Error: expected "vault_key_reference" to have a host, got data.azurerm_key_vault_secret.github_private_key_key_vault_id.value
Closed this issue · 17 comments
I am getting the below error when I try to deploy the code. I have created the required secrets in Key Vault and referenced them using a data source to be able to access the secrets when azurerm_app_configuration_key is created. Please help.
```
terraform plan
╷
│ Error: expected "vault_key_reference" to have a host, got data.azurerm_key_vault_secret.github_client_secret_key_vault_id.value
│
│ with module.azure-github-runner.module.app_config.azurerm_app_configuration_key.config_secrets["github-client-secret"],
│ on .terraform/modules/azure-github-runner/modules/app-config/main.tf line 81, in resource "azurerm_app_configuration_key" "config_secrets":
│ 81: vault_key_reference = each.value
│
╵
╷
│ Error: expected "vault_key_reference" to have a host, got data.azurerm_key_vault_secret.azure_runner_default_password_key_vault_id.value
│
│ with module.azure-github-runner.module.app_config.azurerm_app_configuration_key.config_secrets["azure-runner-default-password"],
│ on .terraform/modules/azure-github-runner/modules/app-config/main.tf line 81, in resource "azurerm_app_configuration_key" "config_secrets":
│ 81: vault_key_reference = each.value
│
╵
╷
│ Error: expected "vault_key_reference" to have a host, got data.azurerm_key_vault_secret.github_webhook_secret_key_vault_id.value
│
│ with module.azure-github-runner.module.app_config.azurerm_app_configuration_key.config_secrets["github-webhook-secret"],
│ on .terraform/modules/azure-github-runner/modules/app-config/main.tf line 81, in resource "azurerm_app_configuration_key" "config_secrets":
│ 81: vault_key_reference = each.value
│
╵
╷
│ Error: expected "vault_key_reference" to have a host, got data.azurerm_key_vault_secret.github_private_key_key_vault_id.value
│
│ with module.azure-github-runner.module.app_config.azurerm_app_configuration_key.config_secrets["github-private-key"],
│ on .terraform/modules/azure-github-runner/modules/app-config/main.tf line 81, in resource "azurerm_app_configuration_key" "config_secrets":
│ 81: vault_key_reference = each.value
```
Hi @harsha-chamarthi, do you have a repo where you're attempting to implement this? This appears to be an issue with the data source being referenced that holds those values.
Any code snippets you can share would be helpful in helping you get unblocked.
Is it possible for you to provide like an example of the deployment config? That would be useful for reference.
Below is the Terraform deployment config I am using:
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.34.0"
    }
  }
}

provider "azurerm" {
  features {
    app_configuration {
      recover_soft_deleted = false
    }
  }
}

resource "azurerm_app_configuration" "default" {
  name                     = ****
  location                 = ****
  resource_group_name      = ****
  sku                      = "standard"
  purge_protection_enabled = false
}

module "azure-github-runner" {
  source                                     = "github.com/liatrio/terraform-azure-github-runner//?ref=0.1.0"
  azure_tenant_id                            = ****
  azure_subscription_id                      = ****
  azure_resource_group_name                  = ****
  azure_subnet_id                            = ****
  name_suffix                                = ****
  github_organization                        = ****
  github_app_id                              = ****
  github_client_id                           = ****
  github_installation_id                     = ****
  azure_gallery_image_id                     = "/communityGalleries/liatrio-4e8ffc8d-5950-4137-b02c-df028384cdcd/images/ubuntu_gh_runner/versions/latest"
  azure_secrets_key_vault_resource_id        = ****
  azure_runner_default_password_key_vault_id = data.azurerm_key_vault_secret.azure_runner_default_password_key_vault_id.value
  github_client_secret_key_vault_id          = data.azurerm_key_vault_secret.github_client_secret_key_vault_id.value
  github_webhook_secret_key_vault_id         = data.azurerm_key_vault_secret.github_webhook_secret_key_vault_id.value
  github_private_key_key_vault_id            = data.azurerm_key_vault_secret.github_private_key_key_vault_id.value
}

data "azurerm_key_vault_secret" "azure_runner_default_password_key_vault_id" {
  name         = "azure-runner-default-password"
  key_vault_id = ****
}

data "azurerm_key_vault_secret" "github_client_secret_key_vault_id" {
  name         = "github-client-secret"
  key_vault_id = ****
}

data "azurerm_key_vault_secret" "github_webhook_secret_key_vault_id" {
  name         = "github-webhook-secret"
  key_vault_id = ****
}

data "azurerm_key_vault_secret" "github_private_key_key_vault_id" {
  name         = "github-private-key"
  key_vault_id = ****
}
```
(Note: Removed the actual resource values for security)
The issue you are having is related to what you are referencing from the data source. In the docs for `azurerm_app_configuration_key`, which is the part of the code that is failing, it is looking for the `versionless_id` of a Key Vault secret, although I believe `id` works as well. Either way, what you are passing into the module from your data source is the `value` of your Key Vault secret, which is causing your plan to fail.
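The change described in the reply above, as an added example that is not part of the original thread or the module's own code: the reference handed to `vault_key_reference` is the secret's URI (`versionless_id`, or `id` to pin a version), not its `value`. The `key_vault_id` placeholder, the `local` name, the stand-alone `azurerm_app_configuration_key` resource and the precondition (Terraform 1.2 or later) are illustrative assumptions.

```hcl
# Added example. Placeholder values are marked; substitute your own.
data "azurerm_key_vault_secret" "github_client_secret_key_vault_id" {
  name         = "github-client-secret"
  key_vault_id = "<key-vault-resource-id>" # placeholder
}

locals {
  # Before (fails validation): .value is the secret material itself, not a URI.
  #   data.azurerm_key_vault_secret.github_client_secret_key_vault_id.value
  #
  # After: the secret's URI. versionless_id always resolves to the current
  # version; id pins the version that existed when the data source was read.
  github_client_secret_ref = data.azurerm_key_vault_secret.github_client_secret_key_vault_id.versionless_id
}

# Sketch of a vault-type App Configuration key that consumes the reference.
# App Configuration stores only the URI; the consumer resolves it against
# Key Vault with its own identity.
resource "azurerm_app_configuration_key" "example" {
  configuration_store_id = azurerm_app_configuration.default.id
  key                    = "github-client-secret"
  type                   = "vault"
  vault_key_reference    = local.github_client_secret_ref

  lifecycle {
    # Rejects anything that is not shaped like a Key Vault secret URI, with a
    # message that does not repeat the offending input.
    precondition {
      condition     = can(regex("^https://[^/]+/secrets/[^/]+", local.github_client_secret_ref))
      error_message = "vault_key_reference must be a Key Vault secret URI, not the secret's value."
    }
  }
}

# Note: reading a secret through this data source also records its value in
# Terraform state, so the state backend needs the same protection as the vault.
```

The same substitution applies to the other three module inputs in the posted config (`azure_runner_default_password_key_vault_id`, `github_webhook_secret_key_vault_id`, `github_private_key_key_vault_id`).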
@rhoofard Thanks for the quick turnaround. It works now after I add the `id`. Now when I do a terraform apply, it ends with the below error:
```
module.azure-github-runner.module.github_webhook_event_handler_function_app.data.azurerm_function_app_host_keys.default: Still reading... [20m0s elapsed]
╷
│ Error: making Read request on Function App: (Site Name "func-github-webhook-event-handler-ghr*******" / Resource Group "service-*****"): web.AppsClient#ListHostKeys: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
│
│ with module.azure-github-runner.module.github_webhook_event_handler_function_app.data.azurerm_function_app_host_keys.default,
│ on .terraform/modules/azure-github-runner/modules/function-app/main.tf line 65, in data "azurerm_function_app_host_keys" "default":
│ 65: data "azurerm_function_app_host_keys" "default" {
```
Could it be because of the azurerm provider version?
@harsha-chamarthi It seems that it may have just been a timeout while waiting for the function key to be created. Have you tried to execute more than once?
I tried to destroy and recreate, it fails at the same step again. Will increasing the timeout help or is there any workaround?
Is that error the only error you got after the timeout?
I did a terraform apply with refresh=false so that it does not refresh the state again and am getting the below error:
```
terraform apply -refresh=false
╷
│ Error: making Read request on Function App: (Site Name "func-github-webhook-event-handler-****" / Resource Group "****"): web.AppsClient#ListHostKeys: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Encountered an error (ServiceUnavailable) from host runtime." Details=[{"Message":"Encountered an error (ServiceUnavailable) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","Message":"Encountered an error (ServiceUnavailable) from host runtime."}}]
│
│ with module.azure-github-runner.module.github_webhook_event_handler_function_app.data.azurerm_function_app_host_keys.default,
│ on .terraform/modules/azure-github-runner/modules/function-app/main.tf line 65, in data "azurerm_function_app_host_keys" "default":
│ 65: data "azurerm_function_app_host_keys" "default" {
```
@rhoofard On further troubleshooting today, found out that Host Keys in the function app have not been created and the data source is trying to read this information, which does not exist. Do I need to add something to the config to be able to create these host keys? Or am I missing something? Please help.
Hey @harsha-chamarthi, we've spent some time trying to troubleshoot the issue with the host key. This appears to be an issue with the time needed to generate the host key before timeout so we're looking into a way to skip this on the initial apply. Have you been able to find any workaround in the meantime?
No @mitchell-liatrio. To check if I can create the host key manually, I tried to create the host key manually in the function app from the Azure portal and it fails too with the error `Failed to create XXX: Encountered an error (InternalServerError) from host runtime`. Found a few articles online, which say the error could be because of a missing folder `AzureWebJobsStorage` in the storage bucket linked to the function app. But I still keep getting the same `Failed to create XXX: Encountered an error (InternalServerError) from host runtime` error when I try to recreate the host key after creating the folder `AzureWebJobsStorage` manually. Not sure what is causing this issue or if I am missing anything.
@harsha-chamarthi this may be a networking restriction on your side. @rhoofard is out on PTO but I'll sync up with him once he's back. This seems to be more related to your Azure configuration based on what I'm reading online and since we can deploy it in a greenfield environment without errors.
Thanks for your help. `Image pull failed since Inspect image returned null: ghcr.io/liatrio/github-webhook-event-handler:latest` and `Managed Identity timed out while starting. Elapsed time = 60.9654307 sec`, found these two errors in the container logs of the function app. Not sure if any additional permissions are required to access the acr image.
You may have to manually create a managed identity to be used for these runners. That may be something we're missing from our docs. I don't have time to look into this this week but maybe next
@mitchell-liatrio any update?
@harsha-chamarthi we recreated the latest issue today and found that it was an issue with the 4-node-18-slim image hosted by Microsoft. This ultimately caused this issue and downgrading the node version resolved it. You should be able to restart the event-handler and this issue should be resolved now 🎉
If this particular issue still persists, please reopen this issue and we can continue troubleshooting.
If there are new issues, please open a new issue with specific details on it so we can tackle it quickly. This one triaged into several issues.