hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Private Endpoint Import - Resource ID forces recreation due to trailing slash #26934

Closed Hiwazup closed 2 months ago

Hiwazup commented 2 months ago

Terraform Version

1.6.2

AzureRM Provider Version

3.114.0

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint

Terraform Configuration Files

resource "azurerm_key_vault" "this" {
  name                = var.key_vault_name
  location            = var.location
  resource_group_name = var.resource_group_name

  purge_protection_enabled   = var.purge_protection_enabled
  soft_delete_retention_days = var.soft_delete_retention_days

  sku_name = var.sku_name

  tenant_id = var.tenant_id

  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment
  enable_rbac_authorization       = var.enable_rbac_authorization

  public_network_access_enabled   = var.public_network_access_enabled

  network_acls {
    bypass                     = "AzureServices"
    default_action             = "Deny"
    ip_rules                   = var.network_acls_ip_rules
    virtual_network_subnet_ids = var.network_acls_virtual_network_subnet_ids
  }
}

resource "azurerm_private_endpoint" "private-endpoint" {
  name                = var.pe_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = data.azurerm_subnet.subnet.id

  private_service_connection {
    name                           = "${var.pe_name}-sc"
    private_connection_resource_id = azurerm_key_vault.this.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }
}

Debug Output/Panic Output

# module.keyvault.azurerm_private_endpoint.private-endpoint[0] must be replaced
-/+ resource "azurerm_private_endpoint" "private-endpoint" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "my-kv.vault.azure.net"
              - ip_addresses = [
                  - "1.2.3.4",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.Network/privateEndpoints/my-kv-pe" -> (known after apply)
        name                     = "my-kv-pe"
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.Network/networkInterfaces/my-kv-pe.nic.12345"
              - name = "my-kv-pe.nic.12345"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
        # (3 unchanged attributes hidden)

      ~ private_service_connection {
            name                           = "my-kv-pe-sc"
          ~ private_connection_resource_id = "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.KeyVault/vaults/my-kv" -> "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.KeyVault/vaults/my-kv/" # forces replacement
          ~ private_ip_address             = "1.2.3.4" -> (known after apply)
            # (2 unchanged attributes hidden)
        }
    }

Expected Behaviour

Private Endpoint should be imported into Terraform State and should show no changes in TF Plan.

Actual Behaviour

After importing, TF Plan shows that the Private Endpoint must be replaced due to the trailing slash in the private_connection_resource_id. If trimsuffix(azurerm_key_vault.this.id, "/") is used in the config then the plan does not report issues.

Steps to Reproduce

  1. Import PE into the TF State
  2. Run TF Plan

Important Factoids

No response

References

No response
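The root cause described in this report is a resource ID that was accepted by `terraform import` with a trailing slash and stored verbatim in state, so the reference from the private endpoint no longer matched and Terraform planned to destroy and recreate it. The following is an added example, not code from the provider or from this report, of a pre-import check and a comparison that treats IDs differing only by case or a trailing slash as the same resource; the sample IDs are constructed from the plan output above and keep its XXX placeholders.

```python
"""Canonicalise top-level Azure Resource Manager (ARM) resource IDs and flag the
trailing-slash defect that forced the private endpoint replacement above.
Added example; the sample IDs below are constructed, not taken from a real tenant."""
from dataclasses import dataclass

# Constructed from the plan output in the report: the imported ID kept a trailing
# slash, the ID the config referenced did not.
IMPORTED_KV_ID = "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.KeyVault/vaults/my-kv/"
CONFIG_KV_ID = "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.KeyVault/vaults/my-kv"


@dataclass(frozen=True)
class ArmResourceId:
    subscription: str
    resource_group: str
    provider: str
    resource_type: str
    name: str

    def canonical(self) -> str:
        # ARM IDs never carry a trailing slash; case is preserved as given.
        return (f"/subscriptions/{self.subscription}/resourceGroups/{self.resource_group}"
                f"/providers/{self.provider}/{self.resource_type}/{self.name}")


def parse_arm_id(raw: str) -> ArmResourceId:
    """Parse a top-level (non-nested) ARM resource ID, tolerating whitespace and a
    trailing slash. Raises ValueError when the segment structure is wrong."""
    parts = [p for p in raw.strip().split("/") if p]  # empty segment from '/' is dropped
    if (len(parts) != 8 or parts[0].lower() != "subscriptions"
            or parts[2].lower() != "resourcegroups" or parts[4].lower() != "providers"):
        raise ValueError(f"not a top-level ARM resource id: {raw!r}")
    return ArmResourceId(parts[1], parts[3], parts[5], parts[6], parts[7])


def same_resource(a: str, b: str) -> bool:
    """True when both IDs name the same resource (ARM IDs are case-insensitive)."""
    return parse_arm_id(a).canonical().lower() == parse_arm_id(b).canonical().lower()


def import_id_problems(raw: str) -> list[str]:
    """Run before `terraform import`: list reasons this ID would later cause drift."""
    problems = []
    if raw != raw.strip():
        problems.append("leading/trailing whitespace")
    if raw.rstrip().endswith("/"):
        problems.append("trailing slash (state keeps it verbatim; references will not match)")
    try:
        parse_arm_id(raw)
    except ValueError as err:
        problems.append(str(err))
    return problems
```

`import_id_problems` reports the trailing slash on the imported ID while `same_resource` confirms both IDs refer to the same vault, which is why the `trimsuffix` workaround in the report makes the plan clean.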

magodo commented 2 months ago

@Hiwazup The error indicates that azurerm_key_vault.this.id has a trailing slash. I'm wondering whether the key vault was created by Terraform, or did you import it?

Hiwazup commented 2 months ago

Hi @magodo, the Key Vault was imported with the resource described above.

magodo commented 2 months ago

I just tried to import a key vault using the latest provider, and the id seems good to me. Would you mind trying to re-import this key vault, and outputting the id to see if the trailing slash still exists?

Hiwazup commented 2 months ago

Hi @magodo, re-importing the Key Vault made me realise that I accidentally had a slash at the end of the ID when I imported it the first time. When I re-imported it, I spotted the issue and now it is behaving as expected. Thanks for taking the time to look into the issue!

github-actions[bot] commented 1 month ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.