Terraform wanting to redeploy azure vms for 'no' reason

Question

I got a VM defined in terraform like this:

resource "azurerm_linux_virtual_machine" "vm" {
  name                            = var.vm-name
  resource_group_name             = var.RG
  location                        = var.location
  size                            = var.vm-size
  admin_username                  = data.azurerm_key_vault_secret.username.value
  disable_password_authentication = true
  proximity_placement_group_id    = data.azurerm_proximity_placement_group.proximity-group.id
tags = var.tags
  network_interface_ids = [
    azurerm_network_interface.nic.id,
  ]
admin_ssh_key {
    username   = data.azurerm_key_vault_secret.username.value
    public_key = data.azurerm_key_vault_secret.pub.value
  }
os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_ZRS"
  }
source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-focal"
    sku       = "20_04-lts-gen2"
    version   = "latest"
  }
}

Every time I run tf apply it thinks that the admin_username has been changed and wants to redeploy the machine. This is happening to several environments I'm working with so logically I'm doing something wrong but I can't figure out what..

Answer 1

So, in short, there is a bug/feature in terraform, and the posted solution was to output the keyvault_id from the keyvault module, then declaring the output value as a variable to pass into other modules. So when getting the secrets now, I use the output value as key_vault_id in the data-block for the secrets like this:

data "azurerm_key_vault_secret" "username" {
  name         = var.username
  key_vault_id = var.keyvault_id
}

instead of this:

data "azurerm_key_vault_secret" "username" {
  name         = var.username
  key_vault_id = data.azurerm_key_vault.kv.id
}