No hard break on allow_read.

Deprecate allow_read instead of removing it outright.

vault/resource_generic_secret.go

@@ -45,6 +45,13 @@ func genericSecretResource() *schema.Resource {
 				ValidateFunc: ValidateDataJSON,
 			},
 
+			"allow_read": &schema.Schema{
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Attempt to read the token from Vault if true; if false, drift won't be detected.",
+				Deprecated:  "Please use disable_read instead.",
+			},
+
 			"disable_read": &schema.Schema{
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -124,6 +131,12 @@ func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error
 
 func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {
 	shouldRead := !d.Get("disable_read").(bool)
+	if !shouldRead {
+		// if disable_read is set to false or unset (we can't know which)
+		// and allow_read is set to true, go with allow_read.
+		shouldRead = d.Get("allow_read").(bool)
+	}
+
 	path := d.Id()
 
 	if shouldRead {

vault/resource_generic_secret_migrate.go

@@ -30,7 +30,6 @@ func migrateGenericSecretStateV0toV1(s *terraform.InstanceState) (*terraform.Ins
 	if disabledRead {
 		s.Attributes["disable_read"] = "true"
 	}
-	delete(s.Attributes, "allow_read")
 
 	log.Printf("[DEBUG] Attributes after migration: %#v:", s.Attributes)
 	return s, nil