Challenges : Azure Site Recovery implementation for ADE encrypted VMs

I have couple of Windows VMs in Azure deployed using Terraform. Data disks for these VMs are ADE encrypted. Now I need to implement ASR for these VMs. Currently Terraform doesn’t support ASR for ADE encrypted VMs (reference link). So, I decided to enable ASR using Azure portal until Terraform release this feature. There is no issue in failing over from primary region to secondary and then failing back from secondary to primary region using azure portal. But issue occurs when I run Terraform Plan after failing back; it suggests below destructive change:

  # module.vm["westeurope_rg_8675_prod_dqjeemcjdu898"].module.Data_Disk["0"].azurerm_managed_disk.datadisk must be replaced
      ~ create_option        = "Restore" -> "Empty" # forces replacement
      - source_resource_id   = "/subscriptions/xxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx/resourceGroups/rg_8675_prod/providers/Microsoft.Compute/disks/dqjeemcjdu898_data000-ASRReplica/bookmark/xxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx" -> null # forces replacement

  # module.vm["westeurope_rg_8675_prod_dqjeemcjdu898"].module.Data_Disk["0"].azurerm_virtual_machine_data_disk_attachment.diskattachment["rg_8675_prod_dqjeemcjdu898_0"] must be replaced
      ~ managed_disk_id           = "/subscriptions/xxxxxxx-xxxx-xxxx-xxx-xxxxxxxxxxxx/resourceGroups/rg_8675_prod/providers/Microsoft.Compute/disks/dqjeemcjdu898_data000" -> (known after apply) # forces replacement

The reason for this seems that during failing back Azure change the disk creationOption to Restore and sourceResourceId as below:

“sourceResourceId”: “[concat(resourceId(‘Microsoft.Compute/disks’, parameters(‘disks_dqjeemcjdu898_data000_name’)), '-ASRReplica/bookmark/78b560a7-5g45-4be6-7u56-5f235655c27c’)]”


"resources": [
        {
            "type": "Microsoft.Compute/disks",
            "apiVersion": "2021-08-01",
            "name": "[parameters('disks_dqjeemcjdu898_data000_name')]",
            "location": "westeurope",
            "tags": {
                "Terraform_Stage": "Compute",
                "ASR-FODisk": "Created by Azure Site Recovery."
            },
            "sku": {
                "name": "StandardSSD_LRS",
                "tier": "Standard"
            },
            "properties": {
                "hyperVGeneration": "V1",
                "creationData": {
                    "createOption": "Restore",
                    "sourceResourceId": "[concat(resourceId('Microsoft.Compute/disks', parameters('disks_dqjeemcjdu898_data000_name')), '-ASRReplica/bookmark/78b560a7-5g45-4be6-7u56-5f235655c27c')]"
                },
                "diskSizeGB": 32,
                "diskIOPSReadWrite": 500,
                "diskMBpsReadWrite": 60,
                "encryptionSettingsCollection": {
                    "enabled": true,
                    "encryptionSettings": [
                        {
                            "diskEncryptionKey": {
                                "sourceVault": {
                                    "id": "[parameters('vaults_kv_8675_003_externalid')]"
                                },
                                "secretUrl": https://kv-8675-001.vault.azure.net/secrets/D0DEE6-RE92-4E43-DFG-RQWTGHYT/f9963bf4996642089c6eff2a34534
                            }
                        }
                    ],
                    "encryptionSettingsVersion": "1.1"
                },
                "encryption": {
                    "type": "EncryptionAtRestWithPlatformKey"
                },
                "networkAccessPolicy": "AllowAll",
                "publicNetworkAccess": "Enabled",
                "diskState": "Attached"
            }
        }
    ]

To see the impact, I applied this terraform plan in my dev environment. After terraform apply, I had to initialize & create new volume to attach the disk to the VM and lost all the data which is not ideal.

Not sure if this is again some terraform limitation or there is other way to handle this scenario better?