ignore_all on tf 1.3.1 not working for azurerm_key_vault_key but is working in 1.3.0. #18653

Closed
1 task done
fardarter opened this issue Oct 6, 2022 · 9 comments

fardarter commented Oct 6, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.1

AzureRM Provider Version

3.25.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault_key

Terraform Configuration Files

resource "azurerm_key_vault_key" "general_use_sops_key" {
  name         = local.sops_key_name
  key_type     = "RSA"
  key_vault_id = azurerm_key_vault.automation_vault.id
  key_size     = 4096
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  lifecycle {
    ignore_changes  = all
    prevent_destroy = true
  }
  depends_on = [
    time_sleep.wait_4m_for_rbac,
  ]
  tags = local.tags
}

Debug Output/Panic Output

Will provide if required under direction.

Expected Behaviour

There should be no changes to the resource as per ignore_changes = all

Actual Behaviour

This is what I get in plan in 1.3.1. It does not appear in 1.3.0. (Note all secrets have been made useless and ids and urls replaced.)

module.global.azurerm_key_vault_key.general_use_sops_key will be updated in-place
  ~ resource "azurerm_key_vault_key" "general_use_sops_key" {
      - e                       = "AQAB" -> null
        id                      = "https://name.vault.azure.net/keys/sops/2d4b2474454a426db8ea05206346da69"
      - n                       = "uP9remZbbmd5lBLvQJD_tlfUgkWflRhGhg4hKdmGFQ5hgQvvcBvDLtS9zU9y0RWvhHayc2HYkZ6O_mKXTGZAjabPhvhrQbUPW8jHeu3Y6yW-W1l3Iyi-bXYk3DzcUD7n9935IgwybWYL8q843m-Q7UcC4dZ6h3k-kGoQ3BPOs1o-Np7psKXwkrvnjRiW9Is9SP_dHI9K6B9uTRDjL8CoKoPNF9YxJ9dB4rYTBrdhCUr0lvbYBaGr5dcSdDQMFPREVjJ8DHU" -> null
        name                    = "sops"
      - public_key_openssh      = <<-EOT
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC4/2t6ZltuZ3mUEu9AkP+2V9SCRZ+VGEaGDiEp2YYVDmGBC+9wG8Mu1L3NT3LRFa+EdrJzYdiRno7+YpdMZkCNps+GTSaUt5qExOfE0YSOIhTw2aXzzaIKcT4LqI3IDO6j7SRPW//OFIkBc15mLV7w8FdFTCzHeK6vJcteGNb7GBMjuWevrYYKK35HkyqbeCS8y2crGgq8rvje/ByFbL9O4KumRPnZVHUv1gF/rKin5umrt36Cc5CyPY45aCU6KJ/8zf+5v3Oh6aVtrcH25NEOMvwKgqg80X1jEn10HithMGt2EJSvSW9tgFoavl1xJ0NAwU9ERWMnwMdQ==
        EOT -> null
      - public_key_pem          = <<-EOT
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuP9remZbbmd5lBLvQJD/
            tlfUgkWflRhGhg4hKdmGFQ5hgQvvcBvDLtS9zU9y0RWvhHayc2HYkZ6O/mKXTGZA
            RfwTMfoi9lLj7lhQWPy/aPbLFmnujBu5ZyPPf1qUaNWN/LwzdQ3g1JwYBbB9A5OP
            cTBzNW353NqPTPwN+j9h2xbuJ6FzNphKRTghlH8ThIBntsbT54kIWpzKOUK0p7Ry
            bv2layK9GIkZM3bz7nabXil3Veg9lJVdMHhpIULHWuUJHacym7+8zm5Uc5J5V+Y2
            ob/OZkof9Is9SP/dHI9K6WPMJovtBp+2DCVk0mlLeahMTnxNGEjiIU8Nml882iCn
            E+C6iNyAzuo+0kT1v/zhSJAXNeZi1e8PBXRUwsx3iuryXLXhjW+xgTI7lnr62GCi
            t+R5Mqm3gkvMtnKxoKvK743vwchWy/TuCrpkT52VR1L9YBf6yop+bpq7d+gnOQsj
            2OOWglOiif/M3/ub9zoemlba3B9uTRDjL8CoKoPNF9YxJ9dB4rYTBrdhCUr0lvbY
            BaGr5dcSdDQMFPREVjJ8DHUCAwEAAQ==
            -----END PUBLIC KEY-----
        EOT -> null
      - resource_id             = "/subscriptions/id/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/name/keys/sops/versions/2d4b2474454a426db8ea05206346da69" -> null
      - resource_versionless_id = "/subscriptions/id/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/name/keys/sops" -> null
        tags                    = {
            "application_environment" = "infra"
            "governing_environment"   = "global"
            "managed_by_iac"          = "terraform"
            "managed_by_sp"           = id
        }
      - version                 = "2d4b2474454a426db8ea05206346da69" -> null
      - versionless_id          = "https://name.vault.azure.net/keys/sops" -> null
        # (4 unchanged attributes hidden)
    }

Steps to Reproduce

terraform plan

Important Factoids

No response

References

No response
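
One way to catch the behaviour reported above before an apply, as an added example that is not part of the original issue or the provider's code: a Python check over `terraform show -json` output that reports any resource expected to be frozen by `ignore_changes = all` which the plan still wants to modify. The `FROZEN` list, the second resource address and the sample values are assumptions constructed for illustration.

```python
import json

# Addresses declared with lifecycle { ignore_changes = all }. The plan JSON does
# not carry lifecycle settings, so this list is kept by hand (assumption).
FROZEN = {"module.global.azurerm_key_vault_key.general_use_sops_key"}


def unexpected_changes(plan: dict, frozen: set) -> dict:
    """Map each frozen address the plan would touch to its actions and changed attributes."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("address") not in frozen or actions == ["no-op"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        # Attributes whose planned value differs from state, including ones
        # dropped to null as in the 1.3.1 plan quoted in the issue.
        changed = sorted(k for k in set(before) | set(after)
                         if before.get(k) != after.get(k))
        findings[rc["address"]] = {"actions": actions, "attributes": changed}
    return findings


# Constructed sample shaped like `terraform show -json` output; values are placeholders.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.global.azurerm_key_vault_key.general_use_sops_key",
   "change": {"actions": ["update"],
              "before": {"name": "sops", "key_size": 4096, "e": "AQAB", "version": "PLACEHOLDER"},
              "after":  {"name": "sops", "key_size": 4096, "e": null, "version": null}}},
  {"address": "module.global.azurerm_resource_group.example",
   "change": {"actions": ["update"], "before": {"location": "a"}, "after": {"location": "b"}}}
]}
""")

if __name__ == "__main__":
    hits = unexpected_changes(SAMPLE_PLAN, FROZEN)
    for address, info in hits.items():
        print(f"{address}: {info['actions']} touches {info['attributes']}")
    raise SystemExit(1 if hits else 0)
```

Run against a real plan by loading the output of `terraform show -json <planfile>` in place of `SAMPLE_PLAN`; a non-zero exit fails the pipeline step.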

@fardarter fardarter added the bug label Oct 6, 2022
@github-actions github-actions bot removed the bug label Oct 6, 2022
@lonegunmanb
Contributor

@fardarter Thanks for opening this issue. Interesting, I can reproduce this issue on my side. I'll see what I can do for this issue.

@fardarter
Author

Thanks!

@lonegunmanb
Contributor

@fardarter I've opened an issue on Terraform Core. I doubt the issue was introduced by this PR, will dig in.

@fardarter
Author

Appreciate the attention this is getting. I'll be honest, this is not my usual experience with MS maintenance, so thank you for being exceptional.

@lonegunmanb
Contributor

@fardarter Apologies for the inconvenience. I'll keep you updated if I make any progress.

@lonegunmanb
Contributor

@fardarter I've made a mistake. PR #31914 is meant to fix this issue. I confirm that this issue has been solved in Terraform v1.3.2. You can test it on your side; please let me know if you have any further questions on this issue. Thanks.

@fardarter
Author

I'll test it out, thanks. I also spotted that PR and wondered, but 1.3.2 wasn't out last week. I'll say something if it doesn't resolve.

@fardarter
Author

Seems fine. Thanks for the help!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 10, 2022