TF Apply fails when attempting to purge KV secrets

Hi guys,

I’ve got a situation where I’ve had numerous secrets in a KV that has purge protection enabled. I then elected to remove those secrets from TF & handle them otherwise. The TF Apply successfully deleted the secrets, but failed attempting to purge them with a 403 error. The Apply managed to remove those secrets from the State file too.

A “Day 2” scripting process now manages those secrets & has put the same secrets in place in the KV.

A month on, & I’m on to building other resources & running a Plan in preparation. Strange thing is that the Plan knows about those secrets, despite them not being in the state file (or code) & wants to delete/purge them again.

How does TF do this? i.e. know to remove KV secrets that are not in the state file or configuration (i.e. TF code)?

If we manually add a new KV secret, TF doesn’t know or care about it. But how does it know that it historically managed these other secrets & that they got “restored”?

Confuzzed!
Martin

Hi @martin.baker,

Terraform cannot see any object that’s not tracked in the state, so I have to assume that they weren’t actually removed from the state after all.

If a provider returns an error when asked to apply a “delete” change then Terraform Core will typically retain the existing value so that the provider can try again on the next run, so unless you did something special to remove them I would expect that the failed attempt to purge caused them to remain in the state.

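To make the reply's point concrete, here is an added example that is not code from the original thread or from Terraform itself. It simulates, in plain Python, the behaviour described above: a resource is dropped from state only when the provider's delete succeeds, and a provider error (here, a modelled 403 on the purge step) leaves the entry in place, which is exactly what a later plan then sees as "still tracked, not in config, so destroy". The state document, the vault ID, the secret names and the provider delete routine are all constructed assumptions for illustration.

```python
"""Simulation of how Terraform Core treats a failed delete (added example, not
Terraform's own code). The state below is a constructed, minimal
terraform.tfstate-style document; all names and IDs are hypothetical."""
import copy


class ProviderError(Exception):
    """Stands in for an error returned by a provider during apply."""


# Constructed sample state (format version 4 layout) with two hypothetical
# azurerm_key_vault_secret resources. Not a real vault or subscription.
SAMPLE_STATE = {
    "version": 4,
    "serial": 7,
    "resources": [
        {
            "mode": "managed",
            "type": "azurerm_key_vault_secret",
            "name": name,
            "provider": 'provider["registry.terraform.io/hashicorp/azurerm"]',
            "instances": [{"schema_version": 0, "attributes": {
                "name": secret, "key_vault_id": "/subscriptions/00000000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/example-kv"}}],
        }
        for name, secret in (("db_password", "db-password"), ("api_key", "api-key"))
    ],
}


def address(resource):
    """Resource address as shown by `terraform state list`, e.g. type.name."""
    return f"{resource['type']}.{resource['name']}"


def tracked_secrets(state):
    """Addresses of every managed azurerm_key_vault_secret currently in state."""
    return [address(r) for r in state["resources"]
            if r["mode"] == "managed" and r["type"] == "azurerm_key_vault_secret"]


def planned_destroys(state, config_addresses):
    """What a plan proposes to destroy: tracked in state but absent from config.
    Objects that exist in the vault but are not in state never appear here."""
    return [a for a in tracked_secrets(state) if a not in set(config_addresses)]


def make_provider_delete(purge_protected, log):
    """Modelled provider delete: soft-delete, then purge. With purge protection
    on, the purge step fails with 403 (as reported in the thread). Assumed
    behaviour for illustration, not the azurerm provider's actual code."""
    def delete(resource):
        secret = resource["instances"][0]["attributes"]["name"]
        log.append(("soft-delete", secret))
        if purge_protected:
            raise ProviderError(f"purging {secret}: 403 Forbidden (purge protection enabled)")
        log.append(("purge", secret))
    return delete


def apply_delete(state, target, delete_fn):
    """Apply a 'destroy' for `target`. The entry is removed from state only if
    the provider reports success; on error the existing entry is retained so
    the next run can retry. Returns (new_state, errors)."""
    new_state = copy.deepcopy(state)
    new_state["serial"] += 1
    kept, errors = [], []
    for r in new_state["resources"]:
        if address(r) != target:
            kept.append(r)
            continue
        try:
            delete_fn(r)          # success: entry is dropped
        except ProviderError as e:
            errors.append(f"{address(r)}: {e}")
            kept.append(r)        # failure: keep tracking it
    new_state["resources"] = kept
    return new_state, errors


if __name__ == "__main__":
    log = []
    after, errs = apply_delete(SAMPLE_STATE, "azurerm_key_vault_secret.db_password",
                               make_provider_delete(purge_protected=True, log=log))
    print("provider actions:", log)
    print("errors:", errs)
    print("still tracked:", tracked_secrets(after))
    print("next plan would destroy (config now empty):", planned_destroys(after, []))
```

To check the real situation rather than the simulation, `terraform state list` shows exactly which addresses are still tracked; if the secrets are listed there, `terraform state rm <address>` drops them from state without touching the objects in the vault, after which a plan no longer proposes to destroy them.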