
azurerm_key_vault_certificate not recovering soft deleted certificate #23177

Closed
itdevops-channelcapital opened this issue Sep 6, 2023 · 3 comments · Fixed by #23204

Comments

@itdevops-channelcapital

Terraform Version

1.5.4

AzureRM Provider Version

3.69

Affected Resource(s)/Data Source(s)

azurerm_key_vault_certificate

Terraform Configuration Files

terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.69"
    }
  }
  backend "azurerm" {
    key = "terraform.tfstate"
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = false
      recover_soft_deleted_key_vaults = true

      # Never purge on destroy (soft-deleted objects stay recoverable) and
      # recover an existing soft-deleted object instead of failing when a
      # resource with the same name is created again.
      purge_soft_deleted_certificates_on_destroy = false
      purge_soft_deleted_keys_on_destroy         = false
      purge_soft_deleted_secrets_on_destroy      = false
      recover_soft_deleted_certificates          = true
      recover_soft_deleted_secrets               = true
      recover_soft_deleted_keys                  = true
    }
  }
}

resource "azurerm_key_vault_certificate" "default" {
  name         = "some-cert"
  key_vault_id = "<key vault id>"

  certificate_policy {
    # Self-signed by Key Vault; no external CA involved.
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 4096
      key_type   = "RSA"
      reuse_key  = false # generate a new key pair on each renewal
    }

    # Auto-renew 90 days before the certificate expires.
    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 90
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"] # serverAuth
      key_usage          = ["dataEncipherment", "digitalSignature", "keyCertSign"]
      subject            = "CN=some-cert"
      validity_in_months = 12

      subject_alternative_names {
        dns_names = []
      }
    }
  }
}

Debug Output/Panic Output

Error: keyvault.BaseClient#CreateCertificate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="Certificate some-cert is currently in a deleted but recoverable state, and its name cannot be reused; in this state, the certificate can only be recovered or purged." InnerError={"code":"ObjectIsDeletedButRecoverable"}

Expected Behaviour

The certificate should have been recovered/restored.

Actual Behaviour

The certificate is not recovered and the apply throws an error.

Steps to Reproduce

  1. Use version 3.69 or greater of the AzureRM provider.

This works perfectly fine when using 3.68 of the AzureRM provider.

Important Factoids

No response

References

Based on some initial investigation into this issue, it seems there were some rather big changes in the azurerm_key_vault_certificate resource module.
Please refer to this PR that was merged in for the 3.69 release.
#20627
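As an added example (not code from this issue, the provider, or PR #23204), the following pre-apply script does by hand what `recover_soft_deleted_certificates = true` is meant to do: it asks Key Vault whether a certificate of the same name is sitting in the deleted-but-recoverable state that produces the 409 above and, if so, recovers it (or purges it when explicitly told to) before `terraform apply` runs. The vault name, certificate name and the optional `yes` purge argument are assumed inputs; the Azure CLI subcommands `show-deleted`, `recover` and `purge` are real, while the function names and the sample values are this example's own.

```shell
# Added example: resolve a soft-deleted Key Vault certificate before Terraform
# tries to recreate it under the same name. Assumes an Azure CLI login with
# certificates/recover (or certificates/purge) permission on the vault.
set -eu

# Return the soft-deleted entry for a certificate as JSON, or an empty string
# when no deleted entry exists (show-deleted exits non-zero in that case).
deleted_cert_json() {
  az keyvault certificate show-deleted \
      --vault-name "$1" --name "$2" -o json 2>/dev/null || true
}

# Classify the certificate's state from the show-deleted output:
#   absent      - nothing soft-deleted under that name, create is safe
#   recoverable - a deleted entry with a recoveryId exists; the name is
#                 blocked until it is recovered or purged (the
#                 ObjectIsDeletedButRecoverable 409 from the issue)
classify_deleted_state() {
  case "$1" in
    "")                 echo absent ;;
    *'"recoveryId"'*)   echo recoverable ;;
    *)                  echo unknown ;;
  esac
}

# Pick the action. Recovering restores the previous certificate together with
# its private key under the same name; purging destroys it permanently and is
# refused on vaults with purge protection enabled. Recover is the default
# because it matches recover_soft_deleted_certificates = true.
choose_action() {
  state="$1"; want_purge="${2:-no}"
  case "$state" in
    absent)      echo create ;;
    recoverable) if [ "$want_purge" = yes ]; then echo purge; else echo recover; fi ;;
    *)           echo abort ;;
  esac
}

# Apply the chosen action with the Azure CLI and print what was done.
# Usage: resolve_soft_deleted_cert <vault-name> <cert-name> [yes]
resolve_soft_deleted_cert() {
  vault="$1"; name="$2"; want_purge="${3:-no}"
  state=$(classify_deleted_state "$(deleted_cert_json "$vault" "$name")")
  action=$(choose_action "$state" "$want_purge")
  case "$action" in
    recover) az keyvault certificate recover --vault-name "$vault" --name "$name" >/dev/null ;;
    purge)   az keyvault certificate purge   --vault-name "$vault" --name "$name" >/dev/null ;;
    create)  ;;
    abort)   echo "unexpected state for $name in $vault: $state" >&2; return 1 ;;
  esac
  echo "$action"
}

# When run as a script: resolve_soft_deleted_cert.sh <vault> <cert> [yes]
if [ "$#" -ge 2 ]; then
  resolve_soft_deleted_cert "$@"
fi
```

Run it as `./resolve_soft_deleted_cert.sh my-vault some-cert && terraform apply`. Recovery is the safe default: the old certificate and its private key come back under the same name, which is the behaviour the provider setting promises. Purge is irreversible, needs the purge permission, and fails on purge-protected vaults, so only pass `yes` when the old key material is meant to be gone for good.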

rcskosir (Contributor) commented Sep 7, 2023

@itdevops-channelcapital Thank you for taking the time to open this issue, please subscribe to @wuxu92's PR #23204 that has been opened to fix this issue.

@rcskosir rcskosir added the bug label Sep 7, 2023
itdevops-channelcapital (Author) commented:

That's fantastic. Thanks very much.


github-actions bot commented May 6, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 6, 2024