
azurerm_key_vault - fix two kv in different sub issue #19531

Merged
merged 1 commit into from
Dec 5, 2022

Conversation

teowa
Contributor

@teowa teowa commented Dec 2, 2022

resolves #19509

background

Assume we have

  • kv1 in subscription1
  • kv2 in subscription2
  • a resource or data source (e.g. azurerm_key_vault_secret or azurerm_storage_account) in subscription1 depends on the kv2

the config is like:

```hcl
provider "azurerm" {
  features {}
  alias           = "sub1"
  subscription_id = "11111111-1111-1111-1111-111111111111"
}

data "azurerm_client_config" "current" {
  # pinned to an aliased provider: no default (un-aliased) azurerm block is declared above
  provider = azurerm.sub1
}

resource "azurerm_resource_group" "test" {
  provider = azurerm.sub1
  name     = "wt-test-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "kv1" {
  provider                    = azurerm.sub1
  name                        = "wtttmplekeyvault1"
  location                    = azurerm_resource_group.test.location
  resource_group_name         = azurerm_resource_group.test.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name   = "standard"
  # intentionally let the datasource refresh before this kv, and this kv will be removed from state.
  depends_on = [data.azurerm_key_vault_secret.test]
}

data "azurerm_key_vault_secret" "test" {
  provider     = azurerm.sub1
  key_vault_id = azurerm_key_vault.kv2.id
  name         = azurerm_key_vault_secret.test.name
}

####

provider "azurerm" {
  features {}
  alias           = "sub2"
  subscription_id = "22222222-2222-2222-2222-222222222222"
}

resource "azurerm_resource_group" "test2" {
  provider = azurerm.sub2
  name     = "wt-test-resources2"
  location = "West Europe"
}

resource "azurerm_key_vault" "kv2" {
  provider                   = azurerm.sub2
  name                       = "wtttmplekeyvault2"
  location                   = azurerm_resource_group.test2.location
  resource_group_name        = azurerm_resource_group.test2.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    secret_permissions = [
      "Set",
      "Get",
      "Delete",
      "Purge",
      "Recover",
      "List"
    ]
  }
}

resource "azurerm_key_vault_secret" "test" {
  provider     = azurerm.sub2
  name         = "test"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.kv2.id
}
```

Replace the two subscription ids in the above config with real ones, and run `terraform apply -auto-approve` twice.

During the refresh step before the second apply, data.azurerm_key_vault_secret.test calls the BaseUriForKeyVault function, which modifies the subscription_id of the KeyVaultsClient within the provider scope. After that the KeyVaultsClient cannot reach azurerm_key_vault.kv1, and azurerm_key_vault.kv1 is removed from state.

But the later apply will then try to recreate kv1 in another thread in sub1, which returns a "resource already exists" error.
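To make the failure mode described above concrete, here is an added Go model (not code from the provider or from this PR) of a provider-scoped client whose subscription is retargeted by a lookup helper and never restored, replayed sequentially in the order the refresh runs. The names `KeyVaultsClient`, `baseURIMutating`, `baseURIIsolated` and the `fakeARM` map are constructed stand-ins; the per-call copy shown as the remedy is an illustrative assumption, not necessarily what the merged commit does.

```go
package main

import (
	"errors"
	"fmt"
)

// vaultKey identifies a vault by subscription and name (constructed stand-in for an ARM ID).
type vaultKey struct{ sub, name string }

// fakeARM is a constructed stand-in for the Azure API: each vault exists in exactly one subscription.
var fakeARM = map[vaultKey]string{
	{"1111", "kv1"}: "https://kv1.vault.azure.net/",
	{"2222", "kv2"}: "https://kv2.vault.azure.net/",
}

var errNotFound = errors.New("vault not found in subscription")

// KeyVaultsClient mimics a provider-scoped client with a mutable SubscriptionID.
type KeyVaultsClient struct {
	SubscriptionID string
}

// Get resolves a vault's base URI in the client's current subscription.
func (c *KeyVaultsClient) Get(name string) (string, error) {
	uri, ok := fakeARM[vaultKey{c.SubscriptionID, name}]
	if !ok {
		return "", fmt.Errorf("%w: %s in %s", errNotFound, name, c.SubscriptionID)
	}
	return uri, nil
}

// baseURIMutating models the bug: it retargets the shared client to the vault's
// subscription and never restores it, so later callers on the same client hit the
// wrong subscription and see their own vault as missing.
func baseURIMutating(shared *KeyVaultsClient, vaultSub, name string) (string, error) {
	shared.SubscriptionID = vaultSub
	return shared.Get(name)
}

// baseURIIsolated (assumed remedy) works on a per-call copy so the provider-scoped
// client keeps its own subscription.
func baseURIIsolated(shared *KeyVaultsClient, vaultSub, name string) (string, error) {
	local := *shared // shallow copy; the shared client is untouched
	local.SubscriptionID = vaultSub
	return local.Get(name)
}

// refreshSequence replays the scenario: the data source for a secret in kv2 (sub 2222)
// is refreshed first, then kv1 (sub 1111) is read through the same provider client.
// It reports whether kv1 was still reachable after the data source lookup.
func refreshSequence(lookup func(*KeyVaultsClient, string, string) (string, error)) (kv1Found bool, err error) {
	client := &KeyVaultsClient{SubscriptionID: "1111"} // provider "azurerm.sub1"
	if _, err := lookup(client, "2222", "kv2"); err != nil {
		return false, err
	}
	_, err = client.Get("kv1")
	return err == nil, err
}

func main() {
	found, err := refreshSequence(baseURIMutating)
	fmt.Println("mutating shared client: kv1 found =", found, "err =", err)
	found, err = refreshSequence(baseURIIsolated)
	fmt.Println("per-call copy:          kv1 found =", found, "err =", err)
}
```

With the mutating helper the second read fails with a not-found error for kv1 in subscription 2222, which is exactly the condition that makes a provider drop the resource from state and then collide with the still-existing vault on the next apply; with the per-call copy kv1 stays reachable.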

Collaborator

@katbyte katbyte left a comment


LGTM ⛈️

@katbyte katbyte merged commit 9384b02 into hashicorp:main Dec 5, 2022
@github-actions github-actions bot added this to the v3.35.0 milestone Dec 5, 2022
katbyte added a commit that referenced this pull request Dec 5, 2022
@github-actions

github-actions bot commented Dec 9, 2022

This functionality has been released in v3.35.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

github-actions bot commented Jan 9, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2023