Update azurerm_mssql_server with tde

[MichalSino]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

I've deployed Azure SQL with TDE using additional resource azurerm_mssql_server_transparent_data_encryption (not setting it inside the azurerm_mssql_server) and provider version 3.79. Now on version 3.83 I'm trying to update tags and got error: the primary_user_assigned_identity_id field must be specified to use the transparent_data_encryption_key_vault_key_id in Server

In version 3.79 works fine.

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.3

AzureRM Provider Version

3.83.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_server

Terraform Configuration Files

resource "azurerm_mssql_server" "server" {
  name                          = format("%s-%s",var.server_name, substr(md5(var.resource_group),-4,-1))
  resource_group_name           = ""testrg"
  location                      = "westeurope"
  version                       = "12.0"
  administrator_login           = var.login
  administrator_login_password  = var.password
  minimum_tls_version           = "1.2"
  public_network_access_enabled = false
  
  outbound_network_restriction_enabled = true
  
  identity {
    type = "SystemAssigned"
  }

  azuread_administrator {
    login_username              = var.adm_login
    object_id                   = var.obj_id
    tenant_id                   = var.tenant
    azuread_authentication_only = true
  }
  
  lifecycle {
    ignore_changes = [ transparent_data_encryption_key_vault_key_id ]
  }
}

resource "azurerm_role_assignment" "kv_role_assign" {
  scope                 = var.key-id
  role_definition_id    = var.role_key_assignment
  principal_id          = azurerm_mssql_server.server.identity.0.principal_id
  
  depends_on = [
    azurerm_mssql_server.server
  ]
}

resource "azurerm_mssql_server_transparent_data_encryption" "tde" {
  server_id           = azurerm_mssql_server.server.id
  key_vault_key_id    = var.key_id

  depends_on = [
    azurerm_role_assignment.kv_role_assign,
    azurerm_mssql_server.server
  ]
}

Debug Output/Panic Output

-

Expected Behaviour

Updating resource

Actual Behaviour

Error: the primary_user_assigned_identity_id field must be specified to use the transparent_data_encryption_key_vault_key_id in Server

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

[harshavmb]

Hi @MichalSino ,

I could replicate the issue with newer versions (higher than 3.79.0). For more updates, you could follow the PR here.

[MichalSino]

Hi @harshavmb ,
Thanks for the link. I couldn't find it earlier.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.