azurerm_key_vault - can now be created without subscription level per…

…missions (fixes #6059) (#6260)

fixes #6059

azurerm/internal/services/keyvault/resource_arm_key_vault.go

@@ -216,14 +216,16 @@ func resourceArmKeyVaultCreate(d *schema.ResourceData, meta interface{}) error {
 	// before creating check to see if the key vault exists in the soft delete state
 	softDeletedKeyVault, err := client.GetDeleted(ctx, name, location)
 	if err != nil {
-		if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) {
+		// If Terraform lacks permission to read at the Subscription we'll get 409, not 404
+		if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) && !utils.ResponseWasForbidden(softDeletedKeyVault.Response) {
 			return fmt.Errorf("Error checking for the presence of an existing Soft-Deleted Key Vault %q (Location %q): %+v", name, location, err)
 		}
 	}
 
 	// if so, does the user want us to recover it?
+
 	recoverSoftDeletedKeyVault := false
-	if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) {
+	if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) && !utils.ResponseWasForbidden(softDeletedKeyVault.Response) {
 		if !meta.(*clients.Client).Features.KeyVault.RecoverSoftDeletedKeyVaults {
 			// this exists but the users opted out so they must import this it out-of-band
 			return fmt.Errorf(optedOutOfRecoveringSoftDeletedKeyVaultErrorFmt(name, location))

azurerm/utils/response.go

@@ -11,6 +11,10 @@ func ResponseWasNotFound(resp autorest.Response) bool {
 	return ResponseWasStatusCode(resp, http.StatusNotFound)
 }
 
+func ResponseWasForbidden(resp autorest.Response) bool {
+	return ResponseWasStatusCode(resp, http.StatusForbidden)
+}
+
 func ResponseErrorIsRetryable(err error) bool {
 	if arerr, ok := err.(autorest.DetailedError); ok {
 		err = arerr.Original