
Terraform wants to re-create vault_gcp_auth_backend_role every time #228

Closed
RobinsonWM opened this issue Nov 2, 2018 · 1 comment · Fixed by #243

Comments

@RobinsonWM

Summary

If I have a vault_gcp_auth_backend_role resource, Terraform wants to recreate it on every subsequent run of terraform apply (or terraform plan), even if I haven't actually changed the resource.

Terraform Version

>terraform -v
Terraform v0.11.10
+ provider.vault v1.2.0

Affected Resource(s)

  • vault_gcp_auth_backend_role

Terraform Configuration Files

I omitted the values of the variables because they are all specific to my environment.

provider "vault" {
  address      = "${var.address}"
  token        = "${var.token}"
  ca_cert_file = "${var.ca_cert_file}"
  version      = "~> 1.2"
}

resource "vault_gcp_auth_backend_role" "my_role" {
  role                   = "elabs_developer"
  type                   = "iam"
  project_id             = "${var.project_id}"
  bound_service_accounts = ["${var.bound_service_account}"]
  policies               = ["default"]
  max_ttl                = "2h"
}

Debug Output

https://gist.github.com/RobinsonWM/3cea0f24335e540559e68552402e0fa2

Expected Behavior

Since I didn't change the resource at all, Terraform should not plan any changes.

Actual Behavior

Terraform reports changes for the resource:

>terraform apply
vault_gcp_auth_backend_role.my_role: Refreshing state... (ID: auth/gcp/role/elabs_developer)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ vault_gcp_auth_backend_role.my_role (new resource required)
      id:                                "auth/gcp/role/elabs_developer" => <computed> (forces new resource)
      backend:                           "gcp" => "gcp"
      bound_service_accounts.#:          "1" => "1"
      bound_service_accounts.2121747459: "[email protected]" => "[email protected]"
      max_ttl:                           "7200" => "2h"
      period:                            "" => <computed>
      policies.#:                        "1" => "1"
      policies.1971754988:               "default" => "default"
      project_id:                        "sfmc-qa-poc" => "sfmc-qa-poc"
      role:                              "elabs_developer" => "elabs_developer"
      ttl:                               "" => <computed>
      type:                              "" => "iam" (forces new resource)


Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

  1. terraform apply - on the first run, it creates the resource as expected
  2. Don't make any changes in Vault or in the Terraform configuration file
  3. terraform apply (or terraform plan) - it unexpectedly wants to recreate the resource

Important Factoids

I may have lumped two problems into one issue.

In the example, I expressed max_ttl as 2h. On the re-run, it sees the current value as 7200 (seconds) and wants to change it back to 2h even though they represent the same value.

However, if we remove max_ttl from the picture, the problem still happens, likely because of type.

@Phylu
Contributor

Phylu commented Nov 14, 2018

I have figured out the issue. The documentation [1] says that the type field is returned on a read as role_type. However, the actual value is just role.

I have successfully patched the provider accordingly and afterwards, the issue is resolved. However, I am not sure how the API is supposed to be (what the correct, expected response is). I think this should be clarified before updating the provider here. I have created a ticket there [2].

[1] https://www.vaultproject.io/api/auth/gcp/index.html#sample-response-1
[2] hashicorp/vault-plugin-auth-gcp#56
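The two causes of the perpetual diff discussed in this thread, the max_ttl value round-tripping as "7200" seconds versus the configured "2h", and the role type being read back under a different JSON key than the documented role_type, can both be reproduced in plain Go. The block below is an added illustration, not code from the terraform-provider-vault project or from either commenter, and it does not import the Terraform SDK: ttlEquivalent has the shape a DiffSuppressFunc body would have, roleTypeFromRead shows the read-side key fallback, and changedAttrs reports which attributes a plan would flag under the naive comparison versus the normalized one. The sample config and read response are constructed from the values in the issue, and the assumption that the API returns the type under the key "role" follows Phylu's comment.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// Constructed sample: the attributes as written in the issue's HCL.
var sampleConfig = map[string]string{
	"type":    "iam",
	"max_ttl": "2h",
}

// Constructed sample: a Vault read response shaped the way the thread reports
// the API actually answers (role type under "role", TTL as integer seconds).
// JSON numbers decode to float64 in Go, hence the type here.
var sampleRead = map[string]interface{}{
	"role":       "iam",
	"project_id": "sfmc-qa-poc",
	"max_ttl":    float64(7200),
}

// normalizeSeconds accepts a TTL either as a bare integer number of seconds
// ("7200", as stored in state from the API) or as a duration string ("2h", as
// written in HCL) and returns the canonical number of seconds.
func normalizeSeconds(s string) (int64, error) {
	if s == "" {
		return 0, nil
	}
	if n, err := strconv.ParseInt(s, 10, 64); err == nil {
		return n, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, err
	}
	return int64(d / time.Second), nil
}

// ttlEquivalent reports whether two TTL strings denote the same duration; this
// is the comparison a Terraform DiffSuppressFunc for the field would perform.
func ttlEquivalent(oldVal, newVal string) bool {
	a, errA := normalizeSeconds(oldVal)
	b, errB := normalizeSeconds(newVal)
	return errA == nil && errB == nil && a == b
}

// roleTypeFromRead returns the role type from a read response, trying the
// documented key ("role_type") first and falling back to the key the API was
// observed to return ("role").
func roleTypeFromRead(read map[string]interface{}) string {
	for _, key := range []string{"role_type", "role"} {
		if v, ok := read[key].(string); ok && v != "" {
			return v
		}
	}
	return ""
}

// changedAttrs returns the attributes a plan would show as changed between the
// config and the read response. With normalize=false it mirrors the reported
// provider behaviour (type read only from "role_type", max_ttl compared as raw
// strings); with normalize=true it applies the two fixes above.
func changedAttrs(config map[string]string, read map[string]interface{}, normalize bool) []string {
	var changed []string

	// The naive read sees "" for type because the response has no "role_type",
	// which is exactly the `type: "" => "iam" (forces new resource)` line.
	readType, _ := read["role_type"].(string)
	if normalize {
		readType = roleTypeFromRead(read)
	}
	if readType != config["type"] {
		changed = append(changed, "type")
	}

	// The state holds the API's integer seconds, the config holds "2h".
	readTTL := fmt.Sprint(read["max_ttl"])
	sameTTL := readTTL == config["max_ttl"]
	if normalize {
		sameTTL = ttlEquivalent(readTTL, config["max_ttl"])
	}
	if !sameTTL {
		changed = append(changed, "max_ttl")
	}
	return changed
}

func main() {
	fmt.Println("naive comparison changes:     ", changedAttrs(sampleConfig, sampleRead, false))
	fmt.Println("normalized comparison changes:", changedAttrs(sampleConfig, sampleRead, true))
}
```

Running it prints [type max_ttl] for the naive comparison and [] once both normalizations are applied; the type mismatch is the one that forces replacement, which is why the diff persists even after max_ttl is removed from the configuration.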
