key vault parent resource not found - failover template
JeffGiroux opened this issue
Describe the bug
During deployment of the failover template, the access template fails when creating the keyvault/add policy.
Error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"ParentResourceNotFound","message":"Can not perform requested operation on nested resource. Parent resource 'giroux-kv3' not found."}]}
Expected behavior
The access template should find the key vault based on the supplied secretID global URL of the key vault. However, it now seems to be scoped to the resource group instead of the subscription scope.
Current behavior
Deployment fails because the Azure key vault cannot be found:
"properties": {
"statusCode": "NotFound",
"statusMessage": "{\"error\":{\"code\":\"ParentResourceNotFound\",\"message\":\"Can not perform requested operation on nested resource. Parent resource 'giroux-kv3' not found.\"}}",
"eventCategory": "Administrative",
"entity": "/subscriptions/xxxx/resourcegroups/girouxha5/providers/Microsoft.KeyVault/vaults/giroux-kv3/accessPolicies/add",
"message": "Microsoft.KeyVault/vaults/accessPolicies/write",
"hierarchy": "e569f29e-b098-4cea-b6f0-48fa8532d64a/xxxx"
},
Notice resourcegroup = girouxha5, but that is my BIG-IP RG, not the key vault RG based on the URL I supplied for secretID.
Upon further digging into the Azure logs, it appears that the keyvault/add is trying to occur in the BIG-IP resource group as opposed to the source resource group of the key vault. More investigation leads to needing a subscription scope deployment, but then that messes up the child templates, as they all require a 'location' parameter which is dynamically retrieved from resourceGroup... but only if a resourceGroup scope deployment is done.
Possible solution
An Azure support ticket is probably needed for a better solution. Also maybe investigate a subscription scope deployment, but that will require changes to all child templates to add location as a parameter.
Steps to reproduce
- deploy failover
- keyvault will fail to be found
Screenshots
n/a
Context
n/a
Your Environment
n/a
Workaround
You must have the key vault in the same resource group as the deployment for now, until the template is fixed.
- Create resource group:
  az group create -n $resourceGroupName -l $region
- Create key vault in the same RG:
  az keyvault create --name $resourceGroupName --resource-group $resourceGroupName --location $region
  az keyvault secret set --vault-name $resourceGroupName --name my-bigip-password --value "Password123"
Once I did this, the access child template completed.
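A pre-flight check for the mismatch described in this thread, added here as an example and not part of the BIG-IP templates: it parses the vault name out of the secretID URL and asks `az keyvault show` (which resolves a vault by name across the subscription, no resource group needed) which resource group the vault lives in, so a ParentResourceNotFound failure is caught before the deployment is submitted. It assumes the standard https://<vault>.vault.azure.net/secrets/<name>[/<version>] URL form and the `resourceGroup` field of `az keyvault show`; the sample values are constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the templates in this issue). Checks that the key
# vault named in a secretID URL sits in the resource group the failover
# template will be deployed into, which is what the workaround above requires.

# Print the vault name from a Key Vault secret ID URL.
# Returns 1 (prints nothing) if the URL is not a vault.azure.net secret URL.
vault_name_from_secret_id() {
  _url=$1
  case "$_url" in
    https://*.vault.azure.net/secrets/*) ;;
    *) return 1 ;;
  esac
  _host=${_url#https://}          # strip scheme
  _host=${_host%%/*}              # keep only the host part
  printf '%s\n' "${_host%.vault.azure.net}"
}

# Resolve the vault's resource group at subscription scope and compare it with
# the deployment resource group (Azure RG names are case-insensitive).
# Returns 0 on match, 2 on mismatch (deployment would hit
# ParentResourceNotFound), 1 on a malformed secret ID or az failure.
check_vault_in_deployment_rg() {
  _secret_id=$1
  _deploy_rg=$2
  _vault=$(vault_name_from_secret_id "$_secret_id") || {
    echo "not a Key Vault secret ID: $_secret_id" >&2
    return 1
  }
  _vault_rg=$(az keyvault show --name "$_vault" --query resourceGroup -o tsv) || return 1
  _a=$(printf '%s' "$_vault_rg" | tr 'A-Z' 'a-z')
  _b=$(printf '%s' "$_deploy_rg" | tr 'A-Z' 'a-z')
  if [ "$_a" != "$_b" ]; then
    echo "vault '$_vault' is in RG '$_vault_rg' but deployment targets '$_deploy_rg'" >&2
    return 2
  fi
}

# Usage with constructed values (requires a logged-in az CLI):
# check_vault_in_deployment_rg \
#   "https://giroux-kv3.vault.azure.net/secrets/my-bigip-password/0123abcd" girouxha5
```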
Created issue ESECLDTPLT-3135 for this.
Closing.
This issue was resolved with Release 2.4.0.0.