Unable to destroy NCC private endpoint

Dnirmania
Contributor

Hi Team

Accidentally, we removed one of the NCC private endpoints from our storage account that was created using Terraform. When I tried to destroy and recreate it, I encountered the following error. According to some articles, the private endpoint will be automatically purged after 7 days, but how can I purge it immediately?

Error: cannot delete mws ncc private endpoint rule: Private endpoint rule with id *******-ee7a-4087-8264-******* is already deactivated and will be purged at 1744806202021.


Vidhi_Khaitan
Databricks Employee

Once a private endpoint rule is deactivated, it isn't immediately removed. Instead, it will be scheduled for purging after a set time period. In your case, the rule is slated for purging at the timestamp mentioned. 
This situation can occur in scenarios where a user manually deletes a private endpoint rule while it's still being managed by Terraform, leading to inconsistencies between the Terraform state and the actual resources in Azure. As a result, when Terraform tries to recreate or manage the rule, it runs into conflicts due to the existing deactivated state of the rule.

If the rule is already deactivated, the easiest approach would be to wait for the automatic purging to occur as scheduled.

Otherwise, you can remove the endpoint like this -

https://docs.databricks.com/aws/en/security/network/serverless-network-security/manage-private-endpo...

MHenn1g
New Contributor II

The Terraform provider tries to destroy the NCC rule.
It discovers that the NCC rule has already been deleted.
This sounds more like the logical thing would be to ignore it and move on with the terraform destroy procedure instead of blocking the process for 7 days or forcing users to manually remove the NCC rules from the state file o.O

nayan_wylde
Esteemed Contributor

If you need to re-establish the private endpoint immediately and cannot wait for the purge time, your only option is to define a new private endpoint resource and private endpoint connection rule with a unique name in your Terraform configuration.

Since the original ID is still reserved until purged, using a different name bypasses the soft-delete conflict and allows for instant creation.

Action: Modify the name of your azurerm_private_endpoint resource in Terraform (e.g., change it from mws-ncc-pe to mws-ncc-pe-v2).

MHenn1g
New Contributor II

The problem with that is that you can't create a resource with a new name unless you manually remove the old one from the Terraform state first.

This is because the Terraform provider needs to destroy the original resource before it will continue in marking the apply run a success... So I fear that, as long as that resource is residing in the Terraform state, the process is blocked, because the old resource is stuck in this 7-day purging window.

nayan_wylde
Esteemed Contributor

That's an excellent point about Terraform state. You are correct that if the old private endpoint resource is still in your Terraform state file, any subsequent apply attempt to create a new resource with a different name (or even just destroy the old one) will likely fail because the Azure API is blocking the full deletion, thus keeping the resource in a "tainted" or "deleting" state within Terraform.

Since you've already attempted to destroy the resource via Terraform, and the Azure API confirmed it's in a deactivated state, the standard destroy operation is likely stuck awaiting the final purge.

Solution: Manually Remove from Terraform State

The most effective way to unblock your deployment is to manually remove the private endpoint resource from your Terraform state file. This tells Terraform to stop managing that specific resource, allowing the rest of your configuration (including creating a new endpoint) to proceed without the "stuck" resource causing a failure.

Hubert-Dudek
Databricks MVP

Just let the state forget about it:

terraform state rm 'your_module.your_terraformresource'

you can find that terraform resource by using:

terraform state list | grep -i databricks_mws_ncc_private_endpoint_rule

and later validating id:

terraform state show 'your_module.your_terraformresource'


My blog: https://databrickster.medium.com/
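The last two replies describe the same recovery: find the stuck rule's address in state, confirm it is the deactivated one from the error message, then `terraform state rm` it. The script below is an added example, not code from the thread or from the Databricks provider; it wraps those steps in small functions that can be checked offline. The module address `module.ncc.databricks_mws_ncc_private_endpoint_rule.storage`, the sample `terraform state list` / `terraform state show` output and the rule id `STUCK-RULE-ID-PLACEHOLDER` are all constructed for illustration, and the `rule_id` / `deactivated` attribute names are taken from the provider's documented schema and should be treated as an assumption for your provider version.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): helper around the "forget it in state"
# recovery. Everything below the comments is constructed sample data or an
# assumed address; the live commands are kept commented so the file runs offline.

# Constructed sample of `terraform state list` output.
SAMPLE_STATE_LIST='module.ncc.databricks_mws_network_connectivity_config.this
module.ncc.databricks_mws_ncc_private_endpoint_rule.storage
module.ncc.databricks_mws_ncc_binding.workspace
azurerm_storage_account.lake'

# Constructed sample of `terraform state show` output for the stuck rule
# (attribute names rule_id / deactivated are assumed from the provider schema).
SAMPLE_STATE_SHOW='# module.ncc.databricks_mws_ncc_private_endpoint_rule.storage:
resource "databricks_mws_ncc_private_endpoint_rule" "storage" {
    deactivated = true
    rule_id     = "STUCK-RULE-ID-PLACEHOLDER"
}'

# Step 1: narrow a state listing ($1) down to NCC private endpoint rule addresses.
ncc_rule_addresses() {
  printf '%s\n' "$1" | grep -i 'databricks_mws_ncc_private_endpoint_rule'
}

# Step 2: confirm that a `state show` dump ($1) is the rule the API reported as
# deactivated, both by the deactivated flag and by the id from the error ($2),
# so that nothing else is dropped from state by mistake.
is_deactivated_rule() {
  printf '%s\n' "$1" | grep -q 'deactivated *= *true' &&
    printf '%s\n' "$1" | grep -q "rule_id *= *\"$2\""
}

# Step 3: build (not run) the state rm command for a verified address so it
# can be reviewed before execution.
state_rm_command() {
  printf "terraform state rm '%s'" "$1"
}

# Glue: $1 = state list output, $2 = state show output for the first matching
# address, $3 = deactivated rule id. Prints the command to run, or nothing and
# returns 1 when there is no rule in state or the id does not match.
forget_deactivated_rule() {
  addr=$(ncc_rule_addresses "$1" | head -n 1)
  [ -n "$addr" ] || return 1
  is_deactivated_rule "$2" "$3" || return 1
  state_rm_command "$addr"
  printf '\n'
}

# Live run against real state (commented out; take a state backup first):
# terraform state pull > state-before-rm.tfstate
# forget_deactivated_rule "$(terraform state list)" \
#   "$(terraform state show 'module.ncc.databricks_mws_ncc_private_endpoint_rule.storage')" \
#   'STUCK-RULE-ID-PLACEHOLDER'

# Offline run against the constructed samples.
forget_deactivated_rule "$SAMPLE_STATE_LIST" "$SAMPLE_STATE_SHOW" 'STUCK-RULE-ID-PLACEHOLDER'
```

Run offline it prints `terraform state rm 'module.ncc.databricks_mws_ncc_private_endpoint_rule.storage'`; with the live lines uncommented, review that output before executing it. Removing the address from state only stops Terraform from managing it, which is what unblocks the apply; the deactivated rule in Azure is still purged on the schedule from the error message, and the replacement rule must use a new name as nayan_wylde noted.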