Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_key_vault_secret can't remove expiration_date #28355

Open
1 task done
daniel-anova opened this issue Dec 20, 2024 · 1 comment
Open
1 task done

azurerm_key_vault_secret can't remove expiration_date #28355

daniel-anova opened this issue Dec 20, 2024 · 1 comment
Labels
service/key-vault Key Vault v/4.x

Comments

@daniel-anova
Copy link
Contributor

daniel-anova commented Dec 20, 2024
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.6

AzureRM Provider Version

4.14

Affected Resource(s)/Data Source(s)

azurerm_key_vault_secret

Terraform Configuration Files

provider "azurerm" {
  features {}
}

locals {
  location = "eastus"

  # First deploy setting an expiration date
  expiration_date = "2024-12-30T00:00:00Z"
  # Then try removing it by setting to null
  # expiration_date = null
}

data "azurerm_client_config" "t" {}

resource "azurerm_resource_group" "t" {
  name     = "test"
  location = local.location
}

resource "azurerm_key_vault" "t" {
  name                = "kv-testbug"
  location            = local.location
  resource_group_name = azurerm_resource_group.t.name
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.t.tenant_id

  access_policy {
    tenant_id = data.azurerm_client_config.t.tenant_id
    object_id = data.azurerm_client_config.t.object_id

    key_permissions = [
      "Create",
      "Get",
    ]

    secret_permissions = [
      "Set",
      "Get",
      "Delete",
      "Purge",
      "Recover"
    ]
  }
}

# HACK used to workaround bug
# resource "null_resource" "t" {
#   triggers = {
#     is_null = local.expiration_date == null
#   }
# }

resource "azurerm_key_vault_secret" "t" {
  name            = "test"
  value           = "secret"
  expiration_date = local.expiration_date
  key_vault_id    = azurerm_key_vault.t.id

  # HACK used to work around bug
  # lifecycle {
  #   replace_triggered_by = [
  #     null_resource.t
  #   ]
  # }
}

Debug Output/Panic Output

There's no error but expiration_date is never actually removed

Expected Behaviour

Secret to be recreated when expiration_date is set to null

Actual Behaviour

Secret is not changed and instead will always show removal of the expiration_date in the plan

Steps to Reproduce

  1. apply with an expiration_date
  2. set expiration_date to null and apply again
  3. run plan to verify no change has been actually applied

Important Factoids

No response

References

No response
@wuxu92
Copy link
Contributor

wuxu92 commented Dec 23, 2024

Hi @daniel-anova This should be a feature of Azure Key Vault Secret: the expiration date cannot be unset once set. The button becomes inactive in the portal as shown below:

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
service/key-vault Key Vault v/4.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wuxu92 @daniel-anova