fatal error : account storage resources cannot be created when using cmk #28296

Open
kuma0128 opened this issue Dec 16, 2024 · 0 comments · May be fixed by #28297


kuma0128 commented Dec 16, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.10.1

AzureRM Provider Version

4.14.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "main" {
  name                = "tfstatestoracc${random_password.storage_account_suffix.result}"
  resource_group_name = var.rg_name

  location                 = var.region
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = false

  https_traffic_only_enabled      = true
  public_network_access_enabled   = true
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"

  blob_properties {
    versioning_enabled = true
    container_delete_retention_policy {
      days = 7
    }
    change_feed_enabled           = true
    change_feed_retention_in_days = 7
  }

  identity {
    type = "SystemAssigned"
  }

  customer_managed_key {
    key_vault_key_id          = azurerm_key_vault_key.main.id
    # user_assigned_identity_id = "/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/tmp/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tmp"
  }

  tags = {
    environment = var.environment
  }

  # lifecycle {
  #   ignore_changes = [
  #     customer_managed_key.0.user_assigned_identity_id,
  #   ]
  # }
}

Debug Output/Panic Output

https://gist.github.com/kuma0128/accfb42a750ed119cf57695d7892c606

Expected Behaviour

When created manually, it’s possible to set the CMK for the account storage with the identity type set to "SystemAssigned". However, when attempting to apply the configuration using Terraform, it complains that "user_assigned_identity_id" is required, and the apply action fails. Looking at the JSON of the manually created resource, "user_assigned_identity_id" is an empty string. This suggests that requiring "user_assigned_identity_id" itself is incorrect. The mandatory field should be "key_vault_key_id," not "user_assigned_identity_id."

Actual Behaviour

The key_vault_key_id should be a required parameter, while user_assigned_identity_id should be optional. In this way, it would be possible to assign a CMK when using a SystemAssigned identity via terraform apply.

Steps to Reproduce

  1. terraform apply

Important Factoids

Running in Azure japaneast

References

No response
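
A two-step layout that avoids the inline `customer_managed_key` block, added here as an example and not part of the issue or the provider's own code: the account is created with its system-assigned identity first, that identity is then granted access to the key, and the key is attached through the provider's separate `azurerm_storage_account_customer_managed_key` resource. The `azurerm_key_vault.main` reference, the access-policy permission model and the account name are assumptions.

```hcl
# Added example, not from the issue. Assumes azurerm_key_vault.main and
# azurerm_key_vault_key.main are defined elsewhere, and that the vault uses
# access policies (not RBAC) and has purge protection enabled.

resource "azurerm_storage_account" "main" {
  name                     = "examplecmkstorage" # constructed placeholder
  resource_group_name      = var.rg_name
  location                 = var.region
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"

  identity {
    type = "SystemAssigned"
  }

  # The key is attached by the separate resource below, so this resource
  # must not try to reconcile its own customer_managed_key block.
  lifecycle {
    ignore_changes = [customer_managed_key]
  }
}

# The system-assigned principal only exists after the account is created,
# so access to the key is granted in a second step, with only the
# permissions needed to wrap and unwrap the account encryption key.
resource "azurerm_key_vault_access_policy" "storage" {
  key_vault_id    = azurerm_key_vault.main.id
  tenant_id       = azurerm_storage_account.main.identity[0].tenant_id
  object_id       = azurerm_storage_account.main.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Attach the key once the identity can read it.
resource "azurerm_storage_account_customer_managed_key" "main" {
  storage_account_id = azurerm_storage_account.main.id
  key_vault_id       = azurerm_key_vault.main.id
  key_name           = azurerm_key_vault_key.main.name

  depends_on = [azurerm_key_vault_access_policy.storage]
}
```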
