hashicorp/vault-guides

azure-keyvault-unseal appears to be broken?

onpaws opened this issue · 5 comments

I'm trying to stand up my first Vault instance on Azure.

I see there's a Vault Azure autounseal guide using Terraform; seems like a good way to go. (Cool! 🎉)

So I've tried to carefully follow the directions but am experiencing an error.

Expected:
When correct values are pasted into terraform.tfvars, terraform plan should succeed
Actual:
terraform plan has an error

Repro steps:

  1. Run az login and log on to Azure.
  2. Now run az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/MY_SUBSCRIPTION_ID".
     Got a bunch of values back.
  3. Copy your ssh pubkey, and from the console output the tenant id, client ('app') id, client secret ('password'), and subscription id, and paste them into a file named terraform.tfvars, copied from terraform.tfvars.example per the instructions.
  4. Run terraform init; for me it said
* provider.azurerm: version = "~> 1.30"
* provider.random: version = "~> 2.1"
* provider.template: version = "~> 2.1"
  5. Run terraform plan; for me it fails.
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.azurerm_client_config.current: Refreshing state...

------------------------------------------------------------------------

Error: "access_policy.0.object_id" is an invalid UUUID: uuid: UUID string too short: 

  on main.tf line 20, in resource "azurerm_key_vault" "vault":
  20: resource "azurerm_key_vault" "vault" {

The corresponding line looks like this:
object_id = data.azurerm_client_config.current.service_principal_object_id
What's a UUUID? (with 3 'U's. Only seen the kind with 2 'U's before)

Not sure what to do next, any hints appreciated!

macOS 10.14.5
$ terraform -v
Terraform v0.12.2

  • provider.azurerm v1.30.1
  • provider.random v2.1.2
  • provider.template v2.1.2

Hi Pat (@onpaws),

When I wrote this, it was before Terraform v0.12, so these Terraform files were written for 0.11.x.

Please try the 0.12upgrade command and then try again.

$ terraform  0.12upgrade
...
Would you like to upgrade the module in the current directory?
  Only 'yes' will be accepted to confirm.

  Enter a value: yes

$ terraform plan

I was still running Terraform v0.11.14, and just upgraded to v0.12.2 which you have. The terraform plan threw a bunch of errors, but after running the 0.12upgrade command, everything successfully executed.

Just updated the Terraform files for v0.12 and above --> #153

No need to run the terraform 0.12upgrade command. I'm closing this, but re-open this if the problem persists.

Thanks Yoko! Nice to have this up-to-date, I'm sure future users will appreciate it.

In the end, what worked for me was to manually export environment variables with the tenant id, client id, client secret, and subscription id.
Curiously I could see the values in terraform.tfvars were being read, b/c the SSH public key saved there was consumed (I know b/c I can SSH into the server successfully).

But for whatever reason I had to also set the Azure vars using shell env vars. Without doing this the script would complain about the UUID.

All good now, thanks again Yoko :)

Thanks for the update, Pat! I'll add the info as a troubleshooting tip in the guide just in case someone else runs into a similar situation.
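A preflight check for the workaround Pat describes above, added here as an example and not code from the thread or from the vault-guides repository. It assumes the credentials are exported in the azurerm provider's ARM_TENANT_ID, ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables, and verifies that each ID is a well-formed UUID before terraform plan runs, so a missing or empty value is reported by name instead of surfacing as the "UUID string too short" error on access_policy.0.object_id.

```shell
#!/bin/sh
# Constructed preflight check (not part of vault-guides): validate the Azure
# service-principal credentials Terraform will read from the environment.
# Export them first, using the values az ad sp create-for-rbac printed:
#   export ARM_TENANT_ID=<tenant id>   ARM_CLIENT_ID=<app id> \
#          ARM_CLIENT_SECRET=<password> ARM_SUBSCRIPTION_ID=<subscription id>

# is_uuid STRING: succeed only if STRING is 8-4-4-4-12 hex digits.
is_uuid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_arm_env: succeed when the three IDs are UUIDs and the secret is
# non-empty; print one diagnostic per problem to stderr and fail otherwise.
check_arm_env() {
  _rc=0
  for _name in ARM_TENANT_ID ARM_SUBSCRIPTION_ID ARM_CLIENT_ID; do
    eval "_val=\${$_name:-}"          # indirect lookup, empty if unset
    if ! is_uuid "$_val"; then
      printf '%s: missing or not a UUID (got "%s")\n' "$_name" "$_val" >&2
      _rc=1
    fi
  done
  if [ -z "${ARM_CLIENT_SECRET:-}" ]; then
    echo 'ARM_CLIENT_SECRET: missing' >&2
    _rc=1
  fi
  return $_rc
}

# Run before terraform plan: fail fast if the credential set is incomplete.
if check_arm_env; then
  echo 'ARM_* credentials look complete; proceed with: terraform plan'
fi
```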