terraform-provider-vault

vault_pki_secret_backend_role produces perpetual diff when no key_usages are specified.

Open martin31821 opened this issue 1 year ago • 0 comments

Terraform Version:

1.2.3

registry.terraform.io/hashicorp/vault v3.7.0

Affected Resource(s)

  • vault_pki_secret_backend_role

Terraform Configuration Files

resource "vault_pki_secret_backend_role" "example_role" {
  backend               = vault_mount.ca.path
  name                  = "example_signer"
  allow_any_name        = true
  allow_ip_sans         = false
  server_flag           = false
  client_flag           = false
  code_signing_flag     = false
  email_protection_flag = false
  ttl                   = local.vault_default_ttl
  key_type              = "ec"
  key_bits              = 256
  key_usage             = []
  ext_key_usage         = []
}

Expected Behavior

I expect the role to not have a key_usage array specified.

Actual Behavior

The provider ignores the empty key_usage array and produces a perpetual diff that looks like this:

  ~ resource "vault_pki_secret_backend_role" "example_role" {
        id                                 = "example/example_signer"
      ~ key_usage                          = [
          - "DigitalSignature",
          - "KeyAgreement",
          - "KeyEncipherment",
        ]
        name                               = "example_signer"
        # (37 unchanged attributes hidden)
    }

Steps to Reproduce

Apply the code piece from above.

References

#365 #1443 #748

Piece of code where it comes from:
https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_pki_secret_backend_role.go#L626
https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_pki_secret_backend_role.go#L408

martin31821 avatar Jul 14 '22 09:07 martin31821
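A simplified model of the drift reported above, added here as an illustration and not taken from the provider's source: a client that drops an empty `key_usage` list from the write request leaves the server to apply its default, so the stored role never matches the configuration and certificates issued from it carry those default usages. The function names (`buildPayload`, `serverStore`, `planDiff`) and the `omitEmpty` switch are hypothetical; the default list is the three values shown in the diff.

```go
package main

import "fmt"

// Default applied when key_usage is absent from the request
// (the three values that appear in the perpetual diff above).
var vaultDefaultKeyUsage = []string{"DigitalSignature", "KeyAgreement", "KeyEncipherment"}

// buildPayload models a client writing the role. With omitEmpty=true an empty
// list is treated like "unset" and dropped from the request (assumed behaviour).
func buildPayload(keyUsage []string, omitEmpty bool) map[string]interface{} {
	p := map[string]interface{}{"key_type": "ec", "key_bits": 256}
	if len(keyUsage) > 0 || !omitEmpty {
		p["key_usage"] = append([]string{}, keyUsage...)
	}
	return p
}

// serverStore models the server side: an absent field gets the default,
// an explicit empty list is stored as "no key usage constraints".
func serverStore(p map[string]interface{}) []string {
	if v, ok := p["key_usage"].([]string); ok {
		return v
	}
	return vaultDefaultKeyUsage
}

// planDiff lists the stored values a plan would remove to reach the configuration.
func planDiff(configured, stored []string) []string {
	want := map[string]bool{}
	for _, u := range configured {
		want[u] = true
	}
	removed := []string{}
	for _, u := range stored {
		if !want[u] {
			removed = append(removed, u)
		}
	}
	return removed
}

func main() {
	cfg := []string{} // key_usage = [] from the configuration above
	for _, omit := range []bool{true, false} {
		stored := serverStore(buildPayload(cfg, omit))
		fmt.Printf("omitEmpty=%v stored=%v plan removes=%v\n", omit, stored, planDiff(cfg, stored))
	}
}
```

Every apply with `omitEmpty=true` repeats the same write, so the removal shows up in each subsequent plan; sending the explicit empty list is what makes the diff converge in this model.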