vault_pki_secret_backend_root_cert not properly refreshing state #939

Closed
neilmock opened this issue Jan 8, 2021 · 0 comments · Fixed by #1432
neilmock commented Jan 8, 2021

Terraform Version

0.14.2

Affected Resource(s)

Please list the resources as a list, for example:

  • vault_pki_secret_backend_root_cert

Terraform Configuration Files

resource "vault_mount" "nomad_ca" {
  path = "nomad-ca"
  type = "pki"

  max_lease_ttl_seconds = 315360000 # 10y
}

resource "vault_pki_secret_backend_root_cert" "nomad" {
  backend              = vault_mount.nomad_ca.path
  common_name          = "Nomad root CA 1"
  exclude_cn_from_sans = true
  key_bits             = 521
  key_type             = "ec"
  type                 = "internal"
  ttl                  = vault_mount.nomad_ca.max_lease_ttl_seconds
}

Expected Behavior

vault_pki_secret_backend_root_cert.nomad was deleted from Vault. Subsequent runs of terraform apply should refresh the state, detect the deletion, and re-create the root cert.

Actual Behavior

The state is supposedly refreshed:

vault_pki_secret_backend_root_cert.nomad: Refreshing state... [id=nomad-ca/root/generate/internal]

But the deletion was not detected and the state value of vault_pki_secret_backend_root_cert.nomad remains as the deleted cert.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply on the HCL above to create the initial cert on a fresh Vault and a fresh Terraform (no existing state).
  2. delete the cert from Vault manually.
  3. terraform apply on the HCL above to see the "actual behavior".

References

I am not a Terraform provider expert, but I believe this could be because the "read" operation is not implemented on the resource:

https://github.com/hashicorp/terraform-provider-vault/blob/master/vault/resource_pki_secret_backend_root_cert.go#L287
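
An out-of-band drift check for the situation reported above, as an added example that is not part of the original issue or the provider's code. It assumes the state is supplied as `terraform show -json` output and that the operator has separately fetched each PKI mount's current CA PEM from Vault (for instance from the mount's `ca/pem` endpoint), with an empty value meaning no CA is present. The function names and sample data are constructed for illustration.

```python
import json

RESOURCE_TYPE = "vault_pki_secret_backend_root_cert"

def _squash(pem):
    # Compare PEM text without caring about line wrapping or trailing newlines.
    return "".join((pem or "").split())

def _walk(module):
    # Yield resources from this module and every nested child module.
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def find_root_cert_drift(state_json, live_ca_by_backend):
    """Return [(address, reason)] for root certs whose state no longer matches Vault."""
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    drift = []
    for res in _walk(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        values = res.get("values", {})
        # live_ca_by_backend maps mount path -> PEM currently served by Vault (assumed input).
        live = live_ca_by_backend.get(values.get("backend"), "")
        if not _squash(live):
            drift.append((res["address"], "missing in Vault"))
        elif _squash(live) != _squash(values.get("certificate")):
            drift.append((res["address"], "differs from Vault"))
    return drift

# Constructed sample data: placeholder PEM bodies, not real certificates.
PEM_A = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE-A\n-----END CERTIFICATE-----\n"
PEM_B = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE-B\n-----END CERTIFICATE-----\n"
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [
    {"address": "vault_mount.nomad_ca", "type": "vault_mount",
     "values": {"path": "nomad-ca", "type": "pki"}},
    {"address": "vault_pki_secret_backend_root_cert.nomad", "type": RESOURCE_TYPE,
     "values": {"backend": "nomad-ca", "certificate": PEM_A}},
]}}})

if __name__ == "__main__":
    cases = (("unchanged", PEM_A), ("deleted", ""), ("regenerated", PEM_B))
    for label, live in cases:
        print(label, find_root_cert_drift(SAMPLE_STATE, {"nomad-ca": live}))
```
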
