
Provider can only lookup 25 key vault items when adding variables to a linked variable group #388

Closed
booyaa opened this issue May 19, 2021 · 12 comments
@booyaa

booyaa commented May 19, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform v0.15.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.58.0
+ provider registry.terraform.io/microsoft/azuredevops v0.1.4

Affected Resource(s)

  • azuredevops_variable_group

Terraform Configuration Files

# assumes you have an existing service connection to azure in devops
variable "azuredevops_serviceendpoint_azurerm_endpointazure_id" {
  type    = string
  default = "__CHANGE_ME__"
}

data "azuredevops_project" "project" {
  name = "__CHANGE_ME__"
}

# assumes you have a key vault setup with appropriate permissions, but no secrets set
data "azurerm_key_vault" "tester" {
  name = "__CHANGE_ME__"
  resource_group_name = "__CHANGE_ME__"
}

locals {
  # loop variable is lowercase i; a capital I is an undefined reference in HCL
  list_of_secrets = [ for i in range(30) : format("var%02d", i) ]
  
  # change test case range to 25 to demonstrate it working
  test_case = [ for i in range(26): local.list_of_secrets[i] ]
}

# creates 30 secrets
resource "azurerm_key_vault_secret" "multipass" {
  count = length(local.list_of_secrets)
  name         = local.list_of_secrets[count.index]
  value        = count.index
  key_vault_id = data.azurerm_key_vault.tester.id
}

resource "azuredevops_variable_group" "environment" {
  project_id   = data.azuredevops_project.project.id
  name         = "devops-bug"
  description  = "This variable group is maintained via Terraform and Key Vault"
  allow_access = true

  key_vault {
    name                = data.azurerm_key_vault.tester.name
    service_endpoint_id = var.azuredevops_serviceendpoint_azurerm_endpointazure_id
  }

  # creates a subset of variables from key vault
  dynamic "variable" {
    for_each = local.test_case
    iterator = item
    content {
      name = item.value
    }
  }
}

Debug Output

https://gist.github.com/booyaa/9ea7705f43a76e759a0436925145973a

Panic Output

n/a

Expected Behavior

Should create variables in the variable group that correspond to the key vault secrets: var00 .. var25

Actual Behavior

To perform exactly these actions, run the following command to apply:
    terraform apply "tf.plan"
azuredevops_variable_group.environment: Modifying... [id=41]
╷
│ Error: Expanding variable group resource data: Invalid Key Vault variables: ( var25 ) , can not find in Azure Key Vault: ( kv-sw-tester ) 
│ 
│   with azuredevops_variable_group.environment,
│   on main.tf line 55, in resource "azuredevops_variable_group" "environment":
│   55: resource "azuredevops_variable_group" "environment" {
│ 
╵

secrets do exist...

az keyvault secret list --vault-name REDACTED --output table 
ContentType    Name
-------------  ------
               var00
               var01
               var02
               var03
               var04
               var05
               var06
               var07
               var08
               var09
               var10
               var11
               var12
               var13
               var14
               var15
               var16
               var17
               var18
               var19
               var20
               var21
               var22
               var23
               var24
               var25
               var26
               var27
               var28
               var29

Steps to Reproduce

  1. terraform plan && terraform apply

Important Factoids

  • using azure cli authorisation
  • I've got owner access to the azure subscription and I'm full admin in DevOps.
  • I'm listed in the key vault access policy with full access to key vault secrets (including purge)

References

  • #0000
@xuzhang3 xuzhang3 added the bug label May 20, 2021
@xuzhang3
Collaborator

Hi @booyaa, thanks for your feedback, this is a bug. The default secrets response page size is 25 and the ADO provider only gets the first page.

@jonathansp

@xuzhang3 ideally it should paginate, but if we can have a small workaround for now, like increasing the pageSize to 100 on the API call, that would be good.

@liamrob

liamrob commented Jul 28, 2021

ADO doesn't look like it exposes an option to map to the maxresults query param in the AzureRM APIs, based on the AzureKeyVaultSecrets datasource.

The Azure API returns a nextLink prop containing a $skiptoken value; this gets passed back from ADO too, so it looks like this needs to be used in the provider to build up the list of secrets, using the AzureKeyVaultSecretsWithSkipToken datasource instead of AzureKeyVaultSecrets.
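Added example (not the provider's code) of the paging described in this thread: a constructed Key Vault listing that returns 25 names per page plus a nextLink carrying $skiptoken, the nextLink-following loop the provider was missing, and the name lookup behind the "Invalid Key Vault variables: ( var25 )" error. The vault contents, the URL and the offset-style token are constructed assumptions, not the real service's format.

```go
package main

import (
	"fmt"
	"net/url"
)

const totalSecrets, pageSize = 30, 25 // constructed vault size; KV default page size from the thread

// listSecretsPage mimics one list-secrets call: up to pageSize names plus a nextLink
// carrying $skiptoken, or "" on the last page (token = plain offset, constructed).
func listSecretsPage(skipToken string) (names []string, nextLink string) {
	start := 0
	fmt.Sscan(skipToken, &start) // "" leaves start at 0, i.e. the first page
	for i := start; i < start+pageSize && i < totalSecrets; i++ {
		names = append(names, fmt.Sprintf("var%02d", i))
	}
	if start+pageSize >= totalSecrets {
		return names, ""
	}
	q := url.Values{"$skiptoken": {fmt.Sprint(start + pageSize)}}
	return names, "https://example.vault.azure.net/secrets?" + q.Encode()
}

// listAllSecrets follows nextLink until the service stops returning one,
// which is the step the provider skipped when it read only page one.
func listAllSecrets() []string {
	var all []string
	for token := ""; ; {
		page, next := listSecretsPage(token)
		all = append(all, page...)
		if next == "" {
			return all
		}
		u, _ := url.Parse(next)
		token = u.Query().Get("$skiptoken")
	}
}

// hasSecret is the lookup behind "Invalid Key Vault variables: ( var25 )":
// a requested variable must appear in the listing the provider fetched.
func hasSecret(listing []string, name string) bool {
	for _, n := range listing {
		if n == name {
			return true
		}
	}
	return false
}
```

With only the first page, var25 is reported missing even though the vault holds it; following nextLink yields all 30 names.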

@lisaplapla

Any news/ETA on this issue? Until it's fixed is there any way to work around it (beside having var group with less than 25 vars)?

@xuzhang3
Collaborator

@lisaplapla Currently, the only workaround is having a var group with fewer than 25. This task has been added to our backlog.

@lisaplapla

Hello @xuzhang3 ,
We cannot really split our vargroups and they contain way more than 25 variables. But by using a version prior to 0.1.2 of the provider (which introduces checks against the kv) I got it to work. Not ideal though as it's an old version.

@federicomanco

I am also experiencing this issue, following this and would appreciate knowing about a resolution.

@DuncanvR

I'd like to clarify that the workaround is not so much limiting the size of variable groups to 25, but the number of secrets in the linked Key Vault. If you have a single Key Vault with 100 secrets, creating 4 different variable groups will still only allow you to access the first 25 secrets. Instead, you'd have to set up 4 different Key Vaults, each with max 25 secrets. Then you can link variable groups to each of the Key Vaults and access all the secrets.

@xuzhang3
Collaborator

I submitted PR #522 to fix this bug. Since the KV API does not support filtering secrets by name and the pagination size is fixed to 25, the current fix will read the top 500 secrets from the KV.

@xuzhang3
Collaborator

Released in v0.2.0

@macpak

macpak commented Mar 22, 2022

Hi,

Today I've faced the same issue.
In my case, the KV has ~1k secrets and the fix provided doesn't work.
Can we re-open the bug or should I create a new one?

@xuzhang3
Collaborator

@macpak I have opened a new issue, #567.
