I’m trying to set up a Recovery Services Vault for failover, but I’m getting the error below. I’ve set the timeouts within the TF code to 6 hours, but this looks more like an issue with the app service principal used for the pipeline. Is there any way to increase the JWT timeout?
│ Error: waiting for site recovery to replicate vm: making Read request on site recovery replicated vm Replication Protected Item (Subscription: "XXX"
│ Resource Group Name: "XXX"
│ Vault Name: "vault-ukwest"
│ Replication Fabric Name: "primary-fabric"
│ Replication Protection Container Name: "primary-protection-container"
│ Replication Protected Item Name: "XXX") : authorizing request: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-12-10T13:39:00.5162383Z, assertion valid from 2024-12-10T12:58:07.0000000Z, expiry time of assertion 2024-12-10T13:08:06.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: XXX Correlation ID: XXX Timestamp: 2024-12-10 13:39:00Z","error_codes":[700024],"timestamp":"2024-12-10 13:39:00Z","trace_id":"XXX","correlation_id":"XXX","error_uri":"https://login.microsoftonline.com/error?code=700024"}
│
│ with module.rsv.azurerm_site_recovery_replicated_vm.windowsvm-replication,
│ on modules/rsv/rsv.tf line 236, in resource "azurerm_site_recovery_replicated_vm" "windowsvm-replication":
│ 236: resource "azurerm_site_recovery_replicated_vm" "windowsvm-replication" {
│
╵
Finishing: Terraform Apply
2 Answers
Managed to fix this issue: it was caused by the service connection in Azure DevOps being set up as a Federated Workspace, which is the way Microsoft are trying to push you when setting up new service connections in ADO. What they don't tell you is that the OpenID token which is used by JWT only lasts a max of 60 minutes. So for production workloads this can be cumbersome.
The fix was to create a new service connection using a client secret; however, this means secret rotation will be manual again.
If you're creating an RSV via Terraform using ADO CI/CD pipelines, you're best off creating your service connection from the beginning as a service principal using a secret, since RSV will take hours to complete the VM replication.
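As an added example (mine, not the answer author's, and not code from Terraform, Azure DevOps or the azurerm provider), here is a small Python helper for the failure mode this answer describes. It reads the three timestamps Entra ID prints in the AADSTS700024 body from the question and works out the assertion's lifetime and how stale it was when the call failed, and it decodes the nbf/exp claims of a client-assertion JWT so you can tell before starting whether a multi-hour apply will outlive the token. The sample error body and the sample token are constructed here (the token is unsigned and its signature is never checked), so this is for diagnosis only, never for deciding whether to trust a token.

```python
"""Diagnosing AADSTS700024 around a long terraform apply (constructed example)."""
import base64
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the error body from the question with IDs redacted.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": (
        "AADSTS700024: Client assertion is not within its valid time range. "
        "Current time: 2024-12-10T13:39:00.5162383Z, "
        "assertion valid from 2024-12-10T12:58:07.0000000Z, "
        "expiry time of assertion 2024-12-10T13:08:06.0000000Z. "
        "Review the documentation at "
        "https://learn.microsoft.com/entra/identity-platform/certificate-credentials . "
        "Trace ID: XXX Correlation ID: XXX Timestamp: 2024-12-10 13:39:00Z"
    ),
    "error_codes": [700024],
})

_TIME_RE = re.compile(
    r"Current time: (?P<now>[0-9T:.-]+Z), "
    r"assertion valid from (?P<nbf>[0-9T:.-]+Z), "
    r"expiry time of assertion (?P<exp>[0-9T:.-]+Z)"
)


def _parse_entra_time(s: str) -> datetime:
    """Parse Entra's 7-digit-fraction timestamps; datetime accepts at most 6 digits."""
    s = s.rstrip("Z")
    if "." in s:
        head, frac = s.split(".", 1)
        s = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def parse_aadsts700024(body: str) -> dict:
    """Assertion lifetime and staleness (seconds) taken from a 700024 error body."""
    err = json.loads(body)
    if 700024 not in err.get("error_codes", []):
        raise ValueError("not an AADSTS700024 response")
    m = _TIME_RE.search(err.get("error_description", ""))
    if m is None:
        raise ValueError("timestamps not found in error_description")
    now, nbf, exp = (_parse_entra_time(m.group(k)) for k in ("now", "nbf", "exp"))
    return {
        "lifetime_seconds": (exp - nbf).total_seconds(),
        "expired_for_seconds": (now - exp).total_seconds(),
    }


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def assertion_window(jwt: str) -> dict:
    """nbf/exp (epoch seconds) of a compact JWS. The signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    claims = json.loads(_b64url_decode(parts[1]))
    nbf = claims.get("nbf", claims.get("iat"))  # fall back to iat if nbf is absent
    if nbf is None or "exp" not in claims:
        raise ValueError("token carries no nbf/iat or no exp claim")
    nbf, exp = int(nbf), int(claims["exp"])
    return {"nbf": nbf, "exp": exp, "lifetime_seconds": exp - nbf}


def will_outlive_assertion(jwt: str, planned_seconds: float,
                           now_epoch: Optional[float] = None) -> bool:
    """True if work starting at now_epoch and lasting planned_seconds passes the token's exp."""
    if now_epoch is None:
        now_epoch = datetime.now(timezone.utc).timestamp()
    return now_epoch + planned_seconds > assertion_window(jwt)["exp"]


def _unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token shaped like an OIDC client assertion (demo only)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token with the same ten-minute window the error above reports.
SAMPLE_NBF_EPOCH = int(datetime(2024, 12, 10, 12, 58, 7, tzinfo=timezone.utc).timestamp())
SAMPLE_EXP_EPOCH = int(datetime(2024, 12, 10, 13, 8, 6, tzinfo=timezone.utc).timestamp())
SAMPLE_JWT = _unsigned_jwt({"iss": "https://vstoken.dev.azure.com/XXX",  # hypothetical issuer
                            "sub": "sc://org/project/conn",                # hypothetical subject
                            "nbf": SAMPLE_NBF_EPOCH, "exp": SAMPLE_EXP_EPOCH})

if __name__ == "__main__":
    print(parse_aadsts700024(SAMPLE_ERROR))
    print(assertion_window(SAMPLE_JWT))
    print("6h apply outlives assertion:",
          will_outlive_assertion(SAMPLE_JWT, 6 * 3600, now_epoch=SAMPLE_NBF_EPOCH))
```

Run against the error body in the question, the helper shows an assertion valid for just under ten minutes and a request made roughly 31 minutes after it expired, which is why no Terraform timeout setting helps: the apply was still polling the replicated item long after the federated assertion it was handed at job start had lapsed.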
Did you think about using a self-signed certificate for authentication instead of a client secret? Afterwards you may configure automatic token refreshing.