hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Terraform forces APIM replacement even when only a named value is changed #27933

Open shawnhaoMS opened 2 weeks ago

shawnhaoMS commented 2 weeks ago

Terraform Version

1.0.0

AzureRM Provider Version

3.116

Affected Resource(s)/Data Source(s)

resource "azurerm_api_management" "apim2" {

Terraform Configuration Files

resource "azurerm_api_management" "apim2" {
  name                = "xxxx"
  location            = "xxx"
  resource_group_name = "xxxx"
  publisher_name      = "xxxx"
  publisher_email     = "xxxxx"

  sku_name             = "xxxxx"
  virtual_network_type = "xxxx"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_api_management_named_value" "example" {
  name                = "xxxxx"
  resource_group_name = "Hs-test-APIM"
  api_management_name = "xxxxx"
  display_name        = "abcde"
  secret              = true

  value_from_key_vault {
    secret_id = "xxxxxx"
  }
}

Debug Output/Panic Output

module.api_management[xxxx].azurerm_api_management.apim must be replaced

Expected Behaviour

The user only updated the value of the APIM named value from plain text to Azure Key Vault, so the expectation is an in-place update.

Actual Behaviour

Terraform shows that the APIM must be replaced (screenshot).

I've already double-checked the tfstate file: the location of the APIM is already eastasia, so the location didn't change, and the only change is the named value, which should not replace the APIM.

Steps to Reproduce

  1. Change the value of the Terraform variable file for the APIM named value from plain text to Key Vault.
  2. Run terraform plan.

Important Factoids

No response

References

No response
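One way to see which attribute a plan blames for a forced replacement, and whether its value actually differs between state and config, as an added example that is not part of the issue or the provider: the script below reads the JSON form of a plan (`terraform show -json tfplan`) and lists every replaced resource with its `replace_paths` and the before/after values at those paths. The embedded plan is a constructed sample; its location values are illustrative and are not the cause reported above.

```python
# Added example (not from the issue or the provider): list the resources a
# Terraform JSON plan replaces, with the attribute paths Terraform blames.
import json

# Constructed sample plan; the differing location values are illustrative
# and are not the cause reported in the issue.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "module.api_management.azurerm_api_management.apim",
         "type": "azurerm_api_management",
         "change": {"actions": ["delete", "create"],
                    "before": {"location": "eastasia", "sku_name": "Developer_1"},
                    "after": {"location": "East Asia", "sku_name": "Developer_1"},
                    "replace_paths": [["location"]]}},
        {"address": "azurerm_api_management_named_value.example",
         "type": "azurerm_api_management_named_value",
         "change": {"actions": ["update"],
                    "before": {"value": "plain"}, "after": {"value": None},
                    "replace_paths": []}},
    ],
})


def _walk(obj, path):
    """Follow a replace_path (keys and list indexes) into a before/after value."""
    for step in path:
        try:
            obj = obj[step]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def forced_replacements(plan_json):
    """Return (address, path, before, after) for every resource being replaced."""
    plan = json.loads(plan_json)
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"delete", "create"} <= set(change.get("actions", [])):
            continue  # update, create-only or delete-only: not a replacement
        for path in change.get("replace_paths") or [[]]:
            found.append((rc["address"], "/".join(map(str, path)),
                          _walk(change.get("before"), path),
                          _walk(change.get("after"), path)))
    return found


if __name__ == "__main__":
    for address, path, before, after in forced_replacements(SAMPLE_PLAN):
        print(f"{address}: replaced because of {path!r}: {before!r} -> {after!r}")
```

If the before and after values at the blamed path are identical, the provider schema rather than your config change is driving the replacement, which is the detail worth attaching to a report like this one.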

sinbai commented 2 weeks ago

Hi @shawnhaoMS, thanks for opening this issue. Unfortunately, I could not reproduce the issue with the following TF config and repro steps. Could you reproduce it with the following? If not, could you provide the complete tf configuration (including variable values) and detailed reproduction steps so we can reproduce and troubleshoot?

Step 1: Create an azurerm_api_management_named_value with plain text.

terraform {
  required_providers {
    azurerm = {
      version = "3.116.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-elena-test-27933"
  location = "eastus"
}

resource "azurerm_user_assigned_identity" "test" {
  name                = "acctestUAI-27933"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_api_management" "test" {
  name                = "acctestAM-27933"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  publisher_name      = "pub1"
  publisher_email     = "pub1@email.com"

  sku_name = "Consumption_0"

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.test.id,
    ]
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "test" {
  name                = "acctestKV-27933"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

resource "azurerm_key_vault_access_policy" "test" {
  key_vault_id = azurerm_key_vault.test.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  certificate_permissions = [
    "Create",
    "Delete",
    "DeleteIssuers",
    "Get",
    "GetIssuers",
    "Import",
    "List",
    "ListIssuers",
    "ManageContacts",
    "ManageIssuers",
    "SetIssuers",
    "Update",
    "Purge",
  ]
  secret_permissions = [
    "Get",
    "Delete",
    "List",
    "Purge",
    "Recover",
    "Set",
  ]
}

resource "azurerm_key_vault_access_policy" "test2" {
  key_vault_id = azurerm_key_vault.test.id
  tenant_id    = azurerm_user_assigned_identity.test.tenant_id
  object_id    = azurerm_user_assigned_identity.test.principal_id
  secret_permissions = [
    "Get",
    "List",
  ]
}

resource "azurerm_key_vault_secret" "test" {
  name         = "secret-27933"
  value        = "rick-and-morty"
  key_vault_id = azurerm_key_vault.test.id

  depends_on = [azurerm_key_vault_access_policy.test]
}

resource "azurerm_api_management_named_value" "test" {
  name                = "acctestAMProperty-27933"
  resource_group_name = azurerm_api_management.test.resource_group_name
  api_management_name = azurerm_api_management.test.name
  display_name        = "TestProperty27933"
  secret              = true
  value               = "Test Value"
}

Step 2: Update the azurerm_api_management_named_value to Key Vault with the following azurerm_api_management_named_value config.

...
resource "azurerm_api_management_named_value" "test" {
  name                = "acctestAMProperty-27933"
  resource_group_name = azurerm_api_management.test.resource_group_name
  api_management_name = azurerm_api_management.test.name
  display_name        = "TestProperty27933"
  secret              = true
  value_from_key_vault {
    secret_id          = azurerm_key_vault_secret.test.id
    identity_client_id = azurerm_user_assigned_identity.test.client_id
  }
}
...

Result: (screenshot)