diff --git a/azurerm/internal/services/keyvault/resource_arm_key_vault.go b/azurerm/internal/services/keyvault/resource_arm_key_vault.go
index 561c93e5e1fa..0c8a593b9295 100644
--- a/azurerm/internal/services/keyvault/resource_arm_key_vault.go
+++ b/azurerm/internal/services/keyvault/resource_arm_key_vault.go
@@ -216,14 +216,16 @@ func resourceArmKeyVaultCreate(d *schema.ResourceData, meta interface{}) error {
 // before creating check to see if the key vault exists in the soft delete state
 softDeletedKeyVault, err := client.GetDeleted(ctx, name, location)
 if err != nil {
- if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) {
+ // If Terraform lacks permission to read at the Subscription we'll get 409, not 404
+ if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) && !utils.ResponseWasForbidden(softDeletedKeyVault.Response) {
 return fmt.Errorf("Error checking for the presence of an existing Soft-Deleted Key Vault %q (Location %q): %+v", name, location, err)
 }
 }
 // if so, does the user want us to recover it?
+ recoverSoftDeletedKeyVault := false
- if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) {
+ if !utils.ResponseWasNotFound(softDeletedKeyVault.Response) && !utils.ResponseWasForbidden(softDeletedKeyVault.Response) {
 if !meta.(*clients.Client).Features.KeyVault.RecoverSoftDeletedKeyVaults {
 // this exists but the users opted out so they must import this it out-of-band
 return fmt.Errorf(optedOutOfRecoveringSoftDeletedKeyVaultErrorFmt(name, location))
diff --git a/azurerm/utils/response.go b/azurerm/utils/response.go
index 7e33d28c9432..3141e98a2478 100644
--- a/azurerm/utils/response.go
+++ b/azurerm/utils/response.go
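Review bot: The comment added above the guard inside the `if err != nil` block says a permission failure surfaces as 409, but the guard it explains calls `utils.ResponseWasForbidden`, which matches HTTP 403, so either the comment or the tolerated status is wrong; if the service really answers 409 Conflict here, `ResponseWasForbidden` will not match it and the create still aborts with the existing error. Beyond the wording, treating a 403 as "no soft-deleted vault" silently skips recovery detection, so a soft-deleted vault with this name may exist unseen; when that branch is taken it is worth recording why, e.g. `log.Printf("[DEBUG] Insufficient permissions to check for a Soft-Deleted Key Vault %q (Location %q) - skipping recovery check", name, location)` (assuming `log` is already imported in this file). The same two-condition guard is written out twice in the hunk; hoisting it into one local such as `softDeleteCheckSkipped := utils.ResponseWasForbidden(softDeletedKeyVault.Response)` would keep the two sites from drifting apart. resourceArmKeyVaultCreate continues outside the hunk, as does the use of the new `recoverSoftDeletedKeyVault` variable.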
@@ -11,6 +11,10 @@ func ResponseWasNotFound(resp autorest.Response) bool {
 return ResponseWasStatusCode(resp, http.StatusNotFound)
 }
+func ResponseWasForbidden(resp autorest.Response) bool {
+ return ResponseWasStatusCode(resp, http.StatusForbidden)
+}
+
 func ResponseErrorIsRetryable(err error) bool {
 if arerr, ok := err.(autorest.DetailedError); ok {
 err = arerr.Original
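Review bot: `ResponseWasForbidden` is exported and has no doc comment, so lint will flag it and callers in the create path have to read the body to learn it is a plain 403 check; add `// ResponseWasForbidden returns true if the response carried HTTP 403 Forbidden.` above it. The neighbouring `ResponseWasNotFound` appears to follow the same undocumented pattern in this hunk, so if the file's convention is deliberately comment-free this can be dropped.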