hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault_secret keeps refreshing on time format changes #27922

Open Darkfogel opened 6 days ago

Darkfogel commented 6 days ago

Terraform Version

1.9.8

AzureRM Provider Version

4.8.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault_secret

Terraform Configuration Files

resource "azurerm_key_vault_secret" "password_in_keyvault" {
  name            = azuread_application.app.display_name
  value           = azuread_service_principal_password.password-1.value
  key_vault_id    = var.keyvault_id
  not_before_date = azuread_service_principal_password.password-1.start_date
  expiration_date = azuread_service_principal_password.password-1.end_date
}

Debug Output/Panic Output

Terraform will perform the following actions:

  # azurerm_key_vault_secret.password_in_keyvault["kv1"] will be updated in-place
  ~ resource "azurerm_key_vault_secret" "password_in_keyvault" {
      ~ expiration_date         = "2026-11-01T17:59:05Z" -> "2026-11-01T17:59:04.9661444Z"
        id                      = "xxxxxxxx"
        name                    = "xxxxxxxx"
      ~ not_before_date         = "2024-11-01T17:59:05Z" -> "2024-11-01T17:59:04.9661444Z"
        # (7 unchanged attributes hidden)
    }

Expected Behaviour

The azurerm_key_vault_secret_password is updated, and the next plan shows no changes.

Actual Behaviour

After the apply, the next plan shows the exact same changes, as if nothing was actually changed.

Terraform will perform the following actions:

  # azurerm_key_vault_secret.password_in_keyvault["kv1"] will be updated in-place
  ~ resource "azurerm_key_vault_secret" "password_in_keyvault" {
      ~ expiration_date         = "2026-11-01T17:59:05Z" -> "2026-11-01T17:59:04.9661444Z"
        id                      = "xxxxxxxx"
        name                    = "xxxxxxxx"
      ~ not_before_date         = "2024-11-01T17:59:05Z" -> "2024-11-01T17:59:04.9661444Z"
        # (7 unchanged attributes hidden)
    }

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. terraform plan

Important Factoids

No response

References

No response

wuxu92 commented 6 days ago

The azuread_service_principal_password.password-1.start_date is not fully compatible with the expiration_date, which requires an expiration UTC datetime (Y-m-d'T'H:M:S'Z'). Try using formatdate to convert the Azure AD time to the required expiration date format.

Darkfogel commented 5 days ago

> The azuread_service_principal_password.password-1.start_date is not fully compatible with the expiration_date, which requires an expiration UTC datetime (Y-m-d'T'H:M:S'Z'). Try using formatdate to convert the Azure AD time to the required expiration date format.

Thank you for your answer. I will try that.

Is it a new behavior? It's been working quite nicely for the past year and a half.

wuxu92 commented 5 days ago

@Darkfogel I believe it's a breaking change in the AzureAD provider or the Azure application API. There's a related issue: https://github.com/hashicorp/terraform-provider-azuread/issues/1545.
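
The formatdate suggestion from the thread, applied to the reporter's configuration, as an added example that is not part of the original issue or the provider's own code. The local names kv_date_format, secret_not_before and secret_expiration are made up for illustration, and the sketch assumes the azuread dates are already UTC, as they are in the plan output above.

```hcl
locals {
  # Whole-second RFC 3339 form. formatdate() drops the fractional seconds
  # seen in the plan diff, so "2026-11-01T17:59:04.9661444Z" is rendered
  # as "2026-11-01T17:59:04Z". 'T' is a quoted literal; Z prints "Z" for UTC.
  kv_date_format = "YYYY-MM-DD'T'hh:mm:ssZ"

  # Hypothetical local names; the azuread references are the ones from the issue.
  secret_not_before = formatdate(local.kv_date_format, azuread_service_principal_password.password-1.start_date)
  secret_expiration = formatdate(local.kv_date_format, azuread_service_principal_password.password-1.end_date)
}

resource "azurerm_key_vault_secret" "password_in_keyvault" {
  name            = azuread_application.app.display_name
  value           = azuread_service_principal_password.password-1.value
  key_vault_id    = var.keyvault_id
  not_before_date = local.secret_not_before
  expiration_date = local.secret_expiration
}
```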