Getting "Unable to determine the Resource ID for the Key Vault at URL "https://vaultname.vault.azure.net/"

[alfredomagallon]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.1.5

AzureRM Provider Version

3.29.1

Affected Resource(s)/Data Source(s)

azurerm_key_vault_secret

Terraform Configuration Files

resource "azurerm_key_vault_secret" "secret" {
  name            = var.secret_name
  value           = var.secret_value
  key_vault_id    = var.keyvault_id
  content_type    = var.content_type
  not_before_date = try(var.not_before_date, null)
  expiration_date = try(var.expiration_date, null)

  # add key_vault_id to ignore_changes to fix unexpected AKV secret replacement
  lifecycle {
    ignore_changes = [
      tags,
      key_vault_id
    ]
  }

  tags = var.tags
}

Debug Output/Panic Output

Error: Unable to determine the Resource ID for the Key Vault at URL "https://<redacted-keyvault-name>.vault.azure.net/" ... in resource "azurerm_key_vault_secret" "secret":
   1: resource "azurerm_key_vault_secret" "secret"

Expected Behaviour

It should have retrieved the resource ID with no problems, like it usually does

Actual Behaviour

Error: Unable to determine the Resource ID for the Key Vault at URL "https://.vault.azure.net/" ... in resource "azurerm_key_vault_secret" "secret":
1: resource "azurerm_key_vault_secret" "secret"

Steps to Reproduce

terraform apply

Important Factoids

No response

References

I am working with one subscription only and the user is SPN with full permissions in the subscription.
The SPN is able to do
"az keyvault show --name " without problems, and that shows the correct resource ID

[aristosvo]

Hi @alfredomagallon! Thanks for posting this question.

It seems you are using the Key Vault [vault_uri](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#vault_uri) instead of the id. To be honest, it confuses me as well a lot of the time, but I know that there is some confusion around it :)

A KV id looks like /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1 instead, like the ID of most Azure resources.

[alfredomagallon]

Thanks for your comment, @aristosvo

I'm not specifying any keyvault URI, I'm just using the ID coming from the following data:

data "azurerm_key_vault" "keyvault" {
  resource_group_name = var.resource_group_name
  name                = var.keyvault_name
}

Thanks

[aristosvo]

Ah, sorry, didn't dig deep enough.

Is this Key Vault in the same subscription as the other resources you're using or are there any special network settings configured on the Key Vault? There is something off, just not sure what.

[alfredomagallon]

Yes, I already saw the issues with keyvault being on a different subscription, but it is not the case
Keyvault is public at this time.

Update: It worked fine after several retries, didn't seem the retries but the passing of some time solved the problem.

[arwolfe]

I am seeing this error as well. Any further ideas or remedies for this issue?
Terraform: 1.4.1
azurerm: 3.51.0

GET /subscriptions/<<<subscription_id>>>/resources?%24filter=resourceType+eq+%27Microsoft.KeyVault%2Fvaults%27+and+name+eq+%27kv-tqmcpk-db47-app%27&%24top=5&api-version=2020-06-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.19.3 (amd64-linux) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 resources/2020-06-01 HashiCorp Terraform/1.4.1 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev VSTS_76ddd577-89db-4482-bf46-9101a6d2614b_build_581_0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: ddb20500-6101-6271-7640-d6e7fadc67b2
Accept-Encoding: gzip: timestamp=2023-04-12T14:56:24.220Z
2023-04-12T14:56:24.411Z [DEBUG] provider.terraform-provider-azurerm_v3.51.0_x5: AzureRM Response for https://management.azure.com/subscriptions/<<<subscription_id>>>/resources?%24filter=resourceType+eq+%27Microsoft.KeyVault%2Fvaults%27+and+name+eq+%27kv-tqmcpk-db47-app%27&%24top=5&api-version=2020-06-01: 
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Wed, 12 Apr 2023 14:56:23 GMT
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: ddb20500-6101-6271-7640-d6e7fadc67b2
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11999
X-Ms-Request-Id: 0e6bdce8-c056-4628-9356-c1fcd88253df
X-Ms-Routing-Request-Id: NORTHCENTRALUS:20230412T145624Z:0e6bdce8-c056-4628-9356-c1fcd88253df

{"value":[]}: timestamp=2023-04-12T14:56:24.411Z
2023-04-12T14:56:24.411Z [TRACE] provider.terraform-provider-azurerm_v3.51.0_x5: Called downstream: tf_provider_addr=provider tf_req_id=d6f783bf-9ba3-94a0-f7d4-52af9a143d25 tf_resource_type=azurerm_key_vault_secret tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.1/helper/schema/resource.go:807 @module=sdk.helper_schema timestamp=2023-04-12T14:56:24.411Z
2023-04-12T14:56:24.411Z [TRACE] provider.terraform-provider-azurerm_v3.51.0_x5: Received downstream response: @module=sdk.proto diagnostic_warning_count=0 tf_proto_version=5.3 tf_req_duration_ms=191 tf_resource_type=azurerm_key_vault_secret tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 diagnostic_error_count=1 tf_provider_addr=provider tf_req_id=d6f783bf-9ba3-94a0-f7d4-52af9a143d25 timestamp=2023-04-12T14:56:24.411Z
2023-04-12T14:56:24.411Z [ERROR] provider.terraform-provider-azurerm_v3.51.0_x5: Response contains error diagnostic: tf_proto_version=5.3 @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="Unable to determine the Resource ID for the Key Vault at URL "https://kv-tqmcpk-db47-app.vault.azure.net/"" tf_req_id=d6f783bf-9ba3-94a0-f7d4-52af9a143d25 tf_resource_type=azurerm_key_vault_secret tf_provider_addr=provider tf_rpc=ApplyResourceChange timestamp=2023-04-12T14:56:24.411Z
2023-04-12T14:56:24.411Z [TRACE] provider.terraform-provider-azurerm_v3.51.0_x5: Served request: tf_req_id=d6f783bf-9ba3-94a0-f7d4-52af9a143d25 tf_resource_type=azurerm_key_vault_secret tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:831 tf_provider_addr=provider @module=sdk.proto tf_proto_version=5.3 timestamp=2023-04-12T14:56:24.411Z

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.