azurerm_key_vault takes exactly 10 minutes to delete #26851

Closed
GraemeMeyerGT opened this issue Jul 29, 2024 · 6 comments

GraemeMeyerGT commented Jul 29, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform (and AzureRM Provider) Version

  • Terraform Core version: v1.9.2
  • AzureRM Provider version: v3.112.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.112.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "random_string" "random" {
  length  = 8
  special = false
  upper   = false
}

resource "azurerm_key_vault" "example" {
  name                        = "examplekv-${random_string.random.result}"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"
}

Description / Feedback

The azurerm_key_vault resource is taking an unusually long time to destroy, seemingly exactly 10 minutes according to Terraform. This seems implausible as Key Vaults typically destroy much faster. This behaviour suggests a potential bug in the AzureRM provider.

Expected behaviour: The Key Vault should be destroyed in a reasonable amount of time, typically under three minutes.

Actual behaviour: The Key Vault destruction is taking exactly 10 minutes according to Terraform.

References

This seems likely to be related to the changes made in v3.106.0 or v3.107.0 (#26070 and #26199 respectively). I'm not familiar enough with Go to diagnose much further. I tried this Terraform configuration with 3.105.0 and it also took exactly 10 minutes to destroy the Key Vault, so it may not be related to these releases as I'd previously thought.

I've collected a TRACE of the core + provider, redacted some values and uploaded here:

redacted_terraform_destroy_core_trace.zip

I created a PowerShell script to try to replicate the same creation and deletion operations using the Azure CLI so I could time it for a rough comparison, and the Azure CLI seems to be able to do the whole create --> delete --> done process in about 2 minutes:

Resource Group creation time: 1.7927926 seconds
Key Vault creation time: 34.5628745 seconds
Warning! If you have soft-delete protection enabled on this key vault, you will not be able to reuse this key vault name until the key vault has been purged from the soft deleted state. Please see the following documentation for additional guidance.
https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview
Waiting for Key Vault deletion to complete...
Key Vault deletion time: 4.8046427 seconds
Resource Group deletion time: 47.3098359 seconds
Total execution time: 93.466661 seconds
@GraemeMeyerGT
Author

GraemeMeyerGT commented Jul 29, 2024

I'm not sure how the v4.0-beta label got on here, and I'm not sure how to take it off... apologies if this messes up something

@wuxu92
Contributor

wuxu92 commented Jul 30, 2024

Hi @GraemeMeyerGT thanks for filing this issue.

Actually, the key vault was deleted in 4 seconds as shown in the log:

image

AzureRM will automatically purge the key vault if purge protection is not enabled. The purge operation takes about 10 minutes:

the start of purging:
image

the purge finished:
image

@GraemeMeyerGT
Author

Thanks @wuxu92, do you have any idea how to get it to delete faster? It's not clear to me why Terraform should trigger a 10 minute delete/purge, whilst the Azure Key Vault or the Azure Portal UI would do it whatever way is faster? (I'll admit, we're at the edge of my understanding of how KV works).

@wuxu92
Contributor

wuxu92 commented Jul 30, 2024

@GraemeMeyerGT To speed up deletion by skipping the purge operation, set the provider feature purge_soft_delete_on_destroy to false.

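provider "azurerm" {
  features {
    # The features sub-block is named key_vault (with an underscore).
    key_vault {
      # Leave the vault soft-deleted on destroy instead of purging it.
      purge_soft_delete_on_destroy = false
    }
  }
}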

For more details, see the provider features documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block#purge_soft_deleted_certificates_on_destroy:~:text=The%20key_vault%20block%20supports%20the%20following%3A
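
Added example, not part of the thread and not the provider's code: the two phases described above (soft-delete, then purge) run as separate Azure CLI calls so each can be timed on its own. The function names are made up for this sketch, and the vault and resource-group names are supplied by the caller.

```shell
#!/bin/sh
# Added example: time a Key Vault soft-delete and its purge as separate steps.
# Function names are hypothetical; no vault name here comes from the issue.

# elapsed CMD...: run CMD, discard its output, echo the elapsed whole seconds.
elapsed() {
  start=$(date +%s)
  "$@" >/dev/null
  end=$(date +%s)
  echo $((end - start))
}

# soft_deleted VAULT: echo "yes" while the vault sits in the soft-deleted state.
soft_deleted() {
  if az keyvault show-deleted --name "$1" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# delete_then_purge VAULT RESOURCE_GROUP: report each phase on its own line.
delete_then_purge() {
  echo "soft-delete seconds: $(elapsed az keyvault delete --name "$1" --resource-group "$2")"
  echo "soft-deleted after delete: $(soft_deleted "$1")"
  # This second call is the step the provider adds on destroy while
  # purge_soft_delete_on_destroy is left enabled.
  echo "purge seconds: $(elapsed az keyvault purge --name "$1")"
  echo "soft-deleted after purge: $(soft_deleted "$1")"
}

# Usage (needs a logged-in Azure CLI): delete_then_purge <vault-name> <resource-group>
```

With purge_soft_delete_on_destroy = false, terraform destroy stops after the first phase, so the vault stays recoverable and its name stays reserved until it is purged or the soft_delete_retention_days window ends.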

@GraemeMeyerGT
Author

I see, thanks @wuxu92. I will close this issue


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 30, 2024