hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.59k stars 4.63k forks

Unexpected new value in "azurerm_key_vault_certificate" resource #10384

Closed shubhisethi closed 3 years ago

shubhisethi commented 3 years ago

#6888 https://github.com/terraform-providers/terraform-provider-azurerm/issues/6888

Terraform (and AzureRM Provider) Version

Terraform CLI v0.13.3
Azure Provider v2.45.1

Affected Resource(s)

azurerm_key_vault_certificate

Terraform Configuration Files

```hcl
resource "azurerm_resource_group" "kv-rg" {
  name     = "example-key-vault-resources"
  location = "centralus"
}

data "azurerm_client_config" "current" {}

resource "azurerm_user_assigned_identity" "example_uai" {
  name                = "example-user-assigned-identity"
  location            = azurerm_resource_group.kv-rg.location
  resource_group_name = azurerm_resource_group.kv-rg.name
}

resource "azurerm_key_vault" "example_key_vault" {
  name                = "example-KeyVault"
  location            = azurerm_resource_group.kv-rg.location
  resource_group_name = azurerm_resource_group.kv-rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    certificate_permissions = [
      "get", "list", "import", "delete", "create", "update", "recover", "purge"
    ]
  }

  # This access policy allows the identity to be granted get and list access to the secret.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = azurerm_user_assigned_identity.example_uai.principal_id
    secret_permissions = ["get", "list"]
  }
}

# Generating a new certificate
resource "azurerm_key_vault_certificate" "kv_cert" {
  name         = "example-generated-cert"
  key_vault_id = azurerm_key_vault.example_key_vault.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject            = "CN=example.iac"
      validity_in_months = 12
    }
  }
}
```

Expected Behavior

The certificate should be created in the Key Vault.

Actual Behavior

The provider throws this error sporadically:

```text
Error: Provider produced inconsistent result after apply

When applying changes to azurerm_key_vault_secret.blob_accountkey, provider "registry.terraform.io/-/azurerm" produced an unexpected new value for was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own issue tracker.
```

Steps to Reproduce

`terraform apply`

aglees commented 3 years ago

I think this is another instance of #10371

BenWyattMilliman commented 3 years ago

FYI, I work with @shubhisethi, and we found that this issue was resolved by using v2.44 of the Azure RM provider, which is consistent with what the author of #10371 experienced.

tombuildsstuff commented 3 years ago

Duplicate of #10371 - thanks for the cross-link @aglees @BenWyattMilliman - would you mind subscribing to #10371 for updates @shubhisethi? Thanks!

ghost commented 3 years ago

This has been released in version 2.46.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

```hcl
provider "azurerm" {
    version = "~> 2.46.0"
}
# ... other configuration ...
```
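
The `version` argument inside a `provider` block, as in the snippet above, is deprecated on Terraform 0.13 (the CLI version in this report); the supported way to pin the provider release that carries the fix is a `required_providers` block. The configuration below is an added example and is not part of the original thread or of the provider's documentation; the `required_version` and the `~> 2.46.0` constraint are chosen to match the versions discussed here and are assumptions about what a reader on 0.13.x wants.

```hcl
terraform {
  # Terraform 0.13 is the CLI version in this report; required_providers
  # with a source address is the 0.13+ form of provider pinning.
  required_version = ">= 0.13"

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"

      # 2.46.0 is the release named in this thread as carrying the fix.
      # "~> 2.46.0" permits 2.46.x patch releases only; use "= 2.46.0" if
      # every machine must resolve the identical plugin build before the
      # dependency lock file (Terraform 0.14+) is available to you.
      version = "~> 2.46.0"
    }
  }
}

provider "azurerm" {
  # The features block is mandatory on azurerm 2.x, even when left empty.
  features {}
}
```

After changing the constraint run `terraform init -upgrade` so the already-installed 2.45.1 plugin is replaced rather than reused from the local plugin cache; `terraform version` then lists the provider build that will actually apply.
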

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!