
Azure Key Vault createMode setup #21334

Closed
1 task done
vigor-vavan opened this issue Apr 7, 2023 · 5 comments · Fixed by #21668
Comments

@vigor-vavan

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.6

AzureRM Provider Version

3.51.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

There is no resource property.

Debug Output/Panic Output

Apply excerpt:
...Target="<keyvault name>" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.KeyVault/vaults","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.KeyVault/vaults"},{"expression":"Microsoft.KeyVault/vaults/createMode","expressionKind":"Field","operator":"NotEquals","path":"properties.createMode","result":"True","targetValue":"recover"},{"expression":"Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value","expressionKind":"Field","operator":"In","path":"properties.networkAcls.ipRules[*].value","result":"True","targetValue":["224.0.0.0/4","127.0.0.0/8","169.254.0.0/16","168.63.129.16/32","255.255.255.255/32","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]}]},....

Expected Behaviour

To be able to set the key vault property createMode
and to be compliant with the built-in policy 'Azure Key Vault should have firewall enabled'.

The new version of the built-in policy 'Azure Key Vault should have firewall enabled' is now GA (version 3.1.0).
All previously created key vaults are now non-compliant.

[image]

Actual Behaviour

It is not possible to set the key vault property createMode with Terraform resources.

Steps to Reproduce

Look at the azurerm_key_vault_key resource.
There is no possibility to set createMode to recover.

Important Factoids

No response

References

No response

wuxu92 commented Apr 12, 2023

Hi @vigor-vavan

Thanks for your feedback. The azurerm provider will set create_mode to recover when recovering from a soft-deleted key vault, but the GET API of Key Vault won't return the create_mode property. Maybe the policy should not check this field, or it's an API bug that it does not return the create_mode property.

Could you please share the Terraform configuration that causes this error?

@DjordjeTosic

Hi @wuxu92

@vigor-vavan is on vacation so he can't answer; we work together so I will answer instead of him. In the following image you can see the Terraform configuration that causes this error.
[image]
As @vigor-vavan said, we can't set the "createMode" property of the key vault because it doesn't exist in Terraform, while it is added to the ARM template of the key vault by Azure, and that is why the policy denies updating the key vault.

wuxu92 commented Apr 12, 2023

Hi @DjordjeTosic, thanks for your response. Actually the Terraform azurerm provider will set the CreateMode field to recover if there is a soft-deleted key vault, though it is not exposed as configurable to the Terraform user.

```go
recoverSoftDeletedKeyVault := false
if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) && !utils.ResponseWasForbidden(softDeletedKeyVault.Response) {
	if !meta.(*clients.Client).Features.KeyVault.RecoverSoftDeletedKeyVaults {
		// this exists but the user opted out, so they must import it out-of-band
		return fmt.Errorf(optedOutOfRecoveringSoftDeletedKeyVaultErrorFmt(id.Name, location))
	}
	recoverSoftDeletedKeyVault = true
}

if recoverSoftDeletedKeyVault {
	parameters.Properties.CreateMode = keyvault.CreateModeRecover
}
```

@DjordjeTosic

Hi @wuxu92, I understand that Terraform sets the CreateMode field to Recover when some key vault is deleted and then, when you recover it, Terraform will set the value for that property (if soft delete was set to true), but why don't you set it when the Key Vault is initially created? It doesn't need to be set to Recover, it can be set to the default value, because in this case that property doesn't exist in the ARM template of the key vault and that's why the policy fails and reports that the value for that property is "--".
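
The point made across the two comments above is that the policy evaluates a `createMode` field that the provider never writes on initial create, so it shows up as "--" and `NotEquals recover` comes out True. The following is an added example (not provider code and not Azure Policy's engine) that reproduces the three `evaluatedExpressions` from the apply output for a given vault, so a defender can see which field trips before running `terraform apply`. Assumptions are labelled in the comments: an absent `createMode` is rendered as "--", the `In` test on `networkAcls.ipRules[*].value` is modelled as CIDR containment that holds for every rule (vacuously true when there are no rules), and the truncated output does not show how the expressions combine into the deny, so no overall verdict is computed.

```go
package main

import (
	"fmt"
	"net"
)

// vault is a constructed stand-in for the properties the policy evaluated.
// CreateMode == "" models a vault whose createMode is absent from the
// resource (the "--" described in the thread).
type vault struct {
	Type       string
	CreateMode string
	IPRules    []string // networkAcls.ipRules[*].value, CIDR strings
}

// policyRanges are the targetValue CIDRs copied from the apply output.
var policyRanges = []string{
	"224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16", "168.63.129.16/32",
	"255.255.255.255/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
}

// expressionResult mirrors one entry of evaluatedExpressions.
type expressionResult struct {
	Expression string
	Value      string
	Result     bool
}

// lastAddress returns the highest address of a CIDR block.
func lastAddress(n *net.IPNet) net.IP {
	ip := make(net.IP, len(n.IP))
	for i := range n.IP {
		ip[i] = n.IP[i] | ^n.Mask[i]
	}
	return ip
}

// cidrWithin reports whether the whole rule block lies inside one of the
// listed ranges. Assumption: "In" on CIDR strings is modelled as range
// containment, not exact string comparison.
func cidrWithin(rule string, ranges []string) bool {
	first, ruleNet, err := net.ParseCIDR(rule)
	if err != nil {
		return false
	}
	last := lastAddress(ruleNet)
	for _, r := range ranges {
		_, rn, err := net.ParseCIDR(r)
		if err != nil {
			continue
		}
		if rn.Contains(first) && rn.Contains(last) {
			return true
		}
	}
	return false
}

// evaluate returns the three expressions in the order the apply output lists them.
func evaluate(v vault) []expressionResult {
	createModeValue := v.CreateMode
	if createModeValue == "" {
		createModeValue = "--" // assumption: absent field is rendered as "--"
	}
	allRulesIn := true // assumption: [*] condition holds for every rule; vacuously true with none
	for _, r := range v.IPRules {
		if !cidrWithin(r, policyRanges) {
			allRulesIn = false
			break
		}
	}
	return []expressionResult{
		{"type Equals Microsoft.KeyVault/vaults", v.Type, v.Type == "Microsoft.KeyVault/vaults"},
		{"properties.createMode NotEquals recover", createModeValue, v.CreateMode != "recover"},
		{"networkAcls.ipRules[*].value In <policyRanges>", fmt.Sprint(v.IPRules), allRulesIn},
	}
}

func main() {
	// Constructed sample: a vault created by Terraform, no createMode, no IP rules.
	v := vault{Type: "Microsoft.KeyVault/vaults"}
	for _, e := range evaluate(v) {
		fmt.Printf("%-48s value=%-6s result=%v\n", e.Expression, e.Value, e.Result)
	}
}
```

Running the sample prints all three expressions as True with `createMode` shown as "--", which is the state the apply output captured; setting `CreateMode` to "recover" flips the second expression, and adding a rule such as `203.0.113.0/24` (outside every listed range) flips the third.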


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 20, 2024