
data source `azurerm_key_vault_secret` with keyvault from other subscription causes state to get removed

Open • pearcec opened this issue 3 years ago • 1 comment

Is there an existing issue for this?

  • [X] I have searched the existing issues

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.6

AzureRM Provider Version

2.31.1

Affected Resource(s)/Data Source(s)

data azurerm_key_vault_secret

Terraform Configuration Files

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.21.1"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.19.1"
    }
  }

  required_version = "1.2.6"
}

provider "azurerm" {
  features {}
}

# Aliased provider scoped to the management subscription that holds the shared key vault.
provider "azurerm" {
  alias           = "mgmt"
  tenant_id       = "166550b7-184e-47b5-ba21-9152ebf35e28"
  subscription_id = "97bf3d55-80fa-4fa5-93f8-44387d3149ff"

  features {}
}

data "azurerm_subscription" "current" {}
data "azurerm_client_config" "current" {}

# Both secrets live in a vault in the management subscription. The provider alias is
# left commented out to reproduce the issue; uncommenting it avoids the problem.
data "azurerm_key_vault_secret" "domain_join_username" {
  name         = "domain-join-username"
  key_vault_id = module.environment_info.management.key_vault.id
  # provider = azurerm.mgmt
}

data "azurerm_key_vault_secret" "domain_join_password" {
  name         = "domain-join-password"
  key_vault_id = module.environment_info.management.key_vault.id
  # provider = azurerm.mgmt
}

module "naming" {
  source                 = "github.com/Azure/terraform-azurerm-naming?ref=0.1.1"
  unique-length          = 8
  unique-include-numbers = false
}

resource "azurerm_resource_group" "rg" {
  name     = module.naming.resource_group.name_unique
  location = "East US"
}

module "environment_info" {
  source = "git::https://github.com/.../.../modules/environment_info"

  providers = {
    azurerm = azurerm
  }
}

resource "azurerm_key_vault" "kv" {
  name                       = module.naming.key_vault.name_unique
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  purge_protection_enabled   = false
  sku_name                   = "standard"
}

resource "azurerm_user_assigned_identity" "uai" {
  name                = module.naming.user_assigned_identity.name_unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# The access policy that is dropped from state on the second apply.
resource "azurerm_key_vault_access_policy" "access" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.uai.principal_id

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}
```

Debug Output/Panic Output

```shell
…_key_vault_access_policy [✔] [2.27s]
PS  terraform init

Initializing modules...
Downloading git::https://github.com/StackEng/terraform-foundation-azure-modules.git?ref=1.3.2 for environment_info...
- environment_info in .terraform/modules/environment_info/modules/environment_info
Downloading git::https://github.com/Azure/terraform-azurerm-naming.git?ref=0.1.1 for naming...
- naming in .terraform/modules/naming

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/azurerm versions matching ">= 3.3.0, 3.21.1"...
- Finding hashicorp/azuread versions matching "2.19.1"...
- Finding hashicorp/random versions matching ">= 2.2.0"...
- Installing hashicorp/azurerm v3.21.1...
- Installed hashicorp/azurerm v3.21.1 (signed by HashiCorp)
- Installing hashicorp/azuread v2.19.1...
- Installed hashicorp/azuread v2.19.1 (signed by HashiCorp)
- Installing hashicorp/random v3.4.3...
- Installed hashicorp/random v3.4.3 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
…_key_vault_access_policy [✔] [15.98s]
PS  terraform apply -auto-approve

data.azurerm_client_config.current: Reading...
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-15 17:23:51.315532 +0000 UTC]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec]
data.azurerm_key_vault_secret.domain_join_password: Reading...
data.azurerm_key_vault_secret.domain_join_username: Reading...
data.azurerm_key_vault_secret.domain_join_username: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-username/3dab7916ea364383b84000dc21259fd8]
data.azurerm_key_vault_secret.domain_join_password: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-password/3fba475528464ed2a9433f7d32c08306]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # azurerm_key_vault.kv will be created
  + resource "azurerm_key_vault" "kv" {
      + access_policy                 = (known after apply)
      + id                            = (known after apply)
      + location                      = "eastus"
      + name                          = (known after apply)
      + public_network_access_enabled = true
      + purge_protection_enabled      = false
      + resource_group_name           = (known after apply)
      + sku_name                      = "standard"
      + soft_delete_retention_days    = 7
      + tenant_id                     = "166550b7-184e-47b5-ba21-9152ebf35e28"
      + vault_uri                     = (known after apply)

      + network_acls {
          + bypass                     = (known after apply)
          + default_action             = (known after apply)
          + ip_rules                   = (known after apply)
          + virtual_network_subnet_ids = (known after apply)
        }
    }

  # azurerm_key_vault_access_policy.access will be created
  + resource "azurerm_key_vault_access_policy" "access" {
      + id                 = (known after apply)
      + key_permissions    = [
          + "Get",
        ]
      + key_vault_id       = (known after apply)
      + object_id          = (known after apply)
      + secret_permissions = [
          + "Get",
        ]
      + tenant_id          = "166550b7-184e-47b5-ba21-9152ebf35e28"
    }

  # azurerm_resource_group.rg will be created
  + resource "azurerm_resource_group" "rg" {
      + id       = (known after apply)
      + location = "eastus"
      + name     = (known after apply)
    }

  # azurerm_user_assigned_identity.uai will be created
  + resource "azurerm_user_assigned_identity" "uai" {
      + client_id           = (known after apply)
      + id                  = (known after apply)
      + location            = "eastus"
      + name                = (known after apply)
      + principal_id        = (known after apply)
      + resource_group_name = (known after apply)
      + tenant_id           = (known after apply)
    }

  # module.naming.random_string.first_letter will be created
  + resource "random_string" "first_letter" {
      + id          = (known after apply)
      + length      = 1
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = false
      + numeric     = false
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.naming.random_string.main will be created
  + resource "random_string" "main" {
      + id          = (known after apply)
      + length      = 60
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = false
      + numeric     = false
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

Plan: 6 to add, 0 to change, 0 to destroy.
module.naming.random_string.first_letter: Creating...
module.naming.random_string.main: Creating...
module.naming.random_string.first_letter: Creation complete after 0s [id=t]
module.naming.random_string.main: Creation complete after 0s [id=etufxicdxfetvbaagjypzwaejpfnddilnevlaoqxqykniyqlqmioetnrwqmu]
azurerm_resource_group.rg: Creating...
azurerm_resource_group.rg: Creation complete after 0s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic]
azurerm_user_assigned_identity.uai: Creating...
azurerm_key_vault.kv: Creating...
azurerm_user_assigned_identity.uai: Creation complete after 1s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-tetufxic]
azurerm_key_vault.kv: Still creating... [10s elapsed]
azurerm_key_vault.kv: Still creating... [20s elapsed]
azurerm_key_vault.kv: Still creating... [30s elapsed]
azurerm_key_vault.kv: Still creating... [40s elapsed]
azurerm_key_vault.kv: Still creating... [50s elapsed]
azurerm_key_vault.kv: Still creating... [1m0s elapsed]
azurerm_key_vault.kv: Still creating... [1m10s elapsed]
azurerm_key_vault.kv: Still creating... [1m20s elapsed]
azurerm_key_vault.kv: Still creating... [1m30s elapsed]
azurerm_key_vault.kv: Still creating... [1m40s elapsed]
azurerm_key_vault.kv: Still creating... [1m50s elapsed]
azurerm_key_vault.kv: Still creating... [2m0s elapsed]
azurerm_key_vault.kv: Still creating... [2m10s elapsed]
azurerm_key_vault.kv: Still creating... [2m20s elapsed]
azurerm_key_vault.kv: Still creating... [2m30s elapsed]
azurerm_key_vault.kv: Creation complete after 2m35s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic]
azurerm_key_vault_access_policy.access: Creating...
azurerm_key_vault_access_policy.access: Creation complete after 7s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]
╷
│ Warning: Attribute Deprecated
│ 
│   with module.naming.random_string.main,
│   on .terraform/modules/naming/main.tf line 14, in resource "random_string" "main":
│   14:   number  = var.unique-include-numbers
│ 
│ **NOTE**: This is deprecated, use `numeric` instead.
│ 
│ (and 5 more similar warnings elsewhere)
╵

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
…_key_vault_access_policy [✔] [3.27m]
PS  terraform apply -auto-approve

module.naming.random_string.first_letter: Refreshing state... [id=t]
module.naming.random_string.main: Refreshing state... [id=etufxicdxfetvbaagjypzwaejpfnddilnevlaoqxqykniyqlqmioetnrwqmu]
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-15 17:28:18.155496 +0000 UTC]
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic]
azurerm_user_assigned_identity.uai: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-tetufxic]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec]
azurerm_key_vault.kv: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic]
data.azurerm_key_vault_secret.domain_join_username: Reading...
data.azurerm_key_vault_secret.domain_join_password: Reading...
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]
data.azurerm_key_vault_secret.domain_join_password: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-password/3fba475528464ed2a9433f7d32c08306]
data.azurerm_key_vault_secret.domain_join_username: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-username/3dab7916ea364383b84000dc21259fd8]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # azurerm_key_vault_access_policy.access will be created
  + resource "azurerm_key_vault_access_policy" "access" {
      + id                 = (known after apply)
      + key_permissions    = [
          + "Get",
        ]
      + key_vault_id       = "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic"
      + object_id          = "a1a2e23f-114e-4423-8d39-d0db0892e802"
      + secret_permissions = [
          + "Get",
        ]
      + tenant_id          = "166550b7-184e-47b5-ba21-9152ebf35e28"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
azurerm_key_vault_access_policy.access: Creating...
╷
│ Warning: Attribute Deprecated
│ 
│   with module.naming.random_string.main,
│   on .terraform/modules/naming/main.tf line 14, in resource "random_string" "main":
│   14:   number  = var.unique-include-numbers
│ 
│ **NOTE**: This is deprecated, use `numeric` instead.
│ 
│ (and 3 more similar warnings elsewhere)
╵
╷
│ Error: A resource with the ID "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_access_policy" for more information.
│ 
│   with azurerm_key_vault_access_policy.access,
│   on main.tf line 78, in resource "azurerm_key_vault_access_policy" "access":
│   78: resource "azurerm_key_vault_access_policy" "access" {
│ 
╵
…_key_vault_access_policy [✔] [24.56s]
PS  terraform import azurerm_key_vault_access_policy.access "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802"     

azurerm_key_vault_access_policy.access: Importing from ID "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802"...
azurerm_key_vault_access_policy.access: Import prepared!
  Prepared azurerm_key_vault_access_policy for import
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

…_key_vault_access_policy [✔] [11.8s]
PS  terraform apply -auto-approve                                                                                                      Executable=/Users/pearcec/.local/share/powershell/Modules/Invoke-Terraform/bin/terraform_1.2.6     
Identifier=terraform
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=548309 flags=0x10000(runtime) hashes=17129+2 location=embedded
Signature size=8979
Authority=Developer ID Application: Hashicorp, Inc. (D38WU7D763)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 27, 2022 at 11:19:08 AM
Info.plist=not bound
TeamIdentifier=D38WU7D763
Runtime Version=11.3.0
Sealed Resources=none
Internal requirements count=1 size=172
module.naming.random_string.first_letter: Refreshing state... [id=t]
module.naming.random_string.main: Refreshing state... [id=etufxicdxfetvbaagjypzwaejpfnddilnevlaoqxqykniyqlqmioetnrwqmu]
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Reading...
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic]
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-15 17:29:24.105301 +0000 UTC]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec]
azurerm_user_assigned_identity.uai: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-tetufxic]
azurerm_key_vault.kv: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic]
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]
data.azurerm_key_vault_secret.domain_join_password: Reading...
data.azurerm_key_vault_secret.domain_join_username: Reading...
data.azurerm_key_vault_secret.domain_join_username: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-username/3dab7916ea364383b84000dc21259fd8]
data.azurerm_key_vault_secret.domain_join_password: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-password/3fba475528464ed2a9433f7d32c08306]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Warning: Attribute Deprecated
│ 
│   with module.naming.random_string.main,
│   on .terraform/modules/naming/main.tf line 14, in resource "random_string" "main":
│   14:   number  = var.unique-include-numbers
│ 
│ **NOTE**: This is deprecated, use `numeric` instead.
│ 
│ (and 3 more similar warnings elsewhere)
╵

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
…_key_vault_access_policy [✔] [23.7s]
PS  terraform apply -auto-approve

module.naming.random_string.main: Refreshing state... [id=etufxicdxfetvbaagjypzwaejpfnddilnevlaoqxqykniyqlqmioetnrwqmu]
module.naming.random_string.first_letter: Refreshing state... [id=t]
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic]
data.azurerm_client_config.current: Reading...
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-15 17:30:14.830486 +0000 UTC]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec]
azurerm_user_assigned_identity.uai: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-tetufxic]
azurerm_key_vault.kv: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic]
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]
data.azurerm_key_vault_secret.domain_join_password: Reading...
data.azurerm_key_vault_secret.domain_join_username: Reading...
data.azurerm_key_vault_secret.domain_join_username: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-username/3dab7916ea364383b84000dc21259fd8]
data.azurerm_key_vault_secret.domain_join_password: Read complete after 0s [id=https://kv-test.vault.azure.net/secrets/domain-join-password/3fba475528464ed2a9433f7d32c08306]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Warning: Attribute Deprecated
│ 
│   with module.naming.random_string.main,
│   on .terraform/modules/naming/main.tf line 14, in resource "random_string" "main":
│   14:   number  = var.unique-include-numbers
│ 
│ **NOTE**: This is deprecated, use `numeric` instead.
│ 
│ (and 3 more similar warnings elsewhere)
╵

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
…_key_vault_access_policy [✔] [24.1s]
PS  terraform apply -auto-approve

module.naming.random_string.main: Refreshing state... [id=etufxicdxfetvbaagjypzwaejpfnddilnevlaoqxqykniyqlqmioetnrwqmu]
module.naming.random_string.first_letter: Refreshing state... [id=t]
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic]
data.azurerm_client_config.current: Reading...
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-15 17:30:52.700732 +0000 UTC]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec]
azurerm_user_assigned_identity.uai: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-tetufxic]
azurerm_key_vault.kv: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic]
data.azurerm_key_vault_secret.domain_join_password: Reading...
data.azurerm_key_vault_secret.domain_join_username: Reading...
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]
data.azurerm_key_vault_secret.domain_join_password: Read complete after 1s [id=https://kv-test.vault.azure.net/secrets/domain-join-password/3fba475528464ed2a9433f7d32c08306]
data.azurerm_key_vault_secret.domain_join_username: Read complete after 1s [id=https://kv-test.vault.azure.net/secrets/domain-join-username/3dab7916ea364383b84000dc21259fd8]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # azurerm_key_vault_access_policy.access will be created
  + resource "azurerm_key_vault_access_policy" "access" {
      + id                 = (known after apply)
      + key_permissions    = [
          + "Get",
        ]
      + key_vault_id       = "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic"
      + object_id          = "a1a2e23f-114e-4423-8d39-d0db0892e802"
      + secret_permissions = [
          + "Get",
        ]
      + tenant_id          = "166550b7-184e-47b5-ba21-9152ebf35e28"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
azurerm_key_vault_access_policy.access: Creating...
╷
│ Warning: Attribute Deprecated
│ 
│   with module.naming.random_string.main,
│   on .terraform/modules/naming/main.tf line 14, in resource "random_string" "main":
│   14:   number  = var.unique-include-numbers
│ 
│ **NOTE**: This is deprecated, use `numeric` instead.
│ 
│ (and 3 more similar warnings elsewhere)
╵
╷
│ Error: A resource with the ID "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_access_policy" for more information.
│ 
│   with azurerm_key_vault_access_policy.access,
│   on main.tf line 78, in resource "azurerm_key_vault_access_policy" "access":
│   78: resource "azurerm_key_vault_access_policy" "access" {
│ 
╵
…_key_vault_access_policy [✔] [35.95s]
PS  terraform import azurerm_key_vault_access_policy.access "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802"

azurerm_key_vault_access_policy.access: Importing from ID "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802"...
azurerm_key_vault_access_policy.access: Import prepared!
  Prepared azurerm_key_vault_access_policy for import
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

…_key_vault_access_policy [✔] [11.13s]
PS  ((Get-Content -path main.tf -Raw) -replace '# provider = azurerm.mgmt','provider = azurerm.mgmt') | Set-Content -Path main.tf  
…_key_vault_access_policy [✔] [4.42ms]
PS  terraform apply -auto-approve                                                                                                

module.naming.random_string.main: Refreshing state... [id=etufxicdxfetvbaagjypzwaejpfnddilnevlaoqxqykniyqlqmioetnrwqmu]
module.naming.random_string.first_letter: Refreshing state... [id=t]
data.azurerm_client_config.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-15 17:33:35.879353 +0000 UTC]
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic]
data.azurerm_subscription.current: Reading...
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec]
azurerm_user_assigned_identity.uai: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-tetufxic]
azurerm_key_vault.kv: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic]
data.azurerm_key_vault_secret.domain_join_password: Reading...
data.azurerm_key_vault_secret.domain_join_username: Reading...
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]
data.azurerm_key_vault_secret.domain_join_username: Read complete after 1s [id=https://kv-test.vault.azure.net/secrets/domain-join-username/3dab7916ea364383b84000dc21259fd8]
data.azurerm_key_vault_secret.domain_join_password: Read complete after 1s [id=https://kv-test.vault.azure.net/secrets/domain-join-password/3fba475528464ed2a9433f7d32c08306]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Warning: Attribute Deprecated
│ 
│   with module.naming.random_string.main,
│   on .terraform/modules/naming/main.tf line 14, in resource "random_string" "main":
│   14:   number  = var.unique-include-numbers
│ 
│ **NOTE**: This is deprecated, use `numeric` instead.
│ 
│ (and 3 more similar warnings elsewhere)
╵

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
…_key_vault_access_policy [✔] [25.54s]
PS  terraform apply -auto-approve

module.naming.random_string.main: Refreshing state... [id=etufxicdxfetvbaagjypzwaejpfnddilnevlaoqxqykniyqlqmioetnrwqmu]
module.naming.random_string.first_letter: Refreshing state... [id=t]
data.azurerm_client_config.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-15 17:34:03.38551 +0000 UTC]
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic]
data.azurerm_subscription.current: Reading...
azurerm_user_assigned_identity.uai: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-tetufxic]
azurerm_key_vault.kv: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic]
data.azurerm_subscription.current: Read complete after 1s [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec]
data.azurerm_key_vault_secret.domain_join_username: Reading...
data.azurerm_key_vault_secret.domain_join_password: Reading...
azurerm_key_vault_access_policy.access: Refreshing state... [id=/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic/providers/Microsoft.KeyVault/vaults/kv-tetufxic/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802]
data.azurerm_key_vault_secret.domain_join_username: Read complete after 1s [id=https://kv-test.vault.azure.net/secrets/domain-join-username/3dab7916ea364383b84000dc21259fd8]
data.azurerm_key_vault_secret.domain_join_password: Read complete after 1s [id=https://kv-test.vault.azure.net/secrets/domain-join-password/3fba475528464ed2a9433f7d32c08306]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Warning: Attribute Deprecated
│ 
│   with module.naming.random_string.main,
│   on .terraform/modules/naming/main.tf line 14, in resource "random_string" "main":
│   14:   number  = var.unique-include-numbers
│ 
│ **NOTE**: This is deprecated, use `numeric` instead.
│ 
│ (and 3 more similar warnings elsewhere)
╵

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
```

Expected Behaviour

The second run should NOT remove the azurerm_key_vault_access_policy.access state. From what I saw in the error.log, the data source for the secret is a key vault in another subscription. By the time it gets to looking up the key vault access policy, it then uses the subscription from the data source. Hence, when you set the data source provider to azurerm.mgmt, you no longer get the problem.

Actual Behaviour

Does it matter where you source a key vault id from another subscription on the main provider?

Steps to Reproduce

See Debug Output.

Important Factoids

No response

References

No response

pearcec, Sep 15 '22 17:09
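As an added check (not the provider's code or the reporter's configuration), the script below walks `terraform show -json` output and flags `azurerm_key_vault_secret` data sources whose `key_vault_id` points at a subscription none of the managed resources live in, i.e. the data sources that need an aliased provider such as `azurerm.mgmt`. The sample state is constructed from the ids in the issue; the management vault's resource group `rg-mgmt` and the secret values are assumed placeholders.

```python
"""Flag azurerm_key_vault_secret data sources that read a vault outside the
subscription the managed resources live in (the situation in this issue).

Input is the text produced by `terraform show -json` (a parsed dict is also
accepted). State does not record which provider alias a data source used, so
a finding means: attach a provider alias scoped to the vault's subscription
to that data source, then re-plan.
"""
import json
import re
from typing import Iterator, Optional, Union

# ARM resource ids carry the subscription GUID as the second path segment.
SUBSCRIPTION_RE = re.compile(r"/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)

# Constructed sample state built from the ids visible in the issue: managed
# resources in one subscription, both secrets read from the "mgmt" vault.
# rg-mgmt is an assumed resource group name; the secret values are dummies.
MGMT_VAULT = ("/subscriptions/97bf3d55-80fa-4fa5-93f8-44387d3149ff"
              "/resourceGroups/rg-mgmt/providers/Microsoft.KeyVault/vaults/kv-test")
WORKLOAD_RG = "/subscriptions/736f48c0-585a-4ff4-8bec-1fcc23f025ec/resourceGroups/rg-tetufxic"
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {
        "resources": [
            {"address": "azurerm_key_vault.kv", "mode": "managed", "type": "azurerm_key_vault",
             "values": {"id": WORKLOAD_RG + "/providers/Microsoft.KeyVault/vaults/kv-tetufxic"}},
            {"address": "azurerm_key_vault_access_policy.access", "mode": "managed",
             "type": "azurerm_key_vault_access_policy",
             "values": {"id": WORKLOAD_RG + "/providers/Microsoft.KeyVault/vaults/kv-tetufxic"
                              "/objectId/a1a2e23f-114e-4423-8d39-d0db0892e802"}},
            {"address": "data.azurerm_key_vault_secret.domain_join_username", "mode": "data",
             "type": "azurerm_key_vault_secret",
             "values": {"name": "domain-join-username", "key_vault_id": MGMT_VAULT,
                        "value": "dummy-username"}},
            {"address": "data.azurerm_key_vault_secret.domain_join_password", "mode": "data",
             "type": "azurerm_key_vault_secret",
             "values": {"name": "domain-join-password", "key_vault_id": MGMT_VAULT,
                        "value": "dummy-password"}},
        ],
        "child_modules": [{"address": "module.naming", "resources": [
            {"address": "module.naming.random_string.first_letter", "mode": "managed",
             "type": "random_string", "values": {"id": "t", "result": "t"}},
        ]}],
    }},
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def subscription_of(resource_id: Optional[str]) -> Optional[str]:
    """Return the subscription GUID embedded in an ARM id, or None (e.g. random_string ids)."""
    match = SUBSCRIPTION_RE.search(resource_id or "")
    return match.group(1).lower() if match else None


def find_cross_subscription_secrets(state: Union[str, dict]) -> list:
    """Return one finding per azurerm_key_vault_secret data source whose vault lives in a
    subscription that holds none of the managed resources. The secret's `value`, which
    terraform keeps in state, is deliberately never copied into a finding."""
    if isinstance(state, str):
        state = json.loads(state)
    root = state.get("values", {}).get("root_module", {})
    managed_subscriptions = set()
    secret_sources = []
    for res in iter_resources(root):
        values = res.get("values") or {}
        if res.get("mode") == "managed":
            sub = subscription_of(values.get("id"))
            if sub:
                managed_subscriptions.add(sub)
        elif res.get("mode") == "data" and res.get("type") == "azurerm_key_vault_secret":
            secret_sources.append(res)
    findings = []
    for res in secret_sources:
        vault_sub = subscription_of(res["values"].get("key_vault_id"))
        if vault_sub and vault_sub not in managed_subscriptions:
            findings.append({
                "address": res["address"],
                "secret_name": res["values"].get("name"),
                "vault_subscription": vault_sub,
                "managed_subscriptions": sorted(managed_subscriptions),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_subscription_secrets(SAMPLE_STATE):
        print(f"{finding['address']}: vault in subscription {finding['vault_subscription']}, "
              f"managed resources in {', '.join(finding['managed_subscriptions'])}; "
              "attach a provider alias for the vault's subscription to this data source")
```

Run it against `terraform show -json > state.json` after the first apply; a flagged data source is one to give `provider = azurerm.mgmt` (or the alias for its subscription) before the next apply.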

Just to confirm the issue, even using the same subscription: the first apply will add the user to the policy, the second apply will remove the user, and so on.

L-u-k-e-GIT, Sep 23 '22 10:09

Thanks for opening this issue. This was a problem in the 2.x version of the provider which is no longer actively maintained. If this is still an issue with the 3.x version of the provider please do let us know by opening a new issue, thanks!

rcskosir, Jul 20 '23 16:07

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot], May 16 '24 02:05