@marekx marekx commented Nov 28, 2025

Problem

When KeyVault secrets or keys are destroyed and then recreated with the same name, Pulumi fails with a conflict error because Azure keeps soft-deleted resources for 7-90 days. This common workflow breaks:

```shell
pulumi up      # Creates secret
pulumi destroy # Soft-deletes secret
pulumi up      # ❌ FAILS: "secret already exists in deleted state"
```

Users must manually purge secrets via the Azure Portal or CLI before redeploying, which is error-prone and time-consuming. It is also not a viable option when dealing with the industry standard of purge protection for secrets.

Solution

This PR adds custom Create and CanCreate functions for KeyVault secrets and keys that:

  1. Check if a soft-deleted resource exists using Azure's GetDeletedSecret/GetDeletedKey APIs
  2. Automatically recover soft-deleted resources using RecoverDeletedSecret/RecoverDeletedKey
  3. Continue with the normal ARM-based creation flow
  4. Gracefully handle cases where no soft-deleted resource exists

The implementation covers both:

  • Modern azcore SDK (primary implementation)
  • Legacy autorest SDK (for backward compatibility)

Changes

Modified Files

  • provider/pkg/resources/customresources/custom_keyvault.go (+104 lines)

    • Added CanCreate and Create functions for secrets and keys
    • Implemented soft-delete detection and recovery logic
  • provider/pkg/resources/customresources/custom_keyvault_autorest.go (+87 lines)

    • Same implementation for legacy autorest backend

Key Features

  • ✅ Non-breaking: Falls back gracefully if recovery fails or isn't needed
  • ✅ Complete: Covers both secrets and keys in both SDK backends
  • ✅ Well-documented: Links to related GitHub issues in code comments

Testing

Tested with a KeyVault containing 4 secrets / 4 keys:

  1. Before fix: `pulumi destroy && pulumi up` failed with conflict errors
  2. After fix: `pulumi destroy && pulumi up` succeeds automatically
  3. Verified graceful handling when no soft-deleted resource exists

Related Issues

Fixes #1174
Fixes #1211
Related to #2374, #3357
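The check-recover-create flow described under Solution, as an added example that is not code from this PR or from the provider. `SecretStore` is a hypothetical narrowing of the Key Vault data-plane calls (a real adapter would wrap the azsecrets client), `ErrNotFound` stands in for the 404 the service returns when nothing soft-deleted has that name, and `FakeVault` is a constructed in-memory stand-in that reproduces the conflict. It keeps the one caveat a practitioner would want: a non-404 failure on the deleted-lookup propagates instead of being read as "nothing to recover".

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for the 404 Key Vault returns when no soft-deleted entry has that name.
var ErrNotFound = errors.New("not found")

// SecretStore is a hypothetical subset of the data-plane calls; a real one would wrap the azsecrets client.
type SecretStore interface {
	GetDeletedSecret(name string) error
	RecoverDeletedSecret(name string) error
	SetSecret(name, value string) error
}

// EnsureSecret recovers a same-named soft-deleted secret, if one exists, and then creates the secret.
func EnsureSecret(s SecretStore, name, value string) error {
	switch err := s.GetDeletedSecret(name); {
	case err == nil: // a soft-deleted secret with this name exists: recover it first
		if err := s.RecoverDeletedSecret(name); err != nil {
			return fmt.Errorf("recover %q: %w", name, err)
		}
	case !errors.Is(err, ErrNotFound): // auth/transport failure: do not treat it as "absent"
		return fmt.Errorf("check deleted %q: %w", name, err)
	}
	return s.SetSecret(name, value) // normal creation path, now free of the conflict
}

// FakeVault keeps live and soft-deleted secrets in memory (constructed stand-in for a vault).
type FakeVault struct{ Live, Deleted map[string]string }
func (v *FakeVault) GetDeletedSecret(name string) error {
	if _, ok := v.Deleted[name]; !ok {
		return ErrNotFound
	}
	return nil
}
func (v *FakeVault) RecoverDeletedSecret(name string) error {
	v.Live[name] = v.Deleted[name]
	delete(v.Deleted, name)
	return nil
}
func (v *FakeVault) SetSecret(name, value string) error { // the conflict the PR works around
	if _, ok := v.Deleted[name]; ok {
		return errors.New("conflict: secret already exists in deleted state")
	}
	v.Live[name] = value
	return nil
}
```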

marekx and others added 2 commits November 27, 2025 18:06
Implements automatic detection and recovery of soft-deleted secrets and
keys in Azure KeyVault when attempting to create resources with the
same name. This addresses the common workflow issue where:
  pulumi up -> pulumi destroy -> pulumi up
previously failed due to soft-deleted resources blocking recreation.

Changes:
- Add custom CanCreate() to bypass default existence checks
- Add custom Create() that:
  * Checks for soft-deleted secrets/keys using GetDeletedSecret/GetDeletedKey
  * Automatically recovers them using BeginRecoverDeletedSecret/BeginRecoverDeletedKey
  * Falls back to normal creation flow if no soft-deleted resource exists
- Implements recovery for both azcore and autorest backends
- Adds informative logging at appropriate verbosity levels

This allows users to reuse secret/key names immediately after deletion
without manual Azure Portal intervention or waiting for the 7-90 day
retention period.

Fixes pulumi#1174
Fixes pulumi#1211
Related to pulumi#2374, pulumi#3357

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

The Azure SDK uses synchronous RecoverDeletedSecret/RecoverDeletedKey
methods, not async pollers. Updated the recovery logic to use the
correct API signatures.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@github-actions

Hi there 👋 Thank you for submitting a pull request.

Acceptance tests must be run by a maintainer. If a maintainer hasn't picked this up after 7 days, please do reach out to a maintainer via our community Slack.

Maintainers: Please review changes then run tests by adding the comment:

/run-acceptance-tests

Development

Successfully merging this pull request may close these issues.

  • Recovery / Purge of soft-deleted secrets from Key Vault
  • Deleting a key vault secret does not purge it, therefore it's not available for reuse.