azurerm_mssql_database using customer manage key fails if key vault access is removed

[taipignas]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.6

AzureRM Provider Version

3.63.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_database, azurerm_mssql_server_transparent_data_encryption

Terraform Configuration Files

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption

default config, nothing fancy

Debug Output/Panic Output

Error: retrieving Long Term Retention Policies for Database: (Name "asddb" / Server Name "asdserv" / Resource Group "gr"): sql.LongTermRetentionPoliciesClient#Get: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="LongTermRetentionPolicyNotSupported" Message="Long Term Retention is not supported : Database 'db' does not exist on server 'serv'."

Expected Behaviour

if access is missing but is defined in the configuration, it should be created first and then further procedures processed.

Actual Behaviour

even though the resource has no changes, it throws an error when applying terraform. planning works fine.

Steps to Reproduce

1. create a mssql database resource with cmk and key vault access policy
2. delete the access policy from azure (could be done manually or somtimes its done by terraform recreation). dont change terraform in any way.
3. try to apply terraform again
4. see the error

Sorry i cant provide more details right now

Important Factoids

No response

References

No response

[taipignas]

the workaround for this would be

1. manually create the access policy again
2. manually revalidate key in the sql server resource
3. import access policy to terraform
4. run terraform

[neil-yechenwei]

Thanks for raising this issue. Seems the access policy is required while using CMK. See the note from https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption#key_vault_key_id.

[taipignas]

yes, but terraform will not be able to add the access policy if it was removed. no other changes are detected, just access policy was deleted (by terraform recration or manually). terraform should complete successfully with adding a missing policy, but it will fail instead.

sorry maybe i didnt put it well. i mean remove the policy from azure, but keep it in terraform.

[aniketsinha-rc]

Did we find any proper resolution for the above error?