terraform-provider-vault
[Bug]: Vault_Azure_Backend_Role Fails on every apply even when no changes are made due to expecting role_name
Terraform Core Version
1.5.0
Terraform Vault Provider Version
3.18.0
Vault Server Version
Vault 1.14.1+ent
Affected Resource(s)
The following resource is the issue vault_azure_secret_backend_role.
We are currently trying to create a new azure backend role so that we can generate dynamic secrets. On the first apply it will successfully create the role.
However, when we run a plan and apply a second time, it thinks there is a change to the backend_role and then it tries to create a new role; however, it gives us the following error:
Error: must specify at most one of 'role_name' or 'role_id'
We are currently running terraform version 1.5.0 and version 3.18.0 of the vault provider.
Expected Behavior
I would be expecting there to be no role recreated. There should be no changes which need to be made to this role as it already exists?
Actual Behavior
It is trying to create the backend role again, but internally it is saying there is no role name or role id assigned; however, if you see via the screenshot, these values are assigned.
I also checked the state file when this is running, and I can also see that the state contains both a role_id and role_name.
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Resource Block Being used in the code:
resource "vault_azure_secret_backend_role" "azure_dynamic_spn" {
  backend            = "azure"
  role               = local.playpen_name
  ttl                = "720h"
  max_ttl            = "800h"
  permanently_delete = true

  azure_roles {
    role_name = "Owner"
    scope     = "/subscriptions/${module.azurerm_subscription.subscription_id}/"
  }

  depends_on = [module.azurerm_subscription]
}
Steps to Reproduce
You should try to create a vault_azure_backend_secret_role using tf version 1.5 and vault provider version 3.18.0.
Run a terraform plan and apply first, and let it create the role. Then run another plan and apply after the first has succeeded. Do not run any destroys; it has to be subsequent plans and applies.
Debug Output
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
I have noticed that there are no tests which are actually running for the azure_secret_backend_role, e.g. as you can see here: https://github.com/hashicorp/terraform-provider-vault/actions/runs/6028652164/job/16356445593#step:8:1150. This test gets skipped because the subscription id is set to null due to there being no subscription obtained from the environmental vars.
The test is seen here: https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_azure_secret_backend_role_test.go#L21. Is it possible that this issue is being escaped due to the fact that it is not being tested, so it is assumed to be working?
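A check for the condition this report describes: state holding both `role_name` and `role_id` for one `azure_roles` entry, while the error text allows at most one of them. This is an added example, not code from the report or from the provider; it assumes the state is exported with `terraform show -json`, and the sample state and every ID in it are constructed placeholders.

```python
import json
import sys

# Constructed sample shaped like `terraform show -json` output; every ID is a
# placeholder, not a value from the report.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_ID = SUB + "/providers/Microsoft.Authorization/roleDefinitions/EXAMPLE"
ADDR = "module.playpen_basic_azure.vault_azure_secret_backend_role.azure_dynamic_spn"
SAMPLE_STATE = {"values": {"root_module": {"child_modules": [{
    "address": "module.playpen_basic_azure",
    "resources": [
        {"address": ADDR, "type": "vault_azure_secret_backend_role",
         "values": {"backend": "azure", "role": "playpen-example", "azure_roles": [
             {"role_name": "Owner", "role_id": ROLE_ID, "scope": SUB}]}},
        {"address": "module.playpen_basic_azure.vault_mount.kv",
         "type": "vault_mount", "values": {"path": "kv"}},
    ],
}]}}}


def iter_resources(module):
    """Yield resources of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def conflicting_azure_roles(show_json):
    """List azure_roles entries that carry both role_name and role_id."""
    findings = []
    root = show_json.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "vault_azure_secret_backend_role":
            continue
        for i, entry in enumerate(res.get("values", {}).get("azure_roles") or []):
            name, role_id = entry.get("role_name"), entry.get("role_id")
            if name and role_id:  # empty string or null counts as unset
                findings.append((res["address"], i, name, role_id))
    return findings


if __name__ == "__main__":
    # With a path argument, read saved `terraform show -json` output instead.
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    for addr, i, name, role_id in conflicting_azure_roles(state):
        print(f"{addr} azure_roles[{i}]: role_name={name!r} role_id={role_id!r}")
```

Each finding is an entry where the configuration set one identifier and the state holds two, which is the combination the "at most one of" error message rejects.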