terraform-provider-vault

aws_auth_backend_sts_role account_id change should ForceNew

Open chammock opened this issue 2 years ago • 0 comments

Terraform Version

Terraform v1.1.9
on darwin_amd64
+ provider registry.terraform.io/hashicorp/vault v3.5.0

Affected Resource(s)

  • resource_aws_auth_backend_sts_role

Terraform Configuration Files

Initial

resource "vault_auth_backend" "aws" {
  type = "aws"
}

resource "vault_aws_auth_backend_sts_role" "role" {
  backend    = vault_auth_backend.aws.path
  account_id = "1234567890"
  sts_role   = "arn:aws:iam::1234567890:role/my-role"
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

The resource should be recreated, as the account_id is changed and the account ID is used to make up the path in Vault. The account_id attribute should be ForceNew: true.

Actual Behavior

The account_id is updated in the state but not in the Vault path or resource ID. And since the path is not getting updated, the sts_role gets updated on the wrong, old Vault path.

Steps to Reproduce

  1. terraform apply the sample config above
  2. Change the account_id and sts_role to a new value, i.e. 0987654321
  3. terraform apply

Example output of terraform plan/apply after step 2

resource "vault_aws_auth_backend_sts_role" "role" {
    ~ account_id = "1234567890" -> "0987654321"
      id                  = "auth/aws/config/sts/1234567890"
    ~ sts_role      = "arn:aws:iam::1234567890:role/my-role" -> "arn:aws:iam::0987654321:role/my-role"
    # (1 unchanged attribute hidden)
}

Important Factoids

N/A

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

  • https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_aws_auth_backend_sts_role.go#L30

chammock May 13 '22 16:05
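The failure mode reported above, modelled in Go as an added example (it is not the provider's code and does not use the Terraform SDK): an in-place update leaves the old account's path holding the new account's role, while a ForceNew-style replacement moves the entry to the new path. The `vault` map and the `state`, `apply`, `drifted` and `run` names are hypothetical; the path format and sample values are taken from the plan output in the issue.

```go
package main

import "fmt"

// vault is a constructed in-memory stand-in for Vault's auth/<backend>/config/sts/* paths.
type vault map[string]string

type state struct{ ID, AccountID, STSRole string } // what Terraform records for the resource

// stsPath follows the ID format visible in the plan output above.
func stsPath(backend, accountID string) string {
	return "auth/" + backend + "/config/sts/" + accountID
}

func roleARN(accountID string) string { return "arn:aws:iam::" + accountID + ":role/my-role" }

func create(v vault, backend, accountID string) state {
	id := stsPath(backend, accountID)
	v[id] = roleARN(accountID)
	return state{id, accountID, v[id]}
}

// apply changes account_id. forceNew=false models the reported in-place update
// (write lands on the unchanged ID); forceNew=true models destroy-then-create.
func apply(v vault, s state, backend, accountID string, forceNew bool) state {
	if forceNew {
		delete(v, s.ID)
		return create(v, backend, accountID)
	}
	v[s.ID] = roleARN(accountID)
	return state{s.ID, accountID, roleARN(accountID)}
}

// drifted reports whether the Vault path no longer matches account_id in state.
func drifted(s state, backend string) bool { return s.ID != stsPath(backend, s.AccountID) }

// run executes the issue's reproduction steps against a fresh store.
func run(forceNew bool) (state, vault) {
	v := vault{}
	s := create(v, "aws", "1234567890")
	return apply(v, s, "aws", "0987654321", forceNew), v
}

func main() {
	for _, forceNew := range []bool{false, true} {
		s, v := run(forceNew)
		fmt.Printf("ForceNew=%v id=%s drifted=%v paths=%v\n", forceNew, s.ID, drifted(s, "aws"), v)
	}
}
```

The `drifted` comparison (resource ID versus the path implied by `account_id`) is also a quick audit to run over existing state for resources that were already updated in place.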