ignore_changes=all causes replacement every time #31912
Closed
Description
Terraform Version
1.3.1
Terraform Configuration Files
```hcl
resource "azurerm_key_vault_certificate" "cert1" {
  name         = "cert1"
  key_vault_id = "/subscriptions/.../some-keyvault"

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      key_size   = 2048
      exportable = true
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]
      subject = "CN=aaa.bbb.com"

      subject_alternative_names {
        dns_names = ["aaa.bbb.com"]
      }

      validity_in_months = 12
    }
  }

  lifecycle {
    ignore_changes = all
  }
}
```
Debug Output
https://gist.github.com/tamirkamara/85d890e496855c209548a65e5c64b50a
Expected Behavior
After initial creation, Terraform shouldn't try to recreate the certificate.
Actual Behavior
When `ignore_changes = all` is included, Terraform 1.3.1 keeps trying to replace the object on every run while the Azure object hasn't changed (in fact it was just created in the first place). This didn't happen in 1.2.9 and before (I confirmed).
Oddly enough, if I remove `ignore_changes = all` then 1.3.1 doesn't try to recreate immediately but will try to do so when the remote object is changed (which isn't the desired behavior).
Steps to Reproduce
As described in the actual behavior.
Additional Context
No response
References
No response
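
A pre-apply check for the behaviour reported above, as an added example that is not part of the original issue or of Terraform: it reads a plan in the `terraform show -json` format and lists guarded resources scheduled for destroy or replace, so a certificate that a run wants to recreate is caught before apply. The sample plan, the `PROTECTED_TYPES` set and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# reduced to the fields this check reads. The replace_paths value is made up;
# the issue does not show which attribute forced the replacement.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {"address": "azurerm_key_vault_certificate.cert1",
         "type": "azurerm_key_vault_certificate",
         "change": {"actions": ["delete", "create"],
                    "replace_paths": [["certificate_policy"]]}},
        {"address": "azurerm_resource_group.rg",
         "type": "azurerm_resource_group",
         "change": {"actions": ["no-op"]}},
        {"address": "azurerm_key_vault_certificate.cert2",
         "type": "azurerm_key_vault_certificate",
         "change": {"actions": ["update"]}},
    ],
})

# Assumption: resource types whose replacement should never happen silently.
PROTECTED_TYPES = {"azurerm_key_vault_certificate"}


def unexpected_replacements(plan_json, protected=PROTECTED_TYPES):
    """Return (address, replace_paths) for guarded resources the plan would destroy or replace."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is delete+create in either order; a bare delete is also destructive.
        if rc.get("type") in protected and "delete" in actions:
            paths = [".".join(map(str, p)) for p in change.get("replace_paths") or []]
            findings.append((rc["address"], paths))
    return findings


if __name__ == "__main__":
    for address, paths in unexpected_replacements(SAMPLE_PLAN):
        print(f"BLOCK: {address} would be replaced (forced by: {paths or 'unknown'})")
```
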