Vaishnav

Reputation: 721

Azure :: Terraform fails on azure keyvault secrets

I am noticing this weird error since I moved the whole of my code from provider version 1.42.0 to 2.19.0. I am creating several keyvault secrets. Earlier, when I tried to execute a plan after applying once, it used to refresh the state and proceed, but now, after updating the provider version, I am noticing the error below.

Error: A resource with the ID "https://mytestingvault.vault.azure.net/secrets/hub-access/060e71ecd1084cb5a6a496f77a2aea5c" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.

Additionally, I have added lifecycle ignore_changes to see if it could skip reading the vault secret changes, but unfortunately the same error is shown. The only way to get rid of the error is to delete the secret. What am I doing wrong here?

  lifecycle {
    ignore_changes = [
      value, name
    ]
  }

Upvotes: 0

Views: 3666

Answers (3)

AndyB_Dev

Reputation: 229

The Terraform key vault documentation says:

Terraform will automatically recover a soft-deleted Key Vault during Creation if one is found - you can opt out of this using the features block within the Provider block.

You should configure your Terraform to stop recovering the softly deleted Key Vault like this:

provider "azurerm" {
  features {
    key_vault {
      recover_soft_deleted_key_vaults = false
    }
  }
}

If you want Terraform to purge any softly deleted Key Vaults when using terraform destroy, use this additional line:

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = false
    }
  }
}

Upvotes: 1

Vaishnav

Reputation: 721

The issue was that the keyvault, even though it was deleted, had to be purged via the CLI using aws cli purge.

Upvotes: 0

silent

Reputation: 16208

You probably need to read up on the general topic of Terraform state management. This is not specific to your Key Vault secret. Some resource (your secret) exists that was not created by the Terraform workspace that you are currently executing. TF does not like that. So you either need to import this pre-existing resource into the state of this workspace, or delete it so that it can be re-created (and thereby managed).

Upvotes: 0
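The two remediation paths raised in the answers above (import the existing secret into state, or purge the soft-deleted secret so it can be recreated) turned into a small script, added here as an example that is not part of any answer. It pulls the resource ID out of the azurerm error text, splits it into vault, secret name and version, and prints either the terraform import command or the az CLI commands; the Terraform resource address azurerm_key_vault_secret.hub_access is an assumed name.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Turns the azurerm
# "already exists" error into the two remediation commands discussed on this page.
# The Terraform resource address azurerm_key_vault_secret.hub_access is assumed.

# id_from_error ERROR_TEXT -> the resource ID quoted in the error message
id_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*with the ID "\([^"]*\)" already exists.*/\1/p'
}

# parse_secret_id ID -> "vault secret version"; fails on anything that is not a
# Key Vault secret URL of the form https://<vault>.vault.azure.net/secrets/<name>/<version>
parse_secret_id() {
  id="$1"
  case "$id" in
    https://*.vault.azure.net/secrets/*/*) ;;
    *) return 1 ;;
  esac
  rest="${id#https://}"
  vault="${rest%%.vault.azure.net/*}"
  rest="${rest#*/secrets/}"
  secret="${rest%%/*}"
  version="${rest#*/}"
  printf '%s %s %s\n' "$vault" "$secret" "$version"
}

# import_cmd ADDRESS ID -> adopt the existing secret version into state as-is
import_cmd() {
  printf 'terraform import %s "%s"\n' "$1" "$2"
}

# purge_cmds ID -> az CLI commands to inspect, then permanently delete, the
# soft-deleted secret so Terraform can recreate it. Purge cannot be undone.
purge_cmds() {
  fields=$(parse_secret_id "$1") || return 1
  set -- $fields
  printf 'az keyvault secret show-deleted --vault-name %s --name %s\n' "$1" "$2"
  printf 'az keyvault secret purge --vault-name %s --name %s\n' "$1" "$2"
}

# Constructed sample input: the error text quoted in the question.
SAMPLE_ERR='Error: A resource with the ID "https://mytestingvault.vault.azure.net/secrets/hub-access/060e71ecd1084cb5a6a496f77a2aea5c" already exists - to be managed via Terraform this resource needs to be imported into the State.'

id=$(id_from_error "$SAMPLE_ERR")
import_cmd azurerm_key_vault_secret.hub_access "$id"
purge_cmds "$id"
```

Importing keeps the secret version that already exists; the purge path destroys it permanently, so prefer import unless the secret is genuinely meant to be recreated.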
