If data source of azurerm_key_vault is referenced in a different subscription, key vaults in the current subscription are not detected/refreshed and will attempt be recreated

[lukecalderon]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.5

AzureRM Provider Version

3.33.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

terraform {
  backend "azurerm" {
    tenant_id            = "tenant-id"
    subscription_id      = "tfstate-sub-id" 
    resource_group_name  = "rg-tfstate-sub"
    storage_account_name = "satfstate"
    container_name       = "tfstate"
    key                  = "dev.tfstate"
  }
}

provider "azurerm" {
  skip_provider_registration = false
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }

  subscription_id = "target-resource-sub-id"
}


resource "azurerm_key_vault" "fetch" {
  name                = "kv-comp-dev-dhf-uks-001"
  location            = "uksouth"
  resource_group_name = azurerm_resource_group.main.name

  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  enable_rbac_authorization  = true
}

Debug Output/Panic Output

## Resource Refresh
2022-11-30T22:35:36.8228391Z azurerm_key_vault.fetch: Refreshing state... [id=/subscriptions/target-resource-sub-id/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/kv-comp-dev-dhf-uks-001]

## API Call being made (note subscription ID has changed)
2022-11-30T22:35:36.8269896Z 2022-11-30T22:35:36.826Z [DEBUG] provider.terraform-provider-azurerm_v3.33.0_x5: AzureRM Request: 
2022-11-30T22:35:36.8270975Z GET /subscriptions/tfstate-sub-id/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/kv-comp-dev-dhf-uks-001?api-version=2021-10-01 HTTP/1.1

## Actual API response
2022-11-30T22:35:36.8463135Z 2022-11-30T22:35:36.845Z [DEBUG] provider.terraform-provider-azurerm_v3.33.0_x5: AzureRM Response for https://management.azure.com/subscriptions/tfstate-sub-id/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/kv-comp-dev-dhf-uks-001?api-version=2021-10-01: 
2022-11-30T22:35:36.8465331Z HTTP/2.0 404 Not Found
2022-11-30T22:35:36.8466702Z Content-Length: 127
2022-11-30T22:35:36.8467034Z Cache-Control: no-cache
2022-11-30T22:35:36.8467639Z Content-Type: application/json; charset=utf-8
2022-11-30T22:35:36.8467979Z Date: Wed, 30 Nov 2022 22:35:36 GMT
2022-11-30T22:35:36.8469308Z Expires: -1
2022-11-30T22:35:36.8469576Z Pragma: no-cache
2022-11-30T22:35:36.8471021Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2022-11-30T22:35:36.8472477Z X-Content-Type-Options: nosniff
2022-11-30T22:35:36.8474394Z X-Ms-Correlation-Request-Id: cd063cc1-e462-374a-61fe-868cfdbe8de7
2022-11-30T22:35:36.8475049Z X-Ms-Failure-Cause: gateway
2022-11-30T22:35:36.8475629Z X-Ms-Request-Id: b89189b4-61fe-408d-9a02-299ca7916c07
2022-11-30T22:35:36.8476316Z X-Ms-Routing-Request-Id: UKWEST:20221130T223536Z:b89189b4-61fe-408d-9a02-299ca7916c07

## Cannot find resource group (as it's not in the tfstate-sub, it's in the target-resource-sub)
2022-11-30T22:35:36.8500447Z {"error":{"code":"ResourceGroupNotFound","message":"Resource group 'rg-name' could not be found."}}: timestamp=2022-11-30T22:35:36.846Z

## Then TF removes it from the state file
2022-11-30T22:35:36.8540674Z 2022-11-30T22:35:36.848Z [DEBUG] provider.terraform-provider-azurerm_v3.33.0_x5: Vault: (Name "kv-comp-dev-dhf-uks-001" / Resource Group "rg-name") was not found - removing from state!: timestamp=2022-11-30T22:35:36.848Z

Expected Behaviour

On the terraform refresh, the request URI to Azure to get the resource details should retain the same subscription ID that is stored in the state file, and therefore return the resource.

Actual Behaviour

Terraform substitutes the resource's subscription ID for that of the TF State subscription ID. This returns a 404 as the resource group and resource do not exist in that resource group.

This only happens with key vaults - other resources in the same TF project (e.g. storage accounts, data factory) are all fine.

The only potential thing I can see here is that I have other azurerm_key_vaults referenced as data sources in a third subscription, using a provider alias.

Steps to Reproduce

From an Azure pipeline, the following runs:

- task: TerraformTaskV2@2
              displayName: 'Terraform Init'
              inputs:
                provider: 'azurerm'
                command: 'init'
                commandOptions: ${{ parameters.init_parameters }}
                backendServiceArm: ${{ parameters.service_connection }}
                backendAzureRmResourceGroupName: ${{ parameters.backend_rg }}
                backendAzureRmStorageAccountName: ${{ parameters.backend_sa }}
                backendAzureRmContainerName: ${{ parameters.backend_cont }}
                backendAzureRmKey: '${{ parameters.backend_key }}.tfstate'
                workingDirectory: '$(Pipeline.Workspace)/infra-ci/terraform/${{ parameters.working_dir }}'

            - task: AzureCLI@2
              displayName: 'Terraform Apply'
              inputs:
                azureSubscription: ${{ parameters.service_connection }}
                addSpnToEnvironment: true
                scriptType: pscore
                scriptLocation: inlineScript
                inlineScript: |
                  $env:ARM_CLIENT_ID       ??= $env:servicePrincipalId
                  $env:ARM_CLIENT_SECRET   ??= $env:servicePrincipalKey
                  $env:ARM_TENANT_ID       ??= $env:tenantId
                  $env:ARM_SUBSCRIPTION_ID = '${{ parameters.target_sub }}'

                  # az account set -s ${{ parameters.target_sub }}

                  $env:TF_LOG = 'Debug'

                  terraform apply -var-file="${{ parameters.var_file }}" -auto-approve
                workingDirectory: '$(Pipeline.Workspace)/infra-ci/terraform/${{ parameters.working_dir }}'

Important Factoids

No response

References

No response

[lukecalderon]

Just had time to do further testing - it definitely seems that removing the data looking of another key vault in a different subscription has stopped this issue.

provider "azurerm" {
  alias = azurerm.bootstrap
  skip_provider_registration = false
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }

  subscription_id = "tfstate-sub-id"
}

data "azurerm_key_vault" "spn" {
  provider = azurerm.bootstrap

  name                = var.spn_keyvault_name
  resource_group_name = var.spn_keyvault_rg
}

data "azurerm_key_vault_secret" "spn_client_id" {
  key_vault_id = data.azurerm_key_vault.spn.id
  name         = "terraform-spn-clientid"
}

[github-actions]

This functionality has been released in v3.35.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.