# azure
s
Hi all! I am trying to upgrade to keyvault `v3` (from `v2.9`), but I get caught by a snag on the `keys`. There is a constant value `keyvault.KeyRotationPolicyActionTypeRotate` that has changed in `v3`. Previously it was defined as `Rotate`, but in `v3` it has now become `rotate`. In Azure, the lifetimeActions part looks like this:
```json
....
"lifetimeActions": [
    {
      "action": "Rotate",
      "timeAfterCreate": null,
      "timeBeforeExpiry": "P30D"
    },
    {
      "action": "Notify",
      "timeAfterCreate": null,
      "timeBeforeExpiry": "P30D"
    }
  ],
...
```
Since the constant value changes, it tries to replace the `keys` - but a rotating key cannot be replaced. It must be deleted and recreated. How come this change was made, when the Azure value of it has not? I can solve it by setting the type to `keyvault.KeyRotationPolicyType("Rotate")`, but it is annoying that this happens. Annoyingly enough, this does not seem to have any impact. The keys cannot be updated, and have to be deleted and recreated - it seems. .... This API can only be used for creating the first version of a new key (no subsequent versions can be created, and existing keys cannot be updated)
h
This is most likely a side effect of v3 using Azure REST API version 2024-11-01. In version 2.x of the Azure Native provider, it used API version 2023-02-01. Azure probably changed the casing on the property between the versions.
Here's the old spec: https://github.com/Azure/azure-rest-api-specs/blob/45924e49834c4e01c0713e6b7ca21f9[…]resource-manager/Microsoft.KeyVault/stable/2023-02-01/keys.json
```json
"x-ms-enum": {
  "name": "KeyRotationPolicyActionType",
  "modelAsString": false,
  "values": [
    {
      "value": "Rotate",
      "description": "Rotate the key based on the key policy."
    },
    {
      "value": "Notify",
      "description": "Trigger Event Grid events. Defaults to 30 days before expiry. Key Vault only."
    }
  ]
}
```
Here's the new spec: https://github.com/Azure/azure-rest-api-specs/blob/45924e49834c4e01c0713e6b7ca21f9[…]resource-manager/Microsoft.KeyVault/stable/2024-11-01/keys.json
```json
"properties": {
  "type": {
    "type": "string",
    "description": "The type of action.",
    "enum": [
      "rotate",
      "notify"
    ],
    "x-ms-enum": {
      "name": "KeyRotationPolicyActionType",
      "modelAsString": false
    }
  }
}
```
Your workaround looks fine for the transition. One option, once you've upgraded, is to perform a refresh, which should read the property as having the lower case version; then you can update your code to match.
In other instances of Azure changing the case of properties which cause replacements, there's a custom maintained migration for specific properties. You can open an issue if you think this would be needed and the team can take a look at adding this property migration in a future release.
s
Thank you for explaining! Sadly, it seems I cannot upgrade the keys in place anyways, since: ... This API can only be used for creating the first version of a new key (no subsequent versions can be created, and existing keys cannot be updated)
I am thinking of removing the keys from the state file(s) and leaving the existing ones be for now. Then create new ones with a "-v3" postfixed to the name, and finally let the developers change to the new keys whenever they have time.