#24087 : Disable use_system_assigned_identity to false when user_assi…

…gned_identity_id is set in encryption block

internal/services/recoveryservices/recovery_services_vault_resource.go

@@ -787,6 +787,7 @@ func expandEncryption(d *pluginsdk.ResourceData) *vaults.VaultPropertiesEncrypti
 	}
 	if v, ok := encryptionMap["user_assigned_identity_id"].(string); ok && v != "" {
 		encryption.KekIdentity.UserAssignedIdentity = utils.String(v)
+		encryption.KekIdentity.UseSystemAssignedIdentity = utils.Bool(false)
 	}
 	return encryption
 }
@@ -809,6 +810,7 @@ func flattenVaultEncryption(model vaults.Vault) interface{} {
 	encryptionMap["infrastructure_encryption_enabled"] = *encryption.InfrastructureEncryption == vaults.InfrastructureEncryptionStateEnabled
 	if encryption.KekIdentity.UserAssignedIdentity != nil {
 		encryptionMap["user_assigned_identity_id"] = *encryption.KekIdentity.UserAssignedIdentity
+		encryptionMap["use_system_assigned_identity"] = false
 	}
 	return encryptionMap
 }

website/docs/r/recovery_services_vault.html.markdown

@@ -84,7 +84,7 @@ An `encryption` block supports the following:
 
 * `user_assigned_identity_id` - (Optional) Specifies the user assigned identity ID to be used.
 
-* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`.
+* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`. When `user_assigned_identity_id` is set, this flag is set to `false`.
 
 !> **Note:** `use_system_assigned_identity` only be able to set to `false` for **new** vaults. Any vaults containing existing items registered or attempted to be registered to it are not supported. Details can be found in [the document](https://learn.microsoft.com/en-us/azure/backup/encryption-at-rest-with-cmk?tabs=portal#before-you-start)