERROR] vertex "azurerm_key_vault.example" error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
2022-04-11T17:42:30.106-0400 [ERROR] vertex "azurerm_key_vault.example (expand)" error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
╷
│ Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
│
│   with azurerm_key_vault.example,
│   on main.tf line 15, in resource "azurerm_key_vault" "example":
│   15: resource "azurerm_key_vault" "example" {
│
╵
2022-04-11T17:42:30.112-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-04-11T17:42:30.124-0400 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.1.0/windows_amd64/terraform-provider-azurerm_v3.1.0_x5.exe pid=944
2022-04-11T17:42:30.124-0400 [DEBUG] provider: plugin exited
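Reading the debug log above: the management-plane GET against management.usgovcloudapi.net returns 200 at 17:37:30 with vaultUri set to https://examplekeyvault89151.vault.usgovcloudapi.net/, and the error only appears at 17:42:30, five minutes later, from keyvault.BaseClient#GetCertificateContacts. So the provider reaches ARM fine and then hangs on the Key Vault data plane until its context deadline. The script below is an added triage example (not part of this gist or of the azurerm provider): it pulls vaultUri out of the ARM response body, checks that its DNS suffix matches the cloud named in the provider block, and can optionally TLS-connect to that host with a short timeout from the machine running Terraform. The sample response body is a trimmed copy of the one in the log; the suffix table for clouds other than usgovernment is taken from general Azure knowledge, not from this page, and the function names are this example's own.

```python
"""Triage helper for a Key Vault 'context deadline exceeded' after a successful ARM GET.

Added example, not code from the gist or the azurerm provider. It answers two
questions a practitioner asks first: does the vaultUri the provider is about to
call carry the DNS suffix for the configured cloud, and is that host reachable
on 443 from this runner?
"""
import json
import socket
import ssl
from urllib.parse import urlparse

# Key Vault data-plane DNS suffix per azurerm `environment` value.
# Only the usgovernment entry is confirmed by the log on this page; the others
# are assumed from general Azure documentation.
VAULT_DNS_SUFFIX = {
    "public": "vault.azure.net",
    "usgovernment": "vault.usgovcloudapi.net",
    "china": "vault.azure.cn",
    "german": "vault.microsoftazure.de",
}

# Constructed sample: the ARM response body from the debug log, trimmed to the
# fields this check needs.
SAMPLE_ARM_RESPONSE = json.dumps({
    "name": "examplekeyvault89151",
    "location": "usgovvirginia",
    "properties": {
        "vaultUri": "https://examplekeyvault89151.vault.usgovcloudapi.net/",
        "provisioningState": "Succeeded",
    },
})


def vault_host_from_arm_response(body: str) -> str:
    """Return the data-plane host the provider calls next (taken from vaultUri)."""
    vault_uri = json.loads(body)["properties"]["vaultUri"]
    host = urlparse(vault_uri).hostname
    if not host:
        raise ValueError(f"vaultUri has no host: {vault_uri!r}")
    return host


def suffix_matches_environment(host: str, environment: str) -> bool:
    """True when the vault's DNS suffix is the one for the configured cloud."""
    expected = VAULT_DNS_SUFFIX[environment]
    return host.endswith("." + expected)


def probe_data_plane(host: str, timeout: float = 5.0) -> dict:
    """TLS-connect to the data-plane host with a short deadline.

    A bare TCP+TLS handshake is enough to separate 'unreachable from this runner'
    (firewall, private endpoint, DNS) from 'reachable but the API call stalls';
    no Key Vault request and no credential is involved.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                return {"reachable": True, "tls_version": tls.version()}
    except (OSError, ssl.SSLError) as exc:
        return {"reachable": False, "error": repr(exc)}


def triage(body: str, environment: str, probe: bool = False) -> dict:
    """Combine the offline suffix check with the optional network probe."""
    host = vault_host_from_arm_response(body)
    report = {
        "host": host,
        "environment": environment,
        "expected_suffix": VAULT_DNS_SUFFIX[environment],
        "suffix_ok": suffix_matches_environment(host, environment),
    }
    if probe:
        report["probe"] = probe_data_plane(host)
    return report


if __name__ == "__main__":
    # Offline by default; pass probe=True on the Terraform runner to test reachability.
    print(json.dumps(triage(SAMPLE_ARM_RESPONSE, "usgovernment"), indent=2))
```

If suffix_ok is true and the probe reaches the host, the hang is not a DNS or network-path problem on the runner, which points back at the provider's data-plane client for this cloud (consistent with the report that v2.99 worked and v3.1.0 does not). If the probe fails, fix reachability (egress rules, private DNS for the vault) before chasing provider versions.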

Terraform versions:

$ terraform version
Terraform v1.1.8
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.1.0