Reputation: 721
Azure :: Terraform fails on azure keyvault secrets
I am noticing this wierd error since I moved whole of my code from 1.42.0 provider version to 2.19.0. I am creating several keyvault secrets. Earlier it when I try to execute a plan after appplying once, it used to refresh the state and proceed, but now after updating the provider version, I am noticing the below error.
Error: A resource with the ID "https://mytestingvault.vault.azure.net/secrets/hub-access/060e71ecd1084cb5a6a496f77a2aea5c" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.
Additionally I have added lifecycle ignore changes to see if it could skip reading the vault secret changes but unfortunately the same error is shown. Only way to get rid of the error is to delete the secret. What am i wrong here?
lifecycle {
ignore_changes = [
value,name
]
}
Upvotes: 0
Views: 3666
Answers (3)
Reputation: 229
The Terraform key vault documentation says:
Terraform will automatically recover a soft-deleted Key Vault during Creation if one is found - you can opt out of this using the features block within the Provider block.
You should configure your Terraform to stop recovering the softly deleted Key Vault like this:
provider "azurerm" {
features {
key_vault {
recover_soft_deleted_key_vaults = false
}
}
}
If you want Terraform to purge any softly deleted Key Vaults when using terraform destroy use this additional line:
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = true
recover_soft_deleted_key_vaults = false
}
}
}
Upvotes: 1
Reputation: 721
The issue was that keyvault even though was deleted, we had to purge it via cli using aws cli purge.
Upvotes: 0
Reputation: 16208
You probably need to read up on the general topic of Terraform state management. This is not specific to your Key Vault secret. Some resource (your secret) exists that was not created by the terraform workspace that you are just executing. TF does not like that. So you either need to import this pre-existing resource into the state of this workspace, or delete it so that it can be re-created (and thereby managed)
Upvotes: 0
Related Questions
- Terraform create a azure key vault
- Terraform azurerm_key_vault - Access policy raising errors
- Azure Terraform Unable to Set secret in KeyVault during deployment
- Problems with Azure Key Vault Access Policies when running Terraform Apply
- Terraform key vault access policy
- Azure Disk Encryption - via Terraform with Key vault - VmExtensionProvisioningError
- Terraform Populate secrets from central key vault
- Terraform azure - keyvault key generation - access denied
- Azure terraform reports Missing resource instance key
- Terraform azure keyVault SetSecret - Forbidden Access denied