Unknown properties key_vault_secret_id in Microsoft.ContainerApps.WebApi.Views.Version20230501.ContainerAppSecretView are not supported #25820

Closed
dhduvall opened this issue May 1, 2024 · 5 comments

dhduvall commented May 1, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

tofu 1.6.2

AzureRM Provider Version

3.98.0

Affected Resource(s)/Data Source(s)

azurerm_container_app

Terraform Configuration Files

terraform {
  backend "local" {
  }
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.98.0"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1.13.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6.1"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {
}

resource "azurerm_resource_group" "rg" {
  location = var.location
  name     = var.rg_name
}

variable "location" {
  type    = string
  default = "westus2"
}

variable "rg_name" {
  type    = string
  default = "tester-tester"
}

resource "random_id" "kv_suffix" {
  byte_length = 4
}

resource "azurerm_key_vault" "key_vault" {
  name                = "a-key-vault-${random_id.kv_suffix.hex}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_subscription.current.tenant_id

  sku_name                  = "standard"
  enable_rbac_authorization = true
  enabled_for_deployment    = true
}

resource "azurerm_key_vault_secret" "extra_secret" {
  name         = "extra-secret"
  value        = "very very secret"
  key_vault_id = azurerm_key_vault.key_vault.id
}

resource "azurerm_container_app_environment" "app_env" {
  name                       = "app-env"
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
}

resource "azurerm_container_app" "app" {
  name                         = "app"
  container_app_environment_id = azurerm_container_app_environment.app_env.id
  resource_group_name          = azurerm_container_app_environment.app_env.resource_group_name

  revision_mode = "Single"

  secret {
    name  = "direct-secret"
    value = "super secret"
  }

  template {
    container {
      name   = "app"
      image  = "alpine:latest"
      cpu    = 0.25
      memory = "0.5Gi"

      env {
        name  = "ENV_VAR"
        value = "environment variable value"
      }
      env {
        name        = "DIRECT_SECRET"
        secret_name = "direct-secret"
      }
    }
  }
}

resource "azapi_resource_action" "extra_secrets" {
  type        = "Microsoft.App/containerApps@2023-05-01"
  resource_id = azurerm_container_app.app.id
  method      = "PATCH"

  body = jsonencode({
    properties = {
      configuration = {
        secrets = setunion(
          [
            for s in azurerm_container_app.app.secret :
            s if !contains(["extra-secret"], s.name)
          ],
          [
            {
              name = "extra-secret"
              keyVaultUrl = "${azurerm_key_vault.key_vault.vault_uri}secrets/extra-secret"
              # identity    = xxx
            },
          ],
        )
      }
    }
  })

  depends_on = [
    azurerm_container_app.app,
    azurerm_key_vault_secret.extra_secret,
  ]
}

Debug Output/Panic Output

https://gist.github.com/dhduvall/cb6c6a98e27709f90e2261d1bd81cee6

Expected Behaviour

A secret named extra-secret should have been added to the container app.

Actual Behaviour

azapi_resource_action.extra_secrets: Creating...
╷
│ Error: Failed to perform action
│
│   with azapi_resource_action.extra_secrets,
│   on ocr-container-app.tf line 59, in resource "azapi_resource_action" "extra_secrets":
│   59: resource "azapi_resource_action" "extra_secrets" {
│
│ performing action  of "Resource: (ResourceId \"/subscriptions/7aa534dc-850e-43ff-a18b-bf8f81964eec/resourceGroups/tester-tester/providers/Microsoft.App/containerApps/app\" / Api Version \"2023-05-01\")": PATCH https://management.azure.com/subscriptions/7aa534dc-850e-43ff-a18b-bf8f81964eec/resourceGroups/tester-tester/providers/Microsoft.App/containerApps/app
│ --------------------------------------------------------------------------------
│ RESPONSE 400: 400 Bad Request
│ ERROR CODE UNAVAILABLE
│ --------------------------------------------------------------------------------
│ {
│   "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
│   "title": "One or more validation errors occurred.",
│   "status": 400,
│   "traceId": "00-f949efbc6cd5886588e857b52f029ce0-025b6d3cb0ee8b33-01",
│   "errors": {
│     "$[0]": [
│       "Unknown properties key_vault_secret_id in Microsoft.ContainerApps.WebApi.Views.Version20230501.ContainerAppSecretView are not supported"
│     ]
│   }
│ }
│ --------------------------------------------------------------------------------
│
╵

Steps to Reproduce

No response

Important Factoids

No response

References

Looks like this might have been introduced by #24773. At least, it works with 3.97.0 and not with 3.98.0 or 3.101.0.

dhduvall commented May 1, 2024

I did a quick check, and a secret with a key_vault_secret_id also populates the value element in the secret structure when sending it to the Azure API, so whatever the issue is, it appears to be symmetric.

@aristosvo
Collaborator

Hi @dhduvall 👋

First of all, nice stuff, haven't seen this azapi PATCH being implemented before, learned something new today! 👌

Secondly, can you explain what you expect here to be done? I'm afraid on the provider side it cannot be prevented that these kinds of changes and updates happen. My impression is that this is not a provider error, but a client-side implementation bug. Because of the extra properties and the usage of the secret object with these extra properties (without filtering) your logic is broken (as too many properties are now sent in the PATCH request and the API signals that back).

This could probably be fixed by adding in the necessary filters on the secret object in your logic. If you want I could give you the code for that, but shouldn't be too hard to figure out.

dhduvall commented May 1, 2024

> First of all, nice stuff, haven't seen this azapi PATCH being implemented before, learned something new today! 👌

Thank you! I got the idea from #21739 (comment) and expanded on it until it did what I needed. (There's another resource to manage the environment variables, too.)

> Secondly, can you explain what you expect here to be done? I'm afraid on the provider side it cannot be prevented that these kinds of changes and updates happen. My impression is that this is not a provider error, but a client-side implementation bug. Because of the extra properties and the usage of the secret object with these extra properties (without filtering) your logic is broken (as too many properties are now sent in the PATCH request and the API signals that back).
>
> This could probably be fixed by adding in the necessary filters on the secret object in your logic. If you want I could give you the code for that, but shouldn't be too hard to figure out.

Oh, of course. I feel thick-headed. I ran into a similar problem when I was putting together what I have, but didn't make the connection. I'll follow up when I've gotten it fixed. Thank you!

dhduvall commented May 1, 2024

Indeed, that seems to have been the issue, and instantiating a new secret object instead of copying the original works well:

resource "azapi_resource_action" "extra_secrets" {
  type        = "Microsoft.App/containerApps@2023-05-01"
  resource_id = azurerm_container_app.app.id
  method      = "PATCH"

  body = jsonencode({
    properties = {
      configuration = {
        secrets = setunion(
          [
            for s in azurerm_container_app.app.secret :
            {
              name  = s.name
              value = s.value
            }
            if !contains(["extra-secret"], s.name)
          ],
          [
            {
              name = "extra-secret"
              keyVaultUrl = "${azurerm_key_vault.key_vault.vault_uri}secrets/extra-secret"
              # identity    = xxx
            },
          ],
        )
      }
    }
  })
}

(Well, the extra-secret thing doesn't, because I don't have an identity to pass it, but in my real code I do.)

Now I just need to go actually use the new functionality, and I should be able to drop this whole azapi workaround.

@dhduvall dhduvall closed this as completed May 1, 2024
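A more general form of the filtering discussed in this thread, as an added example that is not code from the issue author or the provider: each secret is projected onto an explicit allowlist of API property names, so attributes a later provider release adds to the `secret` block never reach the PATCH body. It assumes provider 3.98.0 or later, that the provider's `key_vault_secret_id` value is the URL the API expects as `keyVaultUrl`, and that the `secret` block exposes an `identity` attribute; `local.patched_secret_names` and `local.existing_secrets` are hypothetical names.

```hcl
locals {
  # Secrets the PATCH defines itself; these are replaced, not copied.
  patched_secret_names = ["extra-secret"]

  # Build each entry from an allowlist of API property names instead of
  # passing the provider's secret object through. A new provider-side
  # attribute (such as key_vault_secret_id, which this issue hit on 3.98.0)
  # then cannot leak into the request and trigger a 400.
  existing_secrets = [
    for s in azurerm_container_app.app.secret : {
      for k, v in {
        name        = s.name
        value       = s.value
        keyVaultUrl = s.key_vault_secret_id # assumed mapping to the API name
        identity    = s.identity            # assumed provider attribute
      } : k => v if v != null && v != ""    # drop fields the secret does not use
    }
    if !contains(local.patched_secret_names, s.name)
  ]
}

resource "azapi_resource_action" "extra_secrets" {
  type        = "Microsoft.App/containerApps@2023-05-01"
  resource_id = azurerm_container_app.app.id
  method      = "PATCH"

  body = jsonencode({
    properties = {
      configuration = {
        # concat keeps entries with different key sets side by side.
        secrets = concat(local.existing_secrets, [
          {
            name        = "extra-secret"
            keyVaultUrl = "${azurerm_key_vault.key_vault.vault_uri}secrets/extra-secret"
            # identity    = xxx
          },
        ])
      }
    }
  })

  depends_on = [
    azurerm_container_app.app,
    azurerm_key_vault_secret.extra_secret,
  ]
}
```

Value-based secrets still pass their plaintext through the request body and Terraform state, while Key Vault-backed entries carry only the reference and identity.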

github-actions bot commented Jun 1, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 1, 2024