ForceNew on azuredevops_serviceendpoint_azurerm

[hbuckle]

After importing an existing AzureRM service endpoint terraform plan shows it needs to be replaced due to credentials. Is this correct behaviour? It should be possible to update the credentials of the service endpoint without replacing it?

  # azuredevops_serviceendpoint_azurerm.manual_workaround must be replaced
-/+ resource "azuredevops_serviceendpoint_azurerm" "manual_workaround" {
      ~ authorization             = {
          - "scheme" = "ServicePrincipal"
        } -> (known after apply)
        azurerm_spn_tenantid      = "***"
        azurerm_subscription_id   = "***"
        azurerm_subscription_name = "staging"
      + description               = "Managed by terraform-sql_server"
      ~ id                        = "***" -> (known after apply)
        project_id                = "***"
        service_endpoint_name     = "cbuk-core-staginggreen-sql-manualworkaround"

      + credentials { # forces replacement
          + serviceprincipalid       = "***"
          + serviceprincipalkey      = (sensitive value)
          + serviceprincipalkey_hash = (sensitive value)
        }

      - timeouts {}
    }

[xuzhang3]

Hi @hbuckle This is the right behavior. Recreation service connection will have a new ID which may broken your current CI/CD.
I try remove the force new flag and it works too, looks there's no need to renew a new service connection when credentials changed, this can an update of the API but ADO provider not updated.

[hbuckle]

@xuzhang3 - I can raise a PR to remove the ForceNew so credentials can be updated?

[xuzhang3]

@hbuckle Remove the credentials.ForceNew and you can build a private package and test it, you will find that Terraform will only update the credentials not create a new one.

[xuzhang3]

Close this issue, feel free to open another issue if you have questions.