
I am noticing this weird error since I moved all of my code from provider version 1.42.0 to 2.19.0. I am creating several key vault secrets. Earlier, when I tried to execute a plan after applying once, it used to refresh the state and proceed, but now, after updating the provider version, I am noticing the below error.

Error: A resource with the ID "https://mytestingvault.vault.azure.net/secrets/hub-access/060e71ecd1084cb5a6a496f77a2aea5c" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.

Additionally, I have added lifecycle ignore_changes to see if it could skip reading the vault secret changes, but unfortunately the same error is shown. The only way to get rid of the error is to delete the secret. What am I doing wrong here?

  lifecycle {
    ignore_changes = [
      value, name
    ]
  }
Vaishnav
  • " Only way to get rid of the error is to delete the secret" - that should not be true. As it says in the error message, you could also import the existing secrets into tf state – silent Aug 12 '21 at 08:21
  • I am still not clear why I should import. Once I create a secret, its value is not changed. I understand it probably has something to do with the vault secret versioning. Any idea why the lifecycle ignore_changes does not work @silent? – Vaishnav Aug 12 '21 at 08:31

3 Answers


The Terraform key vault documentation says:

Terraform will automatically recover a soft-deleted Key Vault during Creation if one is found - you can opt out of this using the features block within the Provider block.

You should configure your Terraform to stop recovering the softly deleted Key Vault like this:

provider "azurerm" {
  features {
    key_vault {
      recover_soft_deleted_key_vaults = false
    }
  }
}

If you want Terraform to purge any softly deleted Key Vaults when using terraform destroy use this additional line:

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = false
    }
  }
}
AndyB_Dev
  • Good catch, but I didn't want to modify the TF files yet, so I followed the steps in the below link to purge it manually and got over my block. Thank you. https://stackoverflow.com/a/63789911/3154857 – Gilberto Treviño Feb 10 '23 at 14:38

You probably need to read up on the general topic of Terraform state management. This is not specific to your Key Vault secret. Some resource (your secret) exists that was not created by the Terraform workspace that you are currently executing. TF does not like that. So you either need to import this pre-existing resource into the state of this workspace, or delete it so that it can be re-created (and thereby managed).

silent
  • I don't quite understand that. I am storing my backend in an Azure container, and none of the other resources created when running plan again show this error. How could it apply only to key vault secrets? And by default, as long as I am using the same state file, unless I specify a workspace, my understanding is that it should always refer to the default workspace. Am I wrong here? – Vaishnav Aug 12 '21 at 10:27

The issue was that, even though the key vault was deleted, we had to purge it via the CLI using aws cli purge.

Vaishnav
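The two remediations the answers above describe (import the existing secret into state, or purge the soft-deleted copy that still holds the name) can be derived mechanically from the provider's error text. The script below is an added example, not code from any of the answers or from the azurerm provider: it parses the "already exists" message, validates that the quoted ID has the versioned-secret shape that `azurerm_key_vault_secret` expects on import, and prints the `terraform import` command plus the `az` commands that reveal and purge a soft-deleted secret or vault. The resource address `azurerm_key_vault_secret.hub_access` is an assumption and must match your own resource block; the sample error is constructed from the question.

```shell
#!/bin/sh
# Added example, not code from any answer in this thread. It turns the
# provider's "already exists" error into the two remediations discussed:
# importing the existing secret, or purging the soft-deleted copy that keeps
# the name unavailable. Only text is parsed; the az commands are printed,
# never executed, because purging is irreversible.
# The Terraform address azurerm_key_vault_secret.hub_access is an assumption.

# Constructed sample: the error text quoted in the question.
SAMPLE_ERROR='Error: A resource with the ID "https://mytestingvault.vault.azure.net/secrets/hub-access/060e71ecd1084cb5a6a496f77a2aea5c" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.'

# extract_secret_id ERROR_TEXT
# Prints the versioned secret ID quoted in the error. Fails (exit 1) unless the
# ID has the shape https://<vault>.vault.azure.net/secrets/<name>/<32-hex-version>,
# which is the ID form azurerm_key_vault_secret accepts on import.
extract_secret_id() {
  printf '%s\n' "$1" |
    sed -n 's|.*ID "\(https://[A-Za-z0-9-]*\.vault\.azure\.net/secrets/[A-Za-z0-9-]*/[0-9a-f]\{32\}\)".*|\1|p' |
    grep .
}

# secret_id_parts SECRET_ID
# Prints "<vault> <secret-name> <version>" separated by single spaces.
secret_id_parts() {
  printf '%s\n' "$1" | awk -F/ '{
    vault = $3; sub(/\.vault\.azure\.net$/, "", vault)
    print vault, $5, $6
  }'
}

# import_command TF_ADDRESS ERROR_TEXT
# Prints the terraform import invocation that adopts the existing secret into
# state instead of letting the provider try to create it again.
import_command() {
  id=$(extract_secret_id "$2") || return 1
  printf 'terraform import %s "%s"\n' "$1" "$id"
}

# purge_commands ERROR_TEXT
# Prints the az commands that show whether a soft-deleted secret, or the whole
# soft-deleted vault, still owns the name, and the purge commands that free it.
purge_commands() {
  id=$(extract_secret_id "$1") || return 1
  set -- $(secret_id_parts "$id")
  vault=$1
  name=$2
  printf 'az keyvault secret list-deleted --vault-name %s\n' "$vault"
  printf 'az keyvault secret purge --vault-name %s --name %s\n' "$vault" "$name"
  printf 'az keyvault list-deleted\n'
  printf 'az keyvault purge --name %s\n' "$vault"
}

# Usage with the constructed sample: review the printed commands before running them.
import_command azurerm_key_vault_secret.hub_access "$SAMPLE_ERROR"
purge_commands "$SAMPLE_ERROR"
```

Importing is the non-destructive path when the secret in the vault is the one you want Terraform to own; purging is only appropriate when the soft-deleted secret or vault is genuinely unwanted, since purge cannot be undone. Note that `lifecycle { ignore_changes }` cannot help here: it only affects diffs on a resource already in state, whereas this error is raised at creation time, before the secret has a state entry.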