Terraform v1.3.1 broke ignore_changes = all #31976

Closed
lonegunmanb opened this issue Oct 10, 2022 · 3 comments
Labels: bug, new (new issue not yet triaged)

lonegunmanb commented Oct 10, 2022

Terraform Version

Terraform v1.3.1

For both Windows and Linux platforms.

Terraform Configuration Files

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
    key_vault {
      purge_soft_delete_on_destroy       = false
      purge_soft_deleted_keys_on_destroy = false
      recover_soft_deleted_key_vaults    = false
    }
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "zjhe-f18563"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                       = "zjhef18563"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Create", "Decrypt", "Delete", "Encrypt", "Get", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Verify",
      "WrapKey"
    ]

    secret_permissions = [
      "Set",
    ]
  }
}

resource "time_sleep" "wait_1_seconds" {
  create_duration = "1s"
  depends_on      = [azurerm_key_vault.example]
}

resource "azurerm_key_vault_key" "general_use_sops_key" {
  name         = "zjhe-f18563"
  key_type     = "RSA"
  key_vault_id = azurerm_key_vault.example.id
  key_size     = 4096
  key_opts     = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  lifecycle {
    #    ignore_changes  = [e, n, public_key_openssh, public_key_pem, resource_id, resource_versionless_id, version, versionless_id]
    ignore_changes  = all
    prevent_destroy = true
  }
  depends_on = [
    time_sleep.wait_1_seconds,
  ]
}

Debug Output

https://gist.github.com/lonegunmanb/dd44776cd320efed85bf46151c7586e1

Expected Behavior

data.azurerm_client_config.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYjE0NWM2OC05YmRmLTQyNzktYjRjZS1mYjYxMDc2
MjVjNGI7b2JqZWN0SWQ9NjI1OWZjMjktZWUxMS00ODQwLWE1MWMtNDAzNGFhODkzZGY0O3N1YnNjcmlwdGlvbklkPTg1YjNkYmNhLTU5NzQtNDA2Ny05NjY5LTY3YTE0MTA5NWE
3Njt0ZW5hbnRJZD03MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDc=]
azurerm_resource_group.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563]
azurerm_key_vault.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/providers/Microsoft.KeyVault/vaults/zjhef18563]
time_sleep.wait_1_seconds: Refreshing state... [id=2022-10-10T03:44:52Z]
azurerm_key_vault_key.general_use_sops_key: Refreshing state... [id=https://zjhef18563.vault.azure.net/keys/zjhe-f18563/0c5bc6d3787842fcbd23f13de3c922ec]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Actual Behavior

data.azurerm_client_config.current: Reading...
azurerm_resource_group.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYjE0NWM2OC05YmRmLTQyNzktYjRjZS1mYjYxMDc2
MjVjNGI7b2JqZWN0SWQ9NjI1OWZjMjktZWUxMS00ODQwLWE1MWMtNDAzNGFhODkzZGY0O3N1YnNjcmlwdGlvbklkPTg1YjNkYmNhLTU5NzQtNDA2Ny05NjY5LTY3YTE0MTA5NWE
3Njt0ZW5hbnRJZD03MmY5ODhiZi04NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDc=]
azurerm_key_vault.example: Refreshing state... [id=/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/providers/Microsoft.KeyVault/vaults/zjhef18563]
time_sleep.wait_1_seconds: Refreshing state... [id=2022-10-10T03:44:52Z]
azurerm_key_vault_key.general_use_sops_key: Refreshing state... [id=https://zjhef18563.vault.azure.net/keys/zjhe-f18563/0c5bc6d3787842fcbd23f13de3c922ec]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_key_vault_key.general_use_sops_key will be updated in-place
  ~ resource "azurerm_key_vault_key" "general_use_sops_key" {
      - e                       = "AQAB" -> null
        id                      = "https://zjhef18563.vault.azure.net/keys/zjhe-f18563/0c5bc6d3787842fcbd23f13de3c922ec"
      - n                       = "qP6OTWLXSULKSnNyMlHp_5gYuM52uDtmBz6SoDLX0iaBfcZVAF_H5QGJpw0HUVKbnGQtleOTyEyNbZd0yo05356d3qziXmoh5dn6
jC6Xyw0kesJIzj6UGVwh4sVZrFWio3xJ-_mTGPHFKRA--pehicUfz2F8OOi-p6kDyQbjQ66g09AaDI8FP-lfLhOpsC_BW6_VtI6h7rn9-FCSBJEyBykv1ECQ4Skc_lTOq4N8ZAU
Q6AexpvdbJf3v-Fh3XQr8FguZKKcoxV-ZvARsafap1uHFjioy_zqWkOQdKI4A2uVobH6IrTX4RXJUNfIbDw1dAHdYpDam4zGsI9JG818rD1g1EIzKvFTJLiS1RL-5wwr7ua3dvr
5DesNmTF9HooDyt6uIV5TokyweeYvXxbX2gkbCJrup-0wtJUxaK_KD9C51evQM5ppRzDTHD0YOA5e0GjaknqkleX7Vnsl6ZAf3xFfYAn8sdLJqb5VL78-rk21cAIhOX8QKWGSsQ
gMqa0feqaCLFVF9iln-pPr958j6Y3K244BJZhFN1nDhE3oevvDoDu2MeS2naQG88Xgm3aIeArowWD1XNCY54zliEzSP4P2ow6KR-c2Eh7FhWXtbJrAXownLL3iZpM4lHWfRVr4_
VznNVdUsg0xbCAdGpgrnZmtKhSTN1AxPmKxfFkGQz60" -> null
        name                    = "zjhe-f18563"
      - public_key_openssh      = <<-EOT
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCo/o5NYtdJQspKc3IyUen/mBi4zna4O2YHPpKgMtfSJoF9xlUAX8flAYmnDQdRUpucZC2V45PITI1tl3TKjTn
fnp3erOJeaiHl2fqMLpfLDSR6wkjOPpQZXCHixVmsVaKjfEn7+ZMY8cUpED76l6GJxR/PYXw46L6nqQPJBuNDrqDT0BoMjwU/6V8uE6mwL8Fbr9W0jqHuuf34UJIEkTIHKS/UQJ
DhKRz+VM6rg3xkBRDoB7Gm91sl/e/4WHddCvwWC5kopyjFX5m8BGxp9qnW4cWOKjL/OpaQ5B0ojgDa5WhsfoitNfhFclQ18hsPDV0Ad1ikNqbjMawj0kbzXysPWDUQjMq8VMkuJ
LVEv7nDCvu5rd2+vkN6w2ZMX0eigPK3q4hXlOiTLB55i9fFtfaCRsImu6n7TC0lTFor8oP0LnV69AzmmlHMNMcPRg4Dl7QaNqSeqSV5ftWeyXpkB/fEV9gCfyx0smpvlUvvz6uT
bVwAiE5fxApYZKxCAyprR96poIsVUX2KWf6k+v3nyPpjcrbjgElmEU3WcOETeh6+8OgO7Yx5LadpAbzxeCbdoh4CujBYPVc0JjnjOWITNI/g/ajDopH5zYSHsWFZe1smsBejCcs
veJmkziUdZ9FWvj9XOc1V1SyDTFsIB0amCudma0qFJM3UDE+YrF8WQZDPrQ==
        EOT -> null
      - public_key_pem          = <<-EOT
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqP6OTWLXSULKSnNyMlHp
            /5gYuM52uDtmBz6SoDLX0iaBfcZVAF/H5QGJpw0HUVKbnGQtleOTyEyNbZd0yo05
            356d3qziXmoh5dn6jC6Xyw0kesJIzj6UGVwh4sVZrFWio3xJ+/mTGPHFKRA++peh
            icUfz2F8OOi+p6kDyQbjQ66g09AaDI8FP+lfLhOpsC/BW6/VtI6h7rn9+FCSBJEy
            Bykv1ECQ4Skc/lTOq4N8ZAUQ6AexpvdbJf3v+Fh3XQr8FguZKKcoxV+ZvARsafap
            1uHFjioy/zqWkOQdKI4A2uVobH6IrTX4RXJUNfIbDw1dAHdYpDam4zGsI9JG818r
            D1g1EIzKvFTJLiS1RL+5wwr7ua3dvr5DesNmTF9HooDyt6uIV5TokyweeYvXxbX2
            gkbCJrup+0wtJUxaK/KD9C51evQM5ppRzDTHD0YOA5e0GjaknqkleX7Vnsl6ZAf3
            xFfYAn8sdLJqb5VL78+rk21cAIhOX8QKWGSsQgMqa0feqaCLFVF9iln+pPr958j6
            Y3K244BJZhFN1nDhE3oevvDoDu2MeS2naQG88Xgm3aIeArowWD1XNCY54zliEzSP
            4P2ow6KR+c2Eh7FhWXtbJrAXownLL3iZpM4lHWfRVr4/VznNVdUsg0xbCAdGpgrn
            ZmtKhSTN1AxPmKxfFkGQz60CAwEAAQ==
            -----END PUBLIC KEY-----
        EOT -> null
      - resource_id             = "/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/providers/Microsoft.KeyVault/vaults/zjhef18563/keys/zjhe-f18563/versions/0c5bc6d3787842fcbd23f13de3c922ec" -> null
      - resource_versionless_id = "/subscriptions/xxxxxxxxxx/resourceGroups/zjhe-f18563/providers/Microsoft.KeyVault/vaults/zjhef18563/keys/zjhe-f18563" -> null
        tags                    = {}
      - version                 = "0c5bc6d3787842fcbd23f13de3c922ec" -> null
      - versionless_id          = "https://zjhef18563.vault.azure.net/keys/zjhe-f18563" -> null
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

Steps to Reproduce

  1. terraform init
  2. terraform apply -auto-approve

For those two steps, I used Terraform v1.3.1 on Windows.

  1. docker run --rm -v ${pwd}:/src -w /src -it -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID hashicorp/terraform:1.3.1 plan

Additional Context

You can easily get the expected output by using the v1.3.0 image:

docker run --rm -v ${pwd}:/src -w /src -it -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID hashicorp/terraform:1.3.0 plan

This issue only occurs with ignore_changes = all; if we assign the affected attributes explicitly, then the plan skips the update.

References

No response
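
A plan gate for the symptom reported above, as an added example that is not part of the original issue or of Terraform's own code: it reads `terraform show -json` plan output and flags in-place updates whose only changes set previously known attributes to null. The sample plan is constructed (long values replaced with placeholders), and treating a null-only update as suspicious is this example's assumption.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output for the
# plan in this issue; long attribute values are shortened placeholders.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_key_vault_key.general_use_sops_key",
     "change": {"actions": ["update"],
                "before": {"name": "zjhe-f18563", "key_size": 4096, "e": "AQAB",
                           "n": "<modulus>", "version": "<version>"},
                "after": {"name": "zjhe-f18563", "key_size": 4096, "e": None,
                          "n": None, "version": None},
                "after_unknown": {}}},
    # Constructed control case: a genuine in-place change that must not be flagged.
    {"address": "azurerm_key_vault.example",
     "change": {"actions": ["update"],
                "before": {"sku_name": "standard", "tags": {}},
                "after": {"sku_name": "premium", "tags": {}},
                "after_unknown": {}}},
]})


def null_only_updates(plan_json):
    """Return {address: [attrs]} for in-place updates in which every changed
    attribute goes from a known value to null."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") != ["update"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        # Attributes whose planned value differs from the prior state.
        changed = [k for k in before if before[k] != after.get(k)]
        changed += [k for k in after if k not in before and after[k] is not None]
        # Of those, the ones planned as null rather than "known after apply".
        nulled = [k for k in changed
                  if k in before and after.get(k) is None and not unknown.get(k)]
        if changed and len(nulled) == len(changed):
            findings[rc["address"]] = sorted(nulled)
    return findings


if __name__ == "__main__":
    for address, attrs in null_only_updates(SAMPLE_PLAN).items():
        print(f"{address}: update only nulls {', '.join(attrs)}")
```
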

@lonegunmanb

#31914 looks suspicious to me.

@lonegunmanb

I made a mistake; #31914 is meant to fix this issue.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 10, 2022