Key vault + stateful resources #3922

Closed
PoojanumN opened this issue May 7, 2024 · 7 comments · Fixed by #3952
Assignees
Labels
feature story Stories are the smallest unit of work to be done for a project. storysize/S a few hours or half day

Comments

@PoojanumN
Copy link

By default the TRE is deployed with purge protection on the key vault and stateful resource locks. These make sense in a prod environment but hinder development and redeployment in dev. If a key vault already existed, for example, it will need to be imported into Terraform state. Having this as a switchable option, however, aids development and delivery.

Please see information around this issue:

Tim Allen
26 February 2024 at 16:40

Need to remember to update the action.yml

Kevin O'Connor
26 February 2024 at 16:14
Edited

```shell
terraform apply -var="KV_PURGE_PROTECTION_ENABLED=true" -var="STATEFUL_RESOURCES_LOCKED=true"
```

etc etc

Kevin O'Connor
26 February 2024 at 16:13

Might need to update the variables.tf file to add these to it for switch work

```hcl
variable "KV_PURGE_PROTECTION_ENABLED" {
  description = "Enables or disables Key Vault purge protection"
  type        = bool
  default     = false
}

variable "STATEFUL_RESOURCES_LOCKED" {
  description = "Determines if stateful resources should be locked"
  type        = bool
  default     = false
}
```

@PoojanumN PoojanumN converted this from a draft issue May 7, 2024
@PoojanumN PoojanumN added the bug Something isn't working label May 7, 2024
@marrobi
Copy link
Member

marrobi commented May 7, 2024

I believe this is covered here -

```yaml
developer_settings:
  # Locks will not be added to stateful resources so they can be easily removed
  # stateful_resources_locked: false
```

If it doesn't work as designed, then might need amending.

Also not sure it is a bug, but more of a feature request, that may already exist?

@PoojanumN PoojanumN added feature and removed bug Something isn't working labels May 7, 2024
@PoojanumN
Copy link
Author

@marrobi bug removed and added as Feature. @Danny-Cooke-CK please review the above and close as necessary

@tim-allen-ck
Copy link
Collaborator

I think the key vault purge protection wants adding either as a separate config flag or to the existing one

@tim-allen-ck tim-allen-ck added the story Stories are the smallest unit of work to be done for a project. label May 9, 2024
@tim-allen-ck
Copy link
Collaborator

Confirmed with @marrobi to add another developer setting

@Danny-Cooke-CK
Copy link
Collaborator

I've reviewed this and can see that the functionality is already there for key_vault, although in Imperial we have handled it more centrally.

In our code we have one variable set which covers every key vault, but in the main code it gets set in every Terraform provider in each part of the project, like the below. On that basis, I'm closing this ticket.

```hcl
provider "azurerm" {
  features {
    key_vault {
      # Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
      purge_soft_delete_on_destroy               = false
      purge_soft_deleted_secrets_on_destroy      = false
      purge_soft_deleted_certificates_on_destroy = false
      purge_soft_deleted_keys_on_destroy         = false
      # When recreating an environment, recover any previously soft deleted secrets - set to true by default
      recover_soft_deleted_key_vaults   = true
      recover_soft_deleted_secrets      = true
      recover_soft_deleted_certificates = true
      recover_soft_deleted_keys         = true
    }
  }
}
```

@github-project-automation github-project-automation bot moved this from In Progress to Done in Azure TRE - Engineering May 17, 2024
@marrobi
Copy link
Member

marrobi commented May 17, 2024

@Danny-Cooke-CK I thought you were trying to disable purge protection, not sure the code in the provider does this...
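The distinction marrobi raises is where each switch has to live: the provider `features {}` block only governs what the provider does on destroy, while purge protection is an attribute of the vault resource itself, and a stateful-resource lock is a separate `azurerm_management_lock`. The following is an added example, not Azure TRE project code or anything posted in this thread, wiring the two variables proposed above to those two places; the vault, resource group and lock names are hypothetical.

```hcl
# Added example (not Azure TRE project code). Resource names, region and
# resource group are hypothetical placeholders.

variable "KV_PURGE_PROTECTION_ENABLED" {
  description = "Enables or disables Key Vault purge protection"
  type        = bool
  default     = false
}

variable "STATEFUL_RESOURCES_LOCKED" {
  description = "Determines if stateful resources should be locked"
  type        = bool
  default     = false
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "kv-tre-dev-example" # hypothetical
  location            = "uksouth"            # hypothetical
  resource_group_name = "rg-tre-dev-example" # hypothetical
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Purge protection is a property of the vault, not of the provider's
  # features {} block. Once enabled on a vault it cannot be switched back
  # off, so the dev/prod decision has to be made here, at creation time.
  purge_protection_enabled   = var.KV_PURGE_PROTECTION_ENABLED
  soft_delete_retention_days = 7
}

# The delete lock exists only while the switch is on. With count = 0 there
# is no lock resource, so `terraform destroy` can remove the vault in dev;
# with count = 1 the CanNotDelete lock protects it in prod.
resource "azurerm_management_lock" "key_vault" {
  count      = var.STATEFUL_RESOURCES_LOCKED ? 1 : 0
  name       = "lock-kv-tre-dev-example" # hypothetical
  scope      = azurerm_key_vault.example.id
  lock_level = "CanNotDelete"
  notes      = "Stateful resource; locked while STATEFUL_RESOURCES_LOCKED is true"
}
```

Flipping `STATEFUL_RESOURCES_LOCKED` back to `false` removes the lock on the next apply, whereas flipping `KV_PURGE_PROTECTION_ENABLED` back to `false` is rejected by Azure for an existing vault, which is why the dev default matters.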

@github-project-automation github-project-automation bot moved this from Done to In Progress in Azure TRE - Engineering May 17, 2024
@Danny-Cooke-CK
Copy link
Collaborator

Oh ok. I've made a mistake in assumption here.
Will look again
