Certificate renewal logic fails because of the default behavior of Azure Key Vault

[paf-dev]

What happened?

So, we have a certificate that is stored in the Azure Key Vault. For the certificate we have the following part of CertificateArgs

                    LifetimeActions = new[]
                    {
                        new CertificateCertificatePolicyLifetimeActionArgs
                        {
                            Action = new CertificateCertificatePolicyLifetimeActionActionArgs
                            {
                                ActionType = "AutoRenew",
                            },
                            Trigger = new CertificateCertificatePolicyLifetimeActionTriggerArgs
                            {
                                DaysBeforeExpiry = 10
                            },
                        },
                    }

Now is the time to triger that renewal logic. When we run Pulumi we see the following error

keyvault.BaseClient#ImportCertificate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Certificate certmanager-***6110abac26 is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the certificate can only be recovered or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}

Note: the name of the certificate was edited to hide sensitive data behind ***

The reason for the problem is clear, but doesn't it mean that the Certificate Lifetime Policy doesn't work at all when it collaborates with the Azure Key Vault?

Example

Everything is described in section "what happened"

Output of pulumi about

CLI
Version 3.79.0
Go Version go1.21.0
Go Compiler gc

Plugins
NAME VERSION
azure 5.16.0
azure-native 1.71.0
azuread 5.28.0
azuredevops 2.5.0
dotnet unknown
kubernetes 3.21.0
random 4.8.2
tls 4.6.0

Host
OS Microsoft Windows 10 Pro
Version 10.0.19045 Build 19045
Arch x86_64

This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='6.0.123'

Backend
Name pulumi.com

---

No dependencies found

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[mikhailshilkov]

@paf-dev Could you please share the entire definition of the resource? (with sensitive info redacted) Thank you!

When we run Pulumi we see the following error

What are you changing in your program at this point?

[paf-dev]

Hello @mikhailshilkov

What are you changing in your program at this point?

We added the piece of code that I mentioned in the first message. The part with LifetimeActions . So now, when we run our pipeline, the logic tries to replace the certificate with a new one. But it fails because of the error I mentioned above.

I'm not sure if I understand what the definition of the resource means. Is it the properties of the resource that I can see on the pulumi portal in Resources section? Or is it something different?

[paf-dev]

@mikhailshilkov is there any chance to get some progress with the issue?