policy_definition_resource: Force recreation when policy definition parameter names change

internal/services/policy/policy_definition_resource.go

@@ -45,7 +45,7 @@ func resourceArmPolicyDefinition() *pluginsdk.Resource {
 		Schema: resourceArmPolicyDefinitionSchema(),
 
 		CustomizeDiff: pluginsdk.CustomizeDiffShim(func(ctx context.Context, d *pluginsdk.ResourceDiff, v interface{}) error {
-			// `parameters` cannot have values removed so we'll ForceNew if there are less parameters between Terraform runs
+			// `parameters` cannot have values removed or renamed so we'll ForceNew if any parameter names are removed/changed
 			if d.HasChange("parameters") {
 				oldParametersRaw, newParametersRaw := d.GetChange("parameters")
 				if oldParametersString := oldParametersRaw.(string); oldParametersString != "" {
@@ -64,8 +64,10 @@ func resourceArmPolicyDefinition() *pluginsdk.Resource {
 						return fmt.Errorf("expanding JSON for `parameters`: %+v", err)
 					}
 
-					if len(newParameters) < len(oldParameters) {
-						return d.ForceNew("parameters")
+					for oldKey := range oldParameters {
+						if _, exists := newParameters[oldKey]; !exists {
+							return d.ForceNew("parameters")
+						}
 					}
 				}
 			}

internal/services/policy/policy_definition_resource_test.go

@@ -176,6 +176,33 @@ func TestAccAzureRMPolicyDefinition_removeParameter(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMPolicyDefinition_renameParameter(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_policy_definition", "test")
+	r := PolicyDefinitionResource{}
+
+	data.ResourceTestIgnoreRecreate(t, r, []acceptance.TestStep{
+		{
+			Config: r.basic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.renamedParameter(data),
+			ConfigPlanChecks: resource.ConfigPlanChecks{
+				PreApply: []plancheck.PlanCheck{
+					plancheck.ExpectResourceAction(data.ResourceName, plancheck.ResourceActionReplace),
+				},
+			},
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (r PolicyDefinitionResource) Exists(ctx context.Context, client *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	definitionsClient := client.Policy.DefinitionsClient
 	id, err := parse.PolicyDefinitionID(state.ID)
@@ -480,6 +507,48 @@ PARAMETERS
 `, data.RandomInteger, mode, data.RandomInteger)
 }
 
+func (r PolicyDefinitionResource) renamedParameter(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_policy_definition" "test" {
+  name         = "acctestpol-%d"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "acctestpol-%d"
+
+  policy_rule = <<POLICY_RULE
+	{
+    "if": {
+      "not": {
+        "field": "location",
+        "in": "[parameters('allowedRegions')]"
+      }
+    },
+    "then": {
+      "effect": "audit"
+    }
+  }
+POLICY_RULE
+
+  parameters = <<PARAMETERS
+	{
+    "allowedRegions": {
+      "type": "Array",
+      "metadata": {
+        "description": "The list of allowed regions for resources.",
+        "displayName": "Allowed regions",
+        "strongType": "location"
+      }
+    }
+  }
+PARAMETERS
+}
+`, data.RandomInteger, data.RandomInteger)
+}
+
 func (r PolicyDefinitionResource) additionalParameter(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {