F5Networks / f5-azure-arm-templates-v2

Azure Resource Manager Templates for quickly deploying BIG-IP services in Azure


key vault parent resource not found - failover template

JeffGiroux opened this issue · comments

Describe the bug

During deployment of the failover template, the access template fails at creation of the keyvault/add policy.

error...

    {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"ParentResourceNotFound","message":"Can not perform requested operation on nested resource. Parent resource 'giroux-kv3' not found."}]}

Expected behavior

The access template should find the key vault based on the supplied secretID (the global URL of the key vault). However, it seems it is now scoped to the resource group instead of the subscription scope.

Current behavior

Deployment fails because the Azure key vault cannot be found.

    "properties": {
        "statusCode": "NotFound",
        "statusMessage": "{\"error\":{\"code\":\"ParentResourceNotFound\",\"message\":\"Can not perform requested operation on nested resource. Parent resource 'giroux-kv3' not found.\"}}",
        "eventCategory": "Administrative",
        "entity": "/subscriptions/xxxx/resourcegroups/girouxha5/providers/Microsoft.KeyVault/vaults/giroux-kv3/accessPolicies/add",
        "message": "Microsoft.KeyVault/vaults/accessPolicies/write",
        "hierarchy": "e569f29e-b098-4cea-b6f0-48fa8532d64a/xxxx"
    },

Notice resourcegroup = girouxha5, but that is my BIG-IP RG...not the key vault RG based on the URL I supplied for secretID.

Upon further digging into the Azure logs, it appears that the keyvault/add is trying to occur in the BIG-IP resource group as opposed to the source resource group of the key vault. More investigation leads to needing a subscription scope deployment, but then that messes up the child templates, as they all require a 'location' parameter which is dynamically retrieved from resourceGroup...but only if a resource group scope deployment is done.

Possible solution

An Azure support ticket is probably needed for a better solution. Also maybe investigate a subscription scope deployment, but that will require changes to all child templates to add location as a parameter.

Steps to reproduce

  1. Deploy failover
  2. Key vault will fail to be found

Screenshots

n/a

Context

n/a

Your Environment

n/a

workaround

You must have the key vault in the same resource group as the deployment for now, until the template is fixed.

  1. Create resource group
    # $resourceGroupName and $region must already be set in your shell
    az group create -n $resourceGroupName -l $region

  2. Create key vault in same RG (the vault is named after the resource group here)
    az keyvault create --name $resourceGroupName --resource-group $resourceGroupName --location $region
    az keyvault secret set --vault-name $resourceGroupName --name my-bigip-password --value "Password123"

Once I did this, the access child template completed.
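The failure above comes from the access child template resolving the key vault by name inside the deployment's resource group, even though the secretID URL itself carries no resource group at all. The following pre-flight script is an added example written for this page; it is not part of the f5-azure-arm-templates-v2 project. It extracts the vault name from a secretID URL, asks the Azure CLI which resource group that vault actually lives in (by parsing the vault's resource ID, so it works regardless of output field names), and refuses to proceed when that differs from the BIG-IP deployment resource group. It assumes `az` is installed and logged in to the right subscription; the URL, vault name (`giroux-kv3`) and resource group (`girouxha5`) used in the usage comment are the sample values from this issue.

```shell
#!/usr/bin/env bash
# Added example (not project code): verify, before deploying the failover
# template, that the Key Vault named in the secretID URL is in the same
# resource group as the deployment. Otherwise the access child template fails
# with ParentResourceNotFound, as described in this issue.
set -eu

# Extract the vault name from a Key Vault secret URL, e.g.
#   https://giroux-kv3.vault.azure.net/secrets/my-bigip-password -> giroux-kv3
# Returns 1 (and prints nothing) for anything that is not a vault secret URL.
vault_name_from_secret_id() {
    url="$1"
    case "$url" in
        https://*.vault.azure.net/secrets/*) ;;
        *) return 1 ;;
    esac
    host="${url#https://}"        # giroux-kv3.vault.azure.net/secrets/...
    host="${host%%/*}"            # giroux-kv3.vault.azure.net
    printf '%s\n' "${host%%.*}"   # giroux-kv3
}

# Pull the resource group out of an ARM resource ID such as
#   /subscriptions/xxxx/resourcegroups/girouxha5/providers/Microsoft.KeyVault/vaults/giroux-kv3
# The segment name is matched case-insensitively because Azure emits both
# "resourceGroups" and "resourcegroups"; the group name itself keeps its case.
rg_from_resource_id() {
    printf '%s\n' "$1" | awk -F/ '{
        for (i = 1; i < NF; i++)
            if (tolower($i) == "resourcegroups") { print $(i+1); exit }
    }'
}

# Compare the vault's real resource group with the deployment resource group.
# Exit status: 0 = same RG, 1 = bad URL or vault not visible, 2 = different RG.
# This is the only function that talks to Azure (requires an active az login).
check_vault_in_deployment_rg() {
    secret_id="$1"
    deploy_rg="$2"
    vault="$(vault_name_from_secret_id "$secret_id")" || {
        echo "not a Key Vault secret URL: $secret_id" >&2
        return 1
    }
    vault_id="$(az keyvault show --name "$vault" --query id -o tsv 2>/dev/null)" || {
        echo "vault '$vault' not found in the current subscription" >&2
        return 1
    }
    vault_rg="$(rg_from_resource_id "$vault_id")"
    if [ "$vault_rg" != "$deploy_rg" ]; then
        echo "vault '$vault' is in RG '$vault_rg' but the deployment targets RG '$deploy_rg';" \
             "the access child template would fail with ParentResourceNotFound" >&2
        return 2
    fi
    echo "ok: vault '$vault' is in deployment RG '$deploy_rg'"
}

# Usage (runs only when two arguments are given):
#   ./preflight.sh https://giroux-kv3.vault.azure.net/secrets/my-bigip-password girouxha5
if [ "$#" -eq 2 ]; then
    check_vault_in_deployment_rg "$1" "$2"
fi
```

Run it with the same secretID URL and resource group name you are about to pass to the failover template; a non-zero exit is the signal to either move the vault (the workaround above) or change the deployment resource group, rather than discovering the mismatch halfway through the deployment.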

Created issue ESECLDTPLT-3135 for this.

Closing.

This issue was resolved with Release 2.4.0.0.