hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault network_acls default_action is not working #17709

Closed DaleyKD closed 2 years ago

DaleyKD commented 2 years ago

Terraform Version

1.2.4

AzureRM Provider Version

3.14.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

provider "azurerm" {
  environment     = var.azure_cloud
  tenant_id       = var.azure_tenant_id
  subscription_id = var.azure_subscription_id
  features {}
}

resource "azurerm_key_vault" "vault" {
  name                        = var.name
  location                    = var.location
  resource_group_name         = var.resource_group_name
  enabled_for_disk_encryption = true
  tenant_id                   = var.azure_tenant_id
  soft_delete_retention_days  = var.soft_delete_retention_days
  sku_name                    = "standard"

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = []
  }
}

Debug Output/Panic Output

2022-07-21T11:50:21.144-0500 [INFO]  Terraform version: 1.2.4
2022-07-21T11:50:21.147-0500 [INFO]  Go runtime version: go1.18.1
2022-07-21T11:50:21.147-0500 [INFO]  CLI args: []string{"C:\\ProgramData\\chocolatey\\lib\\terraform\\tools\\terraform.exe", "apply"}
2022-07-21T11:50:21.159-0500 [INFO]  CLI command args: []string{"apply"}
2022-07-21T11:50:21.673-0500 [INFO]  backend/local: starting Apply operation
2022-07-21T11:50:23.961-0500 [INFO]  provider: configuring client automatic mTLS
2022-07-21T11:50:24.052-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: configuring server automatic mTLS: timestamp=2022-07-21T11:50:24.049-0500
2022-07-21T11:50:24.060-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Administrative Units"..: timestamp=2022-07-21T11:50:24.060-0500
2022-07-21T11:50:24.061-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Administrative Units"..: timestamp=2022-07-21T11:50:24.060-0500
2022-07-21T11:50:24.061-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Applications"..: timestamp=2022-07-21T11:50:24.060-0500
2022-07-21T11:50:24.061-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Applications"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.061-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "App Role Assignments"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.061-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "App Role Assignments"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "ConditionalAccess"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "ConditionalAccess"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Directory Roles"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Directory Roles"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Domains"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Domains"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Groups"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Groups"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Invitations"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Invitations"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.062-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Policies"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.063-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Policies"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.063-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Service Principals"..: timestamp=2022-07-21T11:50:24.061-0500
2022-07-21T11:50:24.063-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Service Principals"..: timestamp=2022-07-21T11:50:24.062-0500
2022-07-21T11:50:24.063-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Resources for "Users"..: timestamp=2022-07-21T11:50:24.062-0500
2022-07-21T11:50:24.063-0500 [INFO]  provider.terraform-provider-azuread_v2.26.1_x5.exe: 2022/07/21 11:50:24 [DEBUG] Registering Data Sources for "Users"..: timestamp=2022-07-21T11:50:24.062-0500
2022-07-21T11:50:24.104-0500 [INFO]  provider: configuring client automatic mTLS
2022-07-21T11:50:24.162-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: configuring server automatic mTLS: timestamp=2022-07-21T11:50:24.159-0500
2022-07-21T11:50:24.349-0500 [INFO]  provider: configuring client automatic mTLS
2022-07-21T11:50:24.399-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: configuring server automatic mTLS: timestamp=2022-07-21T11:50:24.397-0500
2022-07-21T11:50:24.642-0500 [INFO]  backend/local: apply calling Plan
2022-07-21T11:50:24.646-0500 [INFO]  provider: configuring client automatic mTLS
2022-07-21T11:50:24.697-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: configuring server automatic mTLS: timestamp=2022-07-21T11:50:24.694-0500
2022-07-21T11:50:24.927-0500 [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/hashicorp/azurerm\"]" changed the config value, but that value is unused
2022-07-21T11:50:24.928-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Service Principal / Client Certificate is applicable for Authentication..: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:24.928-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:24.929-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Service Principal / Client Secret is applicable for Authentication..: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:24.929-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if OIDC is applicable for Authentication..: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:24.929-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Managed Service Identity is applicable for Authentication..: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:24.929-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Obtaining a Multi-tenant token from the Azure CLI is applicable for Authentication..: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:24.929-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Obtaining a token from the Azure CLI is applicable for Authentication..: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:24.929-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Using Obtaining a token from the Azure CLI for Authentication: timestamp=2022-07-21T11:50:24.928-0500
2022-07-21T11:50:28.765-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: authenticated object ID cache miss, populating with: "2f77e3de-561f-456f-be66-5f76cc3900a0": timestamp=2022-07-21T11:50:28.765-0500
2022-07-21T11:50:28.765-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant 513ccc91-e896-420c-883c-4f65d53a3775: timestamp=2022-07-21T11:50:28.765-0500
2022-07-21T11:50:43.412-0500 [INFO]  ReferenceTransformer: reference not found: "var.location"
2022-07-21T11:50:43.412-0500 [INFO]  ReferenceTransformer: reference not found: "var.azure_tenant_id"
2022-07-21T11:50:43.412-0500 [INFO]  ReferenceTransformer: reference not found: "var.resource_group_name"
2022-07-21T11:50:43.416-0500 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_key_vault.vault, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .network_acls[0].ip_rules: planned value cty.NullVal(cty.Set(cty.String)) does not match config value cty.SetValEmpty(cty.String)

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_key_vault.vault will be created
  + resource "azurerm_key_vault" "vault" {
      + access_policy               = (known after apply)
      + enabled_for_disk_encryption = true
      + id                          = (known after apply)
      + location                    = "centralus"
      + name                        = "kdd-test-vault-issue"
      + resource_group_name         = "stg-stratus-centralus-resources"
      + sku_name                    = "standard"
      + soft_delete_retention_days  = 90
      + tenant_id                   = "513ccc91-e896-420c-883c-4f65d53a3775"
      + vault_uri                   = (known after apply)

      + network_acls {
          + bypass         = "AzureServices"
          + default_action = "Deny"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

2022-07-21T11:50:46.565-0500 [INFO]  backend/local: apply calling Apply
2022-07-21T11:50:46.568-0500 [INFO]  provider: configuring client automatic mTLS
2022-07-21T11:50:46.623-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: configuring server automatic mTLS: timestamp=2022-07-21T11:50:46.620-0500
2022-07-21T11:50:46.851-0500 [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/hashicorp/azurerm\"]" changed the config value, but that value is unused
2022-07-21T11:50:46.852-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Service Principal / Client Certificate is applicable for Authentication..: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:46.854-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:46.854-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Service Principal / Client Secret is applicable for Authentication..: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:46.855-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if OIDC is applicable for Authentication..: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:46.855-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Managed Service Identity is applicable for Authentication..: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:46.856-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Obtaining a Multi-tenant token from the Azure CLI is applicable for Authentication..: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:46.856-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Testing if Obtaining a token from the Azure CLI is applicable for Authentication..: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:46.857-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Using Obtaining a token from the Azure CLI for Authentication: timestamp=2022-07-21T11:50:46.852-0500
2022-07-21T11:50:50.765-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: authenticated object ID cache miss, populating with: "2f77e3de-561f-456f-be66-5f76cc3900a0": timestamp=2022-07-21T11:50:50.765-0500
2022-07-21T11:50:50.765-0500 [INFO]  provider.terraform-provider-azurerm_v3.14.0_x5.exe: Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant 513ccc91-e896-420c-883c-4f65d53a3775: timestamp=2022-07-21T11:50:50.765-0500
2022-07-21T11:51:06.222-0500 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_key_vault.vault, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .network_acls[0].ip_rules: planned value cty.NullVal(cty.Set(cty.String)) does not match config value cty.SetValEmpty(cty.String)
azurerm_key_vault.vault: Creating...
2022-07-21T11:51:06.224-0500 [INFO]  Starting apply for azurerm_key_vault.vault
azurerm_key_vault.vault: Still creating... [10s elapsed]
azurerm_key_vault.vault: Still creating... [20s elapsed]
azurerm_key_vault.vault: Still creating... [30s elapsed]
azurerm_key_vault.vault: Still creating... [40s elapsed]
azurerm_key_vault.vault: Still creating... [50s elapsed]
azurerm_key_vault.vault: Still creating... [1m0s elapsed]
azurerm_key_vault.vault: Still creating... [1m10s elapsed]
azurerm_key_vault.vault: Still creating... [1m20s elapsed]
azurerm_key_vault.vault: Still creating... [1m30s elapsed]
azurerm_key_vault.vault: Still creating... [1m40s elapsed]
azurerm_key_vault.vault: Still creating... [1m50s elapsed]
azurerm_key_vault.vault: Still creating... [2m0s elapsed]
azurerm_key_vault.vault: Still creating... [2m10s elapsed]
azurerm_key_vault.vault: Still creating... [2m20s elapsed]
azurerm_key_vault.vault: Still creating... [2m30s elapsed]
2022-07-21T11:53:42.801-0500 [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value for azurerm_key_vault.vault, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .purge_protection_enabled: was null, but now cty.False
      - .enable_rbac_authorization: was null, but now cty.False
      - .enabled_for_template_deployment: was null, but now cty.False
      - .enabled_for_deployment: was null, but now cty.False
azurerm_key_vault.vault: Creation complete after 2m37s [id=/subscriptions/bca1e138-289a-4104-93b1-0454d26a5cb3/resourceGroups/stg-stratus-centralus-resources/providers/Microsoft.KeyVault/vaults/kdd-test-vault-issue]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Expected Behaviour

The Azure Key Vault should be created where, on the Networking tab, one of the radio buttons (specifically "Selected Networks") is selected.

Actual Behaviour

The Azure Key Vault is created. When looking at the Networking tab, no radio button is selected. image

If attempting to manually modify the Access Policies, an error is generated:

CODE
BadRequest

MESSAGE

RAW ERROR
Invalid value of properties.networkAcls.defaultAction: "None". Expected one of Allow", "Deny.

Steps to Reproduce

  1. terraform apply

Important Factoids

No response

References

No response

magodo commented 2 years ago

@DaleyKD I've used the above config and things worked for me:

image

As can be seen, my Portal UI looks different from yours. Could you inspect the networkAcls property in the Portal to see what value is set for defaultAction? Alternatively, can you run another terraform plan after your first provisioning, to ensure the config matches the remote state?

For the error of your manual change, do you mean you manually check on the "Selected networks" and press "save"? If so, that looks like a Portal issue.
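One way to verify the deployed vault's network ACL posture independently of the Portal, as an added example that is not part of this issue or of the provider: it checks the `properties.networkAcls` values that magodo asks about in the JSON shape `az keyvault show` returns (a constructed sample is embedded here, including the `defaultAction: "None"` the Portal reported above) and flags any vault whose `defaultAction` is not `Deny`.

```python
import json

# Constructed sample in the shape of `az keyvault show` output (not real vaults).
# The second entry mirrors what the Portal reported in this issue: "None" where
# the Terraform config asked for "Deny".
SAMPLE_VAULTS = json.loads("""
[
  {"name": "vault-as-configured",
   "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                                  "ipRules": [], "virtualNetworkRules": []}}},
  {"name": "vault-as-portal-showed",
   "properties": {"networkAcls": {"defaultAction": "None", "bypass": "AzureServices",
                                  "ipRules": [], "virtualNetworkRules": []}}},
  {"name": "vault-no-acls",
   "properties": {"publicNetworkAccess": "Enabled"}}
]
""")


def check_network_acls(vault: dict) -> list[str]:
    """Return findings for one vault, each prefixed "fail:" or "info:".
    An empty list means the posture matches network_acls { default_action = "Deny" }."""
    findings = []
    acls = vault.get("properties", {}).get("networkAcls")
    if acls is None:
        # No networkAcls block at all: the service default (Allow) applies.
        return ["fail: networkAcls not set, default action Allow applies"]
    action = acls.get("defaultAction")
    if action != "Deny":
        # The API accepts only "Allow" or "Deny"; "None" (as seen in this issue)
        # means the intended restriction is not in effect.
        findings.append(f"fail: defaultAction is {action!r}, expected 'Deny'")
    elif not acls.get("ipRules") and not acls.get("virtualNetworkRules"):
        # Matches the reported config (ip_rules = []): only traffic covered by
        # `bypass` (trusted Azure services) can reach the vault's data plane.
        findings.append("info: Deny with no ipRules/virtualNetworkRules; data-plane "
                        f"access limited to bypass={acls.get('bypass', 'None')!r}")
    return findings


def audit(vaults: list[dict]) -> dict[str, list[str]]:
    """Map vault name to findings, listing only vaults that have any."""
    return {v["name"]: f for v in vaults if (f := check_network_acls(v))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VAULTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Replace `SAMPLE_VAULTS` with the parsed output of `az keyvault list` / `az keyvault show` to run it against real vaults.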

DaleyKD commented 2 years ago

I'm going to go ahead and close this since it seems like it may have been a hiccup in the Azure Portal UI. However, my UI definitely looks different than yours, and has stayed that way for weeks.

FWIW, terraform plan did match the remote state.

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.