azurerm_mssql_database using customer manage key fails if key vault access is removed

taipignas commented 1 year ago

Is there an existing issue for this?

[X] I have searched the existing issues

Community Note

Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.6

AzureRM Provider Version

3.63.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_database, azurerm_mssql_server_transparent_data_encryption

Terraform Configuration Files

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption

default config, nothing fancy

Debug Output/Panic Output

Error: retrieving Long Term Retention Policies for Database: (Name "asddb" / Server Name "asdserv" / Resource Group "gr"): sql.LongTermRetentionPoliciesClient#Get: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="LongTermRetentionPolicyNotSupported" Message="Long Term Retention is not supported : Database 'db' does not exist on server 'serv'."

Expected Behaviour

if access is missing but is defined in the configuration, it should be created first and then further procedures processed.

Actual Behaviour

even though the resource has no changes, it throws an error when applying terraform. planning works fine.

Steps to Reproduce

create a mssql database resource with cmk and key vault access policy
delete the access policy from azure (could be done manually or somtimes its done by terraform recreation). dont change terraform in any way.
try to apply terraform again
see the error

Sorry i cant provide more details right now

Important Factoids

No response

References

No response

taipignas commented 1 year ago

the workaround for this would be

manually create the access policy again
manually revalidate key in the sql server resource
import access policy to terraform
run terraform

neil-yechenwei commented 1 year ago

Thanks for raising this issue. Seems the access policy is required while using CMK. See the note from https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption#key_vault_key_id.

taipignas commented 1 year ago

yes, but terraform will not be able to add the access policy if it was removed. no other changes are detected, just access policy was deleted (by terraform recration or manually). terraform should complete successfully with adding a missing policy, but it will fail instead.

sorry maybe i didnt put it well. i mean remove the policy from azure, but keep it in terraform.

aniketsinha-rc commented 2 months ago

Did we find any proper resolution for the above error?

brnwn4 commented 2 weeks ago

any solution?

hashicorp / terraform-provider-azurerm