Azure Key Vault Soft-delete Is a Problem

2021-07-12 2 min read

Azure Key Vault is a great solution for managing secrets, keys and certificates. It also has many great features, like soft-delete, which protects a vault against unwanted deletion.

Another great tool is Terraform, which manages infrastructure as code so that every environment gets exactly the same resources, versioned through a git repository.

That is where some confusion happened to me, because I was not aware of this great feature.

The problem

Terraform recreates previously dropped infrastructure using a predefined prefix and naming convention. Here is our problem…

Microsoft documentation says:

Breaking change: the ability to opt out of soft-delete will be deprecated soon. Azure Key Vault users and administrators should enable soft-delete on their key vaults immediately. For Azure Key Vault Managed HSM, soft-delete is enabled by default and can’t be disabled.

This is a problem during the test phase of infrastructure-as-code solutions like Terraform, because the default behaviour of Azure Resource Manager is to restore the previously used Key Vault instance with all of its existing data (keys, secrets, etc.). This leads to problems with stale data whenever the same resource name is reused. For example, when we reuse the name devkeyvault in our tf script, devkeyvault is restored from its soft-deleted “backup” with all of its old data.

Solution

As a solution, we can add a step to our cleanup script that purges all soft-deleted key vaults. This can be done from the Portal or from the CLI.
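The CLI version of that cleanup step, as an added example that is not part of the original post: a POSIX shell script that lists soft-deleted vaults with the Azure CLI, keeps only those whose name carries the environment prefix Terraform uses (dev in this example), and purges them so the next apply creates a fresh vault instead of restoring the old one. The az commands are real Azure CLI commands; the prefix, the RUN_LIVE and DRY_RUN switches, and the sample list of deleted vaults are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): purge soft-deleted Key Vaults
# that match the naming prefix used by the Terraform test environment.
# Live mode assumes the Azure CLI (`az`) is installed and logged in with a
# principal that holds the Key Vault purge permission.

tab=$(printf '\t')

# Constructed sample in the "name<TAB>location" shape produced by the
# --query below; it lets the selection and dry-run logic run offline.
DELETED_VAULTS_TSV=$(printf 'devkeyvault\twesteurope\ntestkeyvault\twesteurope\nprodkeyvault\tnortheurope')

# Fetch name and location of every soft-deleted vault in the current subscription.
list_deleted_vaults() {
    az keyvault list-deleted \
        --query "[].[name, properties.location]" -o tsv
}

# Keep only vaults whose name starts with the given prefix (e.g. "dev").
# Reads "name<TAB>location" lines on stdin and prints the matching ones.
select_vaults_by_prefix() {
    prefix="$1"
    while IFS="$tab" read -r name location; do
        case "$name" in
            "$prefix"*) printf '%s\t%s\n' "$name" "$location" ;;
        esac
    done
}

# Purge each selected vault. With DRY_RUN=1 the purge commands are printed
# instead of executed, so the step can be reviewed before it runs for real.
purge_vaults() {
    while IFS="$tab" read -r name location; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'az keyvault purge --name %s --location %s\n' "$name" "$location"
        else
            az keyvault purge --name "$name" --location "$location"
        fi
    done
}

# Offline demonstration on the constructed sample: only devkeyvault is selected.
DRY_RUN=1
printf '%s\n' "$DELETED_VAULTS_TSV" | select_vaults_by_prefix dev | purge_vaults

# Live run (assumed switch): RUN_LIVE=1 PREFIX=dev DRY_RUN=0 sh purge-deleted-vaults.sh
if [ "${RUN_LIVE:-0}" = "1" ]; then
    DRY_RUN="${DRY_RUN:-0}"
    list_deleted_vaults | select_vaults_by_prefix "${PREFIX:-dev}" | purge_vaults
fi
```

Purging is permanent: the vault and all of its keys, secrets and certificates are gone, which is why the prefix filter and the dry run are there, so a production vault such as prodkeyvault is never touched by the test cleanup. A vault that has purge protection enabled cannot be purged at all until its retention period ends, so this step only helps for vaults where that option is off. If the vaults are managed by the azurerm Terraform provider, the same effect can be reached declaratively with the provider's features block (`key_vault { purge_soft_delete_on_destroy = true }`), which purges the vault as part of terraform destroy.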

[Image: key-vault-soft-delete.png]

Summary

This is a quick guide in a how-to series where I want to collect some interesting topics from my day-to-day work.