hashicorp · mbfrahry · Oct 30, 2024 · Oct 29, 2024
@@ -265,21 +265,12 @@ func resourceKeyVaultKey() *pluginsdk.Resource {
 					return false // If old or new values are not strings, don't force new
 				}
 
-				// Parse old and new expiration dates
-				oldDate, err1 := time.Parse(time.RFC3339, oldDateStr)
-				newDate, err2 := time.Parse(time.RFC3339, newDateStr)
-				if err1 != nil || err2 != nil {
-					return false // If there are parsing errors, don't force new
+				// There isn't a way to remove the expiration date from a key so we'll recreate the resource when it's removed from config
+				if oldDateStr != "" && newDateStr == "" {
+					return true
 				}
 
-				// Compare old and new expiration dates
-				if newDate.After(oldDate) {
-					// If the new expiration date is further in the future, allow update
-					return false
-				}
-
-				// If the new expiration date is not further, force recreation
-				return true
+				return false
 			}),
 		),
 	}

@@ -137,6 +137,47 @@ func TestAccKeyVaultKey_complete(t *testing.T) {
 	})
 }
 
+func TestAccKeyVaultKey_updateExpirationDate(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_key_vault_key", "test")
+	r := KeyVaultKeyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.complete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("not_before_date").HasValue("2020-01-01T01:02:03Z"),
+				check.That(data.ResourceName).Key("expiration_date").HasValue("2021-01-01T01:02:03Z"),
+				check.That(data.ResourceName).Key("tags.%").HasValue("1"),
+				check.That(data.ResourceName).Key("tags.hello").HasValue("world"),
+				check.That(data.ResourceName).Key("versionless_id").HasValue(fmt.Sprintf("https://acctestkv-%s.vault.azure.net/keys/key-%s", data.RandomString, data.RandomString)),
+			),
+		},
+		data.ImportStep("key_size", "key_vault_id"),
+		{
+			Config: r.expirationDate(data, "2021-01-01T01:02:03Z"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("key_size", "key_vault_id"),
+		{
+			Config: r.expirationDate(data, "2022-01-01T01:02:03Z"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("key_size", "key_vault_id"),
+		{
+			Config: r.expirationDate(data, "2021-01-01T01:02:03Z"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("key_size", "key_vault_id"),
+	})
+}
+
 func TestAccKeyVaultKey_softDeleteRecovery(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_key_vault_key", "test")
 	r := KeyVaultKeyResource{}
@@ -643,6 +684,38 @@ resource "azurerm_key_vault_key" "test" {
 `, r.templateStandard(data), data.RandomString)
 }
 
+func (r KeyVaultKeyResource) expirationDate(data acceptance.TestData, expirationDate string) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
+resource "azurerm_key_vault_key" "test" {
+  name            = "key-%s"
+  key_vault_id    = azurerm_key_vault.test.id
+  key_type        = "RSA"
+  key_size        = 2048
+  not_before_date = "2020-01-01T01:02:03Z"
+  expiration_date = "%s"
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  tags = {
+    "hello" = "world"
+  }
+}
+`, r.templateStandard(data), data.RandomString, expirationDate)
+}
+
 func (r KeyVaultKeyResource) basicUpdated(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {

@@ -111,7 +111,9 @@ The following arguments are supported:
 
 ~> **Note:** Once `expiration_date` is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
 
-* `expiration_date` - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
+* `expiration_date` - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
+
+~> **Note:** Removing this field from the config forces a new resource to be created.
 
 * `tags` - (Optional) A mapping of tags to assign to the resource.