hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

This is a bug in the provider, which should be reported in the provider's own issue tracker. With provider[\"registry.terraform.io/hashicorp/vault\"] #1974

Open juansapr opened 1 year ago

juansapr commented 1 year ago

Hi there,

I am opening this ticket because I am doing a complex Terraform setup where I have a Kubernetes cluster in AWS, and from there I need to read some Kubernetes secrets, and with those I can connect to a Vault to then create a new key in the Vault. The problem is that today I started getting the following error:

╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to module.iam_vault.vault_generic_secret.aws_s3_bucket, provider "provider[\"registry.terraform.io/hashicorp/vault\"]"
│ produced an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Terraform version and provider versions

Terraform v1.5.5 on darwin_amd64

Terraform Provider Files

provider "aws" {
  region  = var.region
  #  version = "~> 3.74.0"
  default_tags {
    tags = {
      Org   = "<Org>"
      Group = "<group>"
      Team  = "<team>"
      Stack = "<stack>"
    }
  }
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
  exec {
    api_version = var.kubecfg_client_apiversion
    args        = ["eks", "get-token", "--cluster-name", var.eks_cluster_name]
    command     = "aws"
  }
}

provider "vault" {
  address          = data.kubernetes_secret.kubernetes_vault.data.url
  skip_child_token = true
  auth_login {
    path      = "auth/approle/login"
    namespace = data.kubernetes_secret.kubernetes_vault.data.namespace
    parameters = {
      role_id   = data.kubernetes_secret.kubernetes_vault.data.role_id
      secret_id = data.kubernetes_secret.kubernetes_vault.data.secret_id
    }
  }
}

IAM-vault/main.tf

resource "vault_generic_secret" "aws_s3_bucket" {
  data_json = <<EOT
{
  "aws_iam_access_key": "${var.aws_iam_access_key}",
  "aws_iam_secret_access_key": "${var.aws_iam_access_secret_key}",
  "s3_bucket_arn": "${var.s3_bucket_arn}",
  "s3_bucket_region": "${var.s3_bucket_region}",
  "s3_bucket_id": "${var.s3_bucket_id}"
}
EOT
  path      = "${var.vault_rootdir}/aws_s3_bucket_${var.env}"
#  namespace = var.vault_namespace
}

How to reproduce

terraform apply

Expected Behavior

I expect that I can apply the Terraform plan and it will create a new key in the Vault and not show any errors.

Actual Behavior

So when I tried to apply the plan, the Vault login succeeded, but the problem happened when I tried to create a key.

Feyd-Rauth commented 3 weeks ago

Maybe your token does not have read permissions? I've had a similar issue.
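Following up on the permissions hint above, here is an added example (not code from this issue or from the provider project) showing a write-only Vault policy next to a corrected one. `vault_generic_secret` reads the secret back after each write unless `disable_read = true`, and it clears the resource from state when that read returns no secret, so the AppRole token needs `read` on the path as well. The mount, role name and the `vault_rootdir`/`env` values are assumed placeholders.

```hcl
# Assumed values standing in for the reporter's variables; a KV v1 mount is assumed.
variable "vault_rootdir" { default = "secret/iam" }
variable "env"           { default = "dev" }

# Weak policy: the token can write the secret but never read it back.
# The provider's post-write read then cannot see what it just created.
resource "vault_policy" "terraform_write_only" {
  name   = "terraform-write-only"
  policy = <<-EOT
    path "${var.vault_rootdir}/*" {
      capabilities = ["create", "update"]
    }
  EOT
}

# Corrected policy: "read" is needed for the read-back after apply and for
# refresh, "delete" for terraform destroy. Still scoped to the one prefix
# Terraform manages rather than the whole mount.
# On a KV v2 mount the policy path must include the "data/" segment,
# e.g. "secret/data/iam/*", matching the path the resource writes to.
resource "vault_policy" "terraform_iam_secrets" {
  name   = "terraform-iam-secrets"
  policy = <<-EOT
    path "${var.vault_rootdir}/*" {
      capabilities = ["create", "read", "update", "delete"]
    }
  EOT
}

# The AppRole that provider "vault" { auth_login { ... } } logs in with must
# be issued tokens carrying the corrected policy (role name assumed).
resource "vault_approle_auth_backend_role" "terraform_iam" {
  backend        = "approle"
  role_name      = "terraform-iam"
  token_policies = [vault_policy.terraform_iam_secrets.name]
}

# Same shape as the reporter's resource; the data is constructed sample data.
resource "vault_generic_secret" "aws_s3_bucket" {
  path      = "${var.vault_rootdir}/aws_s3_bucket_${var.env}"
  data_json = jsonencode({ s3_bucket_id = "example-bucket" })
}
```

If the token can only be granted write access, setting `disable_read = true` on `vault_generic_secret` skips the read-back, at the cost of Terraform no longer detecting drift in the stored secret.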