This error occurs when trying to create an Azure Key Vault with a name that already exists, either as an active vault or in a soft-deleted state. Azure Key Vaults have globally unique names and are subject to soft-delete retention periods.
Azure Key Vault names must be globally unique across all Azure subscriptions and regions. When you delete a Key Vault, it enters a "soft-deleted" state for a retention period (default 90 days) before being permanently removed. If you attempt to create a new vault with the same name before the retention period expires, or if a vault with that name still exists in your subscription, you will receive this error. The Key Vault service prevents name reuse to protect against accidental overwrites and maintain security boundaries.
First, identify if a soft-deleted vault with your desired name exists:
```shell
az keyvault list-deleted
```
This command lists all soft-deleted Key Vaults in your subscription. Look for the vault name you're trying to create.
If you find the vault in the soft-deleted state, want to reuse the name, and do not need anything stored in it, purge it:
```shell
az keyvault purge --name <vault-name> --location <location>
```
Purging is irreversible: the vault and every key, secret and certificate in it are permanently destroyed. After purging, wait 1-2 minutes before attempting to create the new vault, as the name must fully propagate through Azure services.
If the deleted vault contains data you want to keep, recover it instead of purging:
```shell
az keyvault recover --name <vault-name> --location <location>
```
Then import the recovered vault into your Terraform state so your configuration manages it.
Add the recovery feature to your Azure provider configuration to automatically recover soft-deleted vaults when creating a new one:
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      recover_soft_deleted_key_vaults = true
    }
  }
}
```
This setting allows Terraform to automatically recover soft-deleted Key Vaults instead of failing.
If a Key Vault already exists and you want to manage it with Terraform, import it into your state file:
```shell
terraform import azurerm_key_vault.example \
  /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>
```
Then generate or write the corresponding Terraform configuration to match the imported resource.
If the vault name is taken globally and cannot be recovered, select a different, unique name:
```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  # Only the first 8 characters of the subscription ID are used so the
  # name stays within the 24-character limit for Key Vault names.
  name                = "kv-unique-${substr(data.azurerm_client_config.current.subscription_id, 0, 8)}"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}
```
Include a unique suffix (timestamp, subscription ID, or random string) to guarantee global uniqueness, keeping the full name within the length limit.
Soft-delete is enabled by default for all Key Vaults and cannot be disabled; it is a mandatory feature for Azure Key Vault security and compliance. The retention period ranges from 7 to 90 days depending on your configuration. If purge protection is enabled on the deleted vault, you cannot purge it and must wait for the retention period to expire. Key Vault names must be 3-24 characters long, contain only alphanumerics and hyphens, and start with a letter. For highly available setups, consider using Key Vault names that include a region suffix or deployment identifier to simplify multi-region management.
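The steps above boil down to a decision: is the name soft-deleted, is it purge-protected, and how long until it is released? The following Python helper, an added example rather than code from the original page or from Terraform or Azure, takes the JSON printed by `az keyvault list-deleted -o json` and returns which remediation applies. The field names follow the Azure CLI output for deleted vaults; the sample output and the `AS_OF` date are constructed.

```python
"""Added triage helper (not from the original page) for the name-conflict
error above: given the JSON from `az keyvault list-deleted -o json` and the
name you want, it says which remediation applies. Field names follow the
Azure CLI output for deleted vaults; the sample output below is constructed."""
import json
from datetime import datetime, timezone

# Constructed sample, shaped like `az keyvault list-deleted -o json`.
SAMPLE_OUTPUT = json.dumps([
    {"name": "kv-payments-prod", "properties": {
        "location": "westeurope", "deletionDate": "2024-05-01T10:00:00+00:00",
        "scheduledPurgeDate": "2024-07-30T10:00:00+00:00",
        "purgeProtectionEnabled": True}},
    {"name": "kv-sandbox-dev", "properties": {
        "location": "eastus", "deletionDate": "2024-06-10T08:30:00+00:00",
        "scheduledPurgeDate": "2024-06-17T08:30:00+00:00",
        "purgeProtectionEnabled": False}},
])
# Constructed "current time" so the day counts below are reproducible.
AS_OF = datetime(2024, 6, 12, tzinfo=timezone.utc)


def triage_vault_name(list_deleted_json, wanted, now=AS_OF):
    """Return (status, days_until_purge) for the vault name you want to create.

    "not-soft-deleted": name is absent from the soft-deleted list, so an active
        vault owns it (yours: import it; someone else's: pick a new name).
    "recover-or-purge": soft-deleted without purge protection; recover it to keep
        its secrets, or purge it (irreversible) and retry after propagation.
    "wait-for-purge": purge protection is on, so the name stays blocked until
        scheduledPurgeDate; wait it out or choose another name.
    """
    for entry in json.loads(list_deleted_json):
        if entry.get("name", "").lower() != wanted.lower():
            continue
        props = entry["properties"]
        purge_at = datetime.fromisoformat(props["scheduledPurgeDate"])
        days_left = max(0, (purge_at - now).days)
        if props.get("purgeProtectionEnabled"):
            return "wait-for-purge", days_left
        return "recover-or-purge", days_left
    return "not-soft-deleted", 0


if __name__ == "__main__":
    for name in ("kv-payments-prod", "kv-sandbox-dev", "kv-new-vault"):
        status, days = triage_vault_name(SAMPLE_OUTPUT, name)
        print(f"{name}: {status} ({days} day(s) until scheduled purge)")
```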