Secrets Terraform Recipe fails to deploy without Application resource #52
Description
Steps to reproduce
- Set up a Radius environment with the following configuration:
```json
{
  "id": "/planes/radius/local/resourcegroups/dev/providers/Applications.Core/environments/dev",
  "location": "global",
  "name": "dev",
  "properties": {
    "compute": { "kind": "kubernetes", "namespace": "dev" },
    "provisioningState": "Succeeded",
    "recipes": {
      "Radius.Security/secrets": {
        "default": {
          "templateKind": "terraform",
          "templatePath": "git::https://github.com/radius-project/resource-types-contrib.git//Security/secrets/recipes/kubernetes/terraform",
          "templateVersion": ""
        }
      }
    }
  },
  "systemData": { "createdAt": "0001-01-01T00:00:00Z", "createdBy": "", "createdByType": "", "lastModifiedAt": "0001-01-01T00:00:00Z", "lastModifiedBy": "", "lastModifiedByType": "" },
  "tags": {},
  "type": "Applications.Core/environments"
}
```
- Deploy the following workload definition without an Application resource:
```bicep
extension radius
extension radiusResources

param environment string

resource testSecret 'Radius.Security/secrets@2025-08-01-preview' = {
  name: 'testsecret'
  properties: {
    environment: environment
    data: {
      stringData: {
        value: 'this is a string'
      }
      encodedData: {
        value: 'dGhpcyBpcyBhIHN0cmluZw=='
        encoding: 'base64'
      }
    }
  }
}
```
- Run `rad deploy secrets-resource.bicep` and observe the error.
Observed behavior
Deployment fails with the following error:
```
Error: {
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "target": "/planes/radius/local/resourceGroups/dev/providers/Microsoft.Resources/deployments/rad-deploy-69559a4b-e705-429e-a129-7554aa7ab9bc",
  "details": [
    {
      "code": "ResourceDeploymentFailure",
      "message": "Failed",
      "target": "/planes/radius/local/resourceGroups/dev/providers/Radius.Security/secrets/testsecret",
      "details": [
        {
          "code": "RecipeDeploymentFailed",
          "message": "'' is not a valid resource id"
        }
      ]
    }
  ]
}
```
However, if an Application resource is included and referenced in the secret, the deployment succeeds.
Desired behavior
The deployment should succeed even when the Application resource is not present. The Application property should not be required for the Terraform recipe to work.
Workaround
As a workaround, adding an Application resource and referencing its id in the secret allows the deployment to succeed.
rad Version
```
CLI Version Information:
RELEASE   VERSION   BICEP     COMMIT
edge      88f5941   0.37.4    88f5941567333e5a63484c2f61e4e62610a3cc0f

Control Plane Information:
STATUS      VERSION
Installed   edge
```
Operating system
Mac OS 15.6.1
Additional context
Environment JSON and workload definition are provided above. Issue encountered using the Radius Security/secrets Terraform recipe from the repository.
Terraform Recipe: https://github.com/radius-project/resource-types-contrib.git//Security/secrets/recipes/kubernetes/terraform
Relevant code from the recipe:
main.tf (view on GitHub)
```hcl
terraform {
  required_version = ">= 1.5"
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.37.1"
    }
  }
}

# Local values for processing secret data
locals {
  secret_data = var.context.resource.properties.data
  secret_kind = try(var.context.resource.properties.kind, "generic")
  secret_name = var.context.resource.name

  # Separate data based on encoding
  base64_data = {
    for k, v in local.secret_data : k => v.value
    if try(v.encoding, "") == "base64"
  }
  string_data = {
    for k, v in local.secret_data : k => base64encode(v.value)
    if try(v.encoding, "") != "base64"
  }

  # Determine Kubernetes secret type
  secret_type = (
    local.secret_kind == "certificate-pem" ? "kubernetes.io/tls" :
    local.secret_kind == "basicAuthentication" ? "kubernetes.io/basic-auth" :
    "Opaque"
  )
}

resource "kubernetes_secret" "secret" {
  # Validation preconditions - these will stop deployment if they fail
  lifecycle {
    precondition {
      condition = (
        local.secret_kind != "certificate-pem" ||
        (contains(keys(local.secret_data), "tls.crt") &&
        contains(keys(local.secret_data), "tls.key"))
      )
      error_message = "certificate-pem secrets must contain keys tls.crt and tls.key"
    }
    precondition {
      condition = (
        local.secret_kind != "basicAuthentication" ||
        (contains(keys(local.secret_data), "username") &&
        contains(keys(local.secret_data), "password"))
      )
      error_message = "basicAuthentication secrets must contain keys username and password"
    }
    precondition {
      condition = (
        local.secret_kind != "azureWorkloadIdentity" ||
        (contains(keys(local.secret_data), "clientId") &&
        contains(keys(local.secret_data), "tenantId"))
      )
      error_message = "azureWorkloadIdentity secrets must contain keys clientId and tenantId"
    }
    precondition {
      condition = (
        local.secret_kind != "awsIRSA" ||
        contains(keys(local.secret_data), "roleARN")
      )
      error_message = "awsIRSA secrets must contain key roleARN"
    }
  }

  metadata {
    name      = local.secret_name
    namespace = var.context.runtime.kubernetes.namespace
    labels = {
      resource = var.context.resource.name
      app      = var.context.application != null ? var.context.application.name : ""
    }
  }

  type        = local.secret_type
  data        = length(local.string_data) > 0 ? local.string_data : {}
  binary_data = length(local.base64_data) > 0 ? local.base64_data : {}
}
```
var.tf (view on GitHub)
```hcl
variable "context" {
  description = "This variable contains Radius recipe context."
  type        = any
}
```
Would you like to support us?
- Yes, I would like to support you
AB#17115
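
The workaround described above, written out as an added example (not part of the original issue or the recipe repository). The application name `testapp`, the `Applications.Core/applications` API version, and the `application` property name on the secret are assumptions; the issue only states that an Application resource is added and its id is referenced from the secret.

```bicep
extension radius
extension radiusResources

param environment string

// Assumed: the name 'testapp' and this API version are illustrative and do not
// appear in the issue.
resource app 'Applications.Core/applications@2023-10-01-preview' = {
  name: 'testapp'
  properties: {
    environment: environment
  }
}

resource testSecret 'Radius.Security/secrets@2025-08-01-preview' = {
  name: 'testsecret'
  properties: {
    environment: environment
    // Assumed property name: reference the Application's id so the recipe
    // context carries a non-empty application resource id.
    application: app.id
    data: {
      stringData: {
        value: 'this is a string'
      }
      encodedData: {
        value: 'dGhpcyBpcyBhIHN0cmluZw=='
        encoding: 'base64'
      }
    }
  }
}
```

With the Application set, `var.context.application` is non-null in the recipe, so the `app` label on the Kubernetes Secret carries the application name rather than the empty-string fallback in `main.tf`.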