how to disable soft delete in key vault terraform

I'm trying to disable the soft-delete on key-vault. But I couldn't do it. Here's my Terraform code:

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  # sku_name is a required argument of azurerm_key_vault; it was missing
  # from the posted snippet, so the config would not plan without it.
  sku_name                    = "standard"
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
}


Solution 1:

Terraform has officially deprecated the soft_delete_enabled field. This PR shows the field being deprecated starting with AzureRM provider version 2.42.

Data Source: azurerm_key_vault - deprecating the field soft_delete_enabled (and conditionally removing this should 3.0 mode be enabled)

Resource: azurerm_key_vault - deprecating the field soft_delete_enabled and defaulting this to true (conditionally removing this should 3.0 mode be enabled). Notably this PR removes the error when attempting to disable/enable this - but since this is hard-coded to true in the Read function, operators can update their configurations (or remove the field) to clear this diff.

I was also able to verify this at an older version of the AzureRM provider, where I found this:

As of 2020-12-15 Azure now requires that Soft Delete is enabled on Key Vaults and this can no longer be disabled. Version v2.42 of the Azure Provider and later ignore the value of the soft_delete_enabled field and force this value to be true - as such this field can be safely removed from your Terraform Configuration. This field will be removed in version 3.0 of the Azure Provider.

Microsoft also mentions that opting out of soft delete is deprecated and will be completely disabled in February 2025.

If a secret is deleted and the key vault does not have soft-delete protection, it is deleted permanently. Although users can currently opt out of soft-delete during key vault creation, this ability is deprecated. In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users will no longer be able to opt out of or turn off soft-delete. This will protect secrets from accidental or malicious deletion by a user.

As long as you're using the latest version of Terraform, Soft Delete should be enabled by default. There are no more fields available to specify this feature since the Azure API has deprecated it.

If you really want to disable Soft Delete, you would need to use an older version of the Terraform AzureRM provider - anything below 2.42.
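Since soft delete can no longer be turned off, the practical question becomes whether a plan still carries the deprecated field and how strong its retention and purge settings are. The script below is an added example, not part of the answer above or of the AzureRM provider: it reads the JSON that `terraform show -json` produces for a plan and reports Key Vault resources that still set soft_delete_enabled, have a retention window shorter than a team baseline, or leave purge protection off. The 90-day baseline and the sample plan are constructed assumptions for the demonstration.

```python
"""Policy check over a `terraform show -json` plan for Key Vault soft-delete settings."""
import json

# Constructed sample plan (trimmed to the fields the check needs): one vault
# still sets the deprecated soft_delete_enabled field and keeps a 7-day
# retention with purge protection off; the other follows a hardened baseline.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_key_vault.legacy", "type": "azurerm_key_vault",
         "values": {"name": "legacykv", "soft_delete_retention_days": 7,
                    "purge_protection_enabled": False}},
        {"address": "azurerm_key_vault.hardened", "type": "azurerm_key_vault",
         "values": {"name": "hardenedkv", "soft_delete_retention_days": 90,
                    "purge_protection_enabled": True}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "azurerm_key_vault.legacy", "type": "azurerm_key_vault",
         "expressions": {"soft_delete_enabled": {"constant_value": False},
                         "soft_delete_retention_days": {"constant_value": 7}}},
        {"address": "azurerm_key_vault.hardened", "type": "azurerm_key_vault",
         "expressions": {"soft_delete_retention_days": {"constant_value": 90},
                         "purge_protection_enabled": {"constant_value": True}}},
    ]}},
})

MIN_RETENTION_DAYS = 90  # assumption: a team baseline, not an Azure-imposed limit


def key_vault_findings(plan_json: str, min_retention: int = MIN_RETENTION_DAYS) -> list[str]:
    """Return one finding per problem found; an empty list means the plan is clean."""
    plan = json.loads(plan_json)
    findings = []
    # 1. The deprecated field in configuration: ignored since provider 2.42 and
    #    slated for removal in 3.0, so it is a diff source, not a control.
    for res in plan["configuration"]["root_module"].get("resources", []):
        if res["type"] == "azurerm_key_vault" and "soft_delete_enabled" in res.get("expressions", {}):
            findings.append(f"{res['address']}: soft_delete_enabled is deprecated; remove it")
    # 2. Planned values: retention window and purge protection actually applied.
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] != "azurerm_key_vault":
            continue
        values = res["values"]
        days = values.get("soft_delete_retention_days", 90)  # provider default is 90
        if days < min_retention:
            findings.append(f"{res['address']}: soft_delete_retention_days={days} below {min_retention}")
        if not values.get("purge_protection_enabled", False):
            findings.append(f"{res['address']}: purge_protection_enabled is false")
    return findings


if __name__ == "__main__":
    for line in key_vault_findings(SAMPLE_PLAN):
        print(line)
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `key_vault_findings`.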

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
