Import Azure-native.keyvault.AccessPolicy #3282

Open
welkin18fe opened this issue May 13, 2024 · 1 comment · May be fixed by #3295
Labels
impact/panic This bug represents a panic or unexpected crash kind/bug Some behavior is incorrect or out of spec p1 Bugs severe enough to be the next item assigned to an engineer

@welkin18fe
What happened?

Hello, I'm trying to import multiple access policies using the import command available for azure-native.keyvault.AccessPolicy, but it seems that something is missing. I tried with the object id, like the Azure provider, and with the principal name in case something is missing in the doc, but no luck.

Example

I removed the names and ids to simplify.

Using:

pulumi import azure-native:keyvault:AccessPolicy myresource1 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy

panic: interface conversion: interface {} is nil, not resource.PropertyMap
    goroutine 77 [running]:
    github.com/pulumi/pulumi/sdk/v3/go/common/resource.PropertyValue.ObjectValue(...)
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.107.0/go/common/resource/properties.go:451
    github.com/pulumi/pulumi-azure-native/v2/provider/pkg/resources/customresources.(*accessPolicyClient).read(0xc0006fe168, {0xb1e20e0, 0xc0006a7560}, {0xc0001641e0?, 0x0?}, 0xc0007caa90?)
        /home/runner/work/pulumi-azure-native/pulumi-azure-native/provider/pkg/resources/customresources/custom_keyvault_accesspolicy.go:100 +0x5fc
    github.com/pulumi/pulumi-azure-native/v2/provider/pkg/provider.(*azureNativeProvider).Read(0xc000961c00, {0xb1e20e0, 0xc0006a7560}, 0xc0002be480)
        /home/runner/work/pulumi-azure-native/pulumi-azure-native/provider/pkg/provider/provider.go:1068 +0x34a
    github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Read_Handler.func1({0xb1e20e0, 0xc0006a7560}, {0x1f85fc0?, 0xc0002be480})
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.107.0/proto/go/provider_grpc.pb.go:611 +0x75
    github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1({0xb1e20e0, 0xc0006a72c0}, {0x1f85fc0, 0xc0002be480}, 0xc000efe280, 0xc000ed4360)
        /home/runner/go/pkg/mod/github.com/grpc-ecosystem/grpc-opentracing@v0.0.0-20180507213350-8e809c8a8645/go/otgrpc/server.go:57 +0x3d0
    github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Read_Handler({0x208dd40?, 0xc000961c00}, {0xb1e20e0, 0xc0006a72c0}, 0xc000956200, 0xc000eff4c0)
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.107.0/proto/go/provider_grpc.pb.go:613 +0x135
    google.golang.org/grpc.(*Server).processUnaryRPC(0xc00079cd20, {0xb1e20e0, 0xc00095b230}, {0xb1f0340, 0xc000aa71e0}, 0xc00023b560, 0xc0009fc4b0, 0xc01d858, 0x0)
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343 +0xe03
    google.golang.org/grpc.(*Server).handleStream(0xc00079cd20, {0xb1f0340, 0xc000aa71e0}, 0xc00023b560)
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737 +0xc4c
    google.golang.org/grpc.(*Server).serveStreams.func1.1()
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:986 +0x86
    created by google.golang.org/grpc.(*Server).serveStreams.func1 in goroutine 74
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:997 +0x145

Using:

pulumi import azure-native:keyvault:AccessPolicy myresource1 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy/objectId/{objectId}

azure-native:keyvault:AccessPolicy (myresource1):
    error: Preview failed: unable to parse key vault access policy id in the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy/objectId/{objectId} 

Using:

pulumi import azure-native:keyvault:AccessPolicy myresource1 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy/{objectId}

azure-native:keyvault:AccessPolicy (myresource1):
    error: Preview failed: unable to parse key vault access policy id in the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy/{objectId}

Output of pulumi about

CLI
Version 3.115.2
Go Version go1.22.2
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 5.42.0
resource azure 5.43.0
resource azure-native 2.40.0
resource azuread 5.47.2
language dotnet unknown
resource mssql 0.0.8
resource random 4.13.2

Host
OS Microsoft Windows 11 Pro
Version 10.0.22631 Build 22631
Arch x86_64

This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='8.0.204'

Additional context

Is there any workaround available?

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@welkin18fe welkin18fe added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels May 13, 2024
@danielrbradley danielrbradley added p1 Bugs severe enough to be the next item assigned to an engineer impact/panic This bug represents a panic or unexpected crash and removed needs-triage Needs attention from the triage team labels May 15, 2024
@danielrbradley
Member

Thanks for reporting this @welkin18fe

It looks like the likely source of this is:

    // input from path
    parsedId, err := parseKeyVaultPathParams(id)
    if err != nil {
        return nil, false, err
    }
    // input from body
    policyObj := properties[policy].ObjectValue()
    objectId := policyObj["objectId"].StringValue()
    vaultResult, err := c.client.Get(ctx, parsedId.ResourceGroup, parsedId.VaultName, &armkeyvault.VaultsClientGetOptions{})
    if err != nil {
        var respErr *azcore.ResponseError
        if errors.As(err, &respErr) && respErr.StatusCode == 404 {
            return nil, false, nil
        }
        return nil, false, err
    }
    for _, ap := range vaultResult.Properties.AccessPolicies {
        if *ap.ObjectID == objectId {
            ape := map[string]interface{}{
                "tenantId":      ap.TenantID,
                "objectId":      ap.ObjectID,
                "applicationId": ap.ApplicationID,
                "permissions":   sdkPermissionsToMap(ap.Permissions),
            }
            return map[string]interface{}{
                resourceGroupName: parsedId.ResourceGroup,
                vaultName:         vaultResult.Name,
                policy:            ape,
            }, true, nil
        }
    }
    return properties.Mappable(), false, nil
}

I think what we'll need to do is to allow the object id to be included at the end of the id. We'll adapt the parsing of the id to be able to include the object id in the result, then fall back to getting the object Id from the property set if not.

@danielrbradley danielrbradley self-assigned this May 16, 2024
danielrbradley added a commit that referenced this issue May 17, 2024
Fixes #3282

For import to work, we need to be able to identify which access policy we're addressing and therefore need the object id to be part of the id.

This change makes the object id optional, and prefers to use the object id from the `id` if available, rather than parsing it from the properties.
@danielrbradley danielrbradley linked a pull request May 17, 2024 that will close this issue
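
The approach described in the comment and commit message above, sketched as an added example (not the project's code and not the change in the linked pull request): the id accepts an optional trailing object id, which is preferred over the property set, and a missing policy yields an error instead of a panic. The `/accessPolicy/{objectId}` suffix, the `policyID` type, both function names, the plain-map property set and the sample ids are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed id shape: the form from the error message plus an optional /{objectId}.
var policyIDPattern = regexp.MustCompile(`^/subscriptions/([^/]+)/resourceGroups/([^/]+)` +
	`/providers/Microsoft\.KeyVault/vaults/([^/]+)/accessPolicy(?:/([^/]+))?$`)

// policyID is a hypothetical type; ObjectID is empty when the id has no suffix.
type policyID struct{ Subscription, ResourceGroup, VaultName, ObjectID string }

func parsePolicyID(id string) (policyID, error) {
	m := policyIDPattern.FindStringSubmatch(id)
	if m == nil {
		return policyID{}, fmt.Errorf("unable to parse key vault access policy id: %q", id)
	}
	return policyID{m[1], m[2], m[3], m[4]}, nil
}

// resolveObjectID prefers the object id from the id, then props["policy"]["objectId"].
// Checked assertions turn the absent-policy case from the panic into an error.
func resolveObjectID(id policyID, props map[string]interface{}) (string, error) {
	if id.ObjectID != "" {
		return id.ObjectID, nil
	}
	policy, ok := props["policy"].(map[string]interface{})
	if !ok {
		return "", fmt.Errorf("no object id in the id and no policy in the properties")
	}
	objectID, ok := policy["objectId"].(string)
	if !ok || objectID == "" {
		return "", fmt.Errorf("policy in the properties has no objectId")
	}
	return objectID, nil
}

func main() {
	// Constructed sample ids; nil props stands in for an import with no policy input.
	base := "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.KeyVault/vaults/kv-1/accessPolicy"
	for _, raw := range []string{base, base + "/obj-1", base + "/objectId/obj-1"} {
		id, err := parsePolicyID(raw)
		if err == nil {
			_, err = resolveObjectID(id, nil)
		}
		fmt.Printf("objectID=%q err=%v\n", id.ObjectID, err)
	}
}
```
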