The provider does not update Key Vault Secret tags when there are only tag changes/content type #6222

Closed
gnlds opened this issue Mar 23, 2020 · 9 comments · Fixed by #8304

gnlds commented Mar 23, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

  • Started a long time ago and still exists.
    Terraform v0.12.23
    AzureRM 2.2.0

Affected Resource(s)

  • azurerm_key_vault_secret

Terraform Configuration Files

Terraform Plan Output;

  # azurerm_key_vault_secret.my_secret will be updated in-place
  ~ resource "azurerm_key_vault_secret" "my_secret" {
      + content_type = "text/plain"
        id           = "https://***.vault.azure.net/secrets/MySecret/version_number_1_target"
        key_vault_id = "/subscriptions/***/resourceGroups/***/providers/Microsoft.KeyVault/vaults/my_kv"
        name         = "MySecret"
      ~ tags         = {
          + "tag1" = "tag_value_1"
          + "tag2" = "tag_value_2"
          + "tag3" = "tag_value_3"
          + "tag4" = "tag_value_4"
          + "tag5" = "tag_value_5"
          + "tag6" = "tag_value_6"
        }
        value        = (sensitive value)
        version      = "version_number_2_different"
    }

Debug Output

Panic Output

Expected Behavior

The provider should update tags and the content-type without changing the secret's value.

Actual Behavior

The provider just does not update Key Vault Secret tags or content type without any value changes. It's only applying changes when the value changed.

Steps to Reproduce

  1. Add a new key vault and a secret with tags.
  2. terraform plan
  3. terraform apply
  4. Without changing the secret's value, change one of the tag values or tag names or just content type.
  5. terraform plan
  6. See changes in the plan output.
  7. terraform apply
  8. Nothing changed.

Important Factoids

References

Contributor

njuCZ commented May 11, 2020

@gnlds it seems the latest azurerm provider does not have this problem, could you please upgrade the azurerm and have a try?

@e1011215

I just tried the 2.9.0 version of the provider and the problem is still present.

Contributor

njuCZ commented May 15, 2020

@e1011215 Could you please paste your config snippet? I am sorry, I have tried again and could not reproduce it. My operation is

provider "azurerm" {
  features {}
}

data "azurerm_key_vault" "test" {
  name                = "xxx"
  resource_group_name = "xxx"
}

resource "azurerm_key_vault_secret" "my_secret" {
  key_vault_id = data.azurerm_key_vault.test.id
  name         = "name"
  value        = "value1"
}

execute terraform apply

and then make the modification like below

provider "azurerm" {
  features {}
}

data "azurerm_key_vault" "test" {
  name                = "xxx"
  resource_group_name = "xxx"
}

resource "azurerm_key_vault_secret" "my_secret" {
  content_type = "text/plain"
  key_vault_id = data.azurerm_key_vault.test.id
  name         = "name"
  value        = "value1"
  tags         = {
    "tag1": "tag_value_1"
  }
}

execute terraform apply

I can see the tags and content_type are correct in the portal, and there is no diff.

Author

gnlds commented May 15, 2020

@njuCZ thanks for your support. Please see the following tests and their results;
(azurerm-2.10.0)

  1. Without changing the value of the Key Vault Secret from Terraform we were able to ADD a new TAG.
  2. Without changing the value of the Key Vault Secret from Terraform we were NOT able to UPDATE the TAG VALUE.

Another test that includes a user interaction; as you know, when we add a new version for the Key Vault Secret from the Azure Portal it resets tags. When we executed the Terraform after this change we were not able to ADD tags. Side note; we are using refresh parameters. Normally, we are not using the portal but this was just another test and I wanted to let you know.

Contributor

njuCZ commented Jul 21, 2020

@gnlds I am sorry that I have followed your steps and still could not reproduce this bug. Neither could my colleague. Could you please give a snippet of the script?


e1011215 commented Jul 21, 2020

@njuCZ I apologize, I did not see your question in May was directed at me.
Your code is pretty much the same as mine. Here is the scenario:

  • create the secret using Terraform,
  • add a new version of the secret outside Terraform (in the portal), without specifying any tags,
  • run "terraform plan"
    Terraform notices that the tags are missing and says it wants to add them
  • run "terraform apply"
    the tags are not added
    (this is with azurerm 2.9.0)
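
An added example, not from this thread or the provider's code: a check that picks out the kind of plan reported here, in-place updates of azurerm_key_vault_secret where only tags or content_type differ, so those resources can be re-checked with a second plan after apply. It assumes the input is the JSON from `terraform show -json` on a saved plan; the function name and the sample plan are constructed for illustration.

```python
import json

# Attributes this issue reports as not applied when the secret value is unchanged.
METADATA_ATTRS = {"tags", "content_type"}

def metadata_only_secret_updates(plan_json: str) -> dict:
    """Map resource address -> sorted changed attribute names, for in-place
    updates of azurerm_key_vault_secret that touch only tags/content_type."""
    flagged = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_key_vault_secret":
            continue
        if change.get("actions") != ["update"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        # Compare attribute by attribute; only names are reported, never values.
        changed = {k for k in before.keys() | after.keys()
                   if before.get(k) != after.get(k)}
        if changed and changed <= METADATA_ATTRS:
            flagged[rc["address"]] = sorted(changed)
    return flagged

def _rc(address, rtype, before, after):
    return {"address": address, "type": rtype,
            "change": {"actions": ["update"], "before": before, "after": after}}

# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    # Metadata-only update: the case described in this issue.
    _rc("azurerm_key_vault_secret.my_secret", "azurerm_key_vault_secret",
        {"name": "MySecret", "value": "v1", "content_type": None, "tags": {}},
        {"name": "MySecret", "value": "v1", "content_type": "text/plain",
         "tags": {"tag1": "tag_value_1"}}),
    # Value changes too, so this is not a metadata-only update.
    _rc("azurerm_key_vault_secret.rotated", "azurerm_key_vault_secret",
        {"name": "Rotated", "value": "v1", "tags": {"tag1": "a"}},
        {"name": "Rotated", "value": "v2", "tags": {"tag1": "b"}}),
    # Different resource type; out of scope for this check.
    _rc("azurerm_resource_group.rg", "azurerm_resource_group",
        {"name": "rg", "tags": {}}, {"name": "rg", "tags": {"env": "test"}}),
]})

if __name__ == "__main__":
    for address, attrs in metadata_only_secret_updates(SAMPLE_PLAN).items():
        print(f"{address}: metadata-only update ({', '.join(attrs)}); "
              "re-run plan after apply to confirm it converged")
```

The JSON form of a plan can contain secret values in plain text, so treat the plan file and its JSON output as sensitive and delete them after the check.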

Contributor

njuCZ commented Jul 22, 2020

@e1011215 @gnlds thanks for your clarification. I have got the reason of this issue and will submit a PR soon


ghost commented Sep 4, 2020

This has been released in version 2.26.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.26.0"
}
# ... other configuration ...


ghost commented Oct 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 1, 2020