hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_mssql_database using customer manage key fails if key vault access is removed #22358

Open taipignas opened 1 year ago

taipignas commented 1 year ago

Terraform Version

1.4.6

AzureRM Provider Version

3.63.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_database, azurerm_mssql_server_transparent_data_encryption

Terraform Configuration Files

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption

default config, nothing fancy

Debug Output/Panic Output

Error: retrieving Long Term Retention Policies for Database: (Name "asddb" / Server Name "asdserv" / Resource Group "gr"): sql.LongTermRetentionPoliciesClient#Get: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="LongTermRetentionPolicyNotSupported" Message="Long Term Retention is not supported : Database 'db' does not exist on server 'serv'."

Expected Behaviour

If access is missing but is defined in the configuration, it should be created first and then the further procedures processed.

Actual Behaviour

Even though the resource has no changes, it throws an error when applying terraform. Planning works fine.

Steps to Reproduce

  1. Create an mssql database resource with CMK and a key vault access policy.
  2. Delete the access policy from Azure (could be done manually or sometimes it's done by terraform recreation). Don't change terraform in any way.
  3. Try to apply terraform again.
  4. See the error.

Sorry, I can't provide more details right now.

Important Factoids

No response

References

No response

taipignas commented 1 year ago

The workaround for this would be:

  1. Manually create the access policy again.
  2. Manually revalidate the key in the SQL server resource.
  3. Import the access policy into terraform.
  4. Run terraform.
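The resource chain the reproduction steps and the workaround refer to, written out as an added example (not the reporter's configuration and not the provider's own documentation). It assumes the key vault and key are declared elsewhere as `azurerm_key_vault.example` and `azurerm_key_vault_key.example`, and the variables `var.location`, `var.sql_admin_login` and `var.sql_admin_password`; the server, database and resource group names are taken from the error message above.

```hcl
# Constructed example: SQL server with a system-assigned identity, the key vault
# access policy that identity needs to use the TDE protector key, and the TDE
# resource that consumes it. Names (asdserv, asddb, gr) follow the error message;
# the key vault, key and variables are assumed to exist elsewhere.
resource "azurerm_mssql_server" "example" {
  name                         = "asdserv"
  resource_group_name          = "gr"
  location                     = var.location
  version                      = "12.0"
  administrator_login          = var.sql_admin_login
  administrator_login_password = var.sql_admin_password

  identity {
    type = "SystemAssigned"
  }
}

# The policy that step 2 of the reproduction removes from Azure while it stays
# in the configuration. CMK only needs read and wrap/unwrap rights on the key.
resource "azurerm_key_vault_access_policy" "sql_server" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_mssql_server.example.identity[0].tenant_id
  object_id    = azurerm_mssql_server.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Referencing the key does not create a dependency on the access policy, so the
# explicit depends_on is what orders the policy before the server is pointed at
# the key on a fresh create.
resource "azurerm_mssql_server_transparent_data_encryption" "example" {
  server_id        = azurerm_mssql_server.example.id
  key_vault_key_id = azurerm_key_vault_key.example.id

  depends_on = [azurerm_key_vault_access_policy.sql_server]
}

resource "azurerm_mssql_database" "example" {
  name      = "asddb"
  server_id = azurerm_mssql_server.example.id

  depends_on = [azurerm_mssql_server_transparent_data_encryption.example]
}

# Workaround step 3 (bring a manually re-created policy back under management);
# the import ID is the vault's resource ID followed by /objectId/<principal id>:
#   terraform import azurerm_key_vault_access_policy.sql_server \
#     "<key vault resource id>/objectId/<sql server principal id>"
```

The ordering only helps on create; once the policy has been removed out of band, the database read that produced the error above still runs before the policy is re-applied, which is the behaviour this issue reports.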

neil-yechenwei commented 1 year ago

Thanks for raising this issue. Seems the access policy is required while using CMK. See the note from https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption#key_vault_key_id.

taipignas commented 1 year ago

Yes, but terraform will not be able to add the access policy if it was removed. No other changes are detected, just the access policy was deleted (by terraform recreation or manually). Terraform should complete successfully by adding the missing policy, but it will fail instead.

Sorry, maybe I didn't put it well. I mean remove the policy from Azure, but keep it in terraform.

aniketsinha-rc commented 1 month ago

Did we find any proper resolution for the above error?