Pulumi complains that keyvault name does not comply, while it is accepted just fine by Azure

[ilya-scale]

What happened?

I tried to create a key vault with this name:

kv-some-update-dev (same for kv-some-updatedev)

It failed

error: azure-native:keyvault:Vault resource 'kv-some-updatedev' has a problem: 'vaultName' does not match expression '^[a-zA-Z0-9-]{3,24}$'

Expected Behavior

It should work

Steps to reproduce

const vault = new keyvault.Vault("kv-some-update" + stack, {
    location: config.common.location,
    resourceGroupName: resourceGroup.name,
    properties: {
        tenantId: config.common.tenantId,
        sku: {
            family: keyvault.SkuFamily.A,
            name: keyvault.SkuName.Standard,
        },
        enableRbacAuthorization: true,
    }
});

Output of pulumi about

CLI
Version      3.72.2
Go Version   go1.20.5
Go Compiler  gc

Plugins
NAME          VERSION
azure-native  1.103.0
nodejs        unknown

Host
OS       darwin
Version  13.4
Arch     arm64

Dependencies:
NAME                  VERSION
@pulumi/azure-native  1.103.0
@pulumi/pulumi        3.72.2
@types/js-yaml        4.0.5
@types/node           10.17.60
js-yaml               4.1.0
ts-node               10.9.1

Additional context

There was a similar error before but it seems it was fixed only partially
#1646

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[mikhailshilkov]

Hi @ilya-scale Thank you for filing the issue and sorry for confusion.

What happens here is that Pulumi generates an auto-name by default by appending a random 8-character suffix to the name, e.g. it becomes something like kv-some-updatedev1463cd1f. This name then violates the regex (it's longer than 24 characters).

Two things you can do:

• Reduce the size of your resource name to 16 characters or less
• Set the vaultName explicitly to opt out of auto-naming

[ilya-scale]

Is this intended and a feature? It seems a bit counter-intuitive that this happens by default. At least it does not happen in terraform.

Or is the value that I have sent not connected to the real name of the resource, and corresponds to the id in the terraform that is used for state handling?

Maybe there is also some option to use the name from id by default? It seems that for the secret itself it works this way - I have not specified the name, but it was created correctly

P.S. It would probably be a good idea to include the name somewhere in the error response so that it will be obvious

[mikhailshilkov]

Yes, this is by design. Indeed, the name that you pass is a logical resource name in Pulumi, while the physical name is generated with a suffix by default, so that replacement operations could use create-before-delete semantics, for example. This is different from Terraform. Enhancements are tracked in pulumi/pulumi#1518

P.S. It would probably be a good idea to include the name somewhere in the error response so that it will be obvious

Definitely! Sounds like a great idea.

[ilya-scale]

Thanks a lot for clarification!