hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: vault_jwt_auth_backend tune block always updates unless config matches Vault server defaults #2234

Open crusstu opened 4 months ago

crusstu commented 4 months ago

Terraform Core Version

1.7.5

Terraform Vault Provider Version

4.2.0

Vault Server Version

1.15.7+ent

Affected Resource(s)

Expected Behavior

There should be no changes reported by Terraform if the configured tune block parameters have not changed.

Actual Behavior

Terraform always reports that the vault_jwt_auth_backend resource will be updated in-place unless all of the tune parameters (default_lease_ttl, max_lease_ttl, and token_type are currently the only ones with default values) match the defaults (I'm assuming as reported by the target Vault server, rather than defaults set within the provider code). This includes when the tune block exists but has no attributes configured (as none of the attributes are required).

Relevant Error/Panic Output Snippet

$ terraform apply -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_jwt_auth_backend.jwt_backend will be created
  + resource "vault_jwt_auth_backend" "jwt_backend" {
      + accessor           = (known after apply)
      + bound_issuer       = "https://token.actions.githubusercontent.com"
      + disable_remount    = false
      + id                 = (known after apply)
      + local              = false
      + namespace_in_state = true
      + oidc_discovery_url = "https://token.actions.githubusercontent.com"
      + path               = "jwt-test"
      + tune               = [
          + {
              + allowed_response_headers     = []
              + audit_non_hmac_request_keys  = []
              + audit_non_hmac_response_keys = []
              + default_lease_ttl            = ""
              + listing_visibility           = ""
              + max_lease_ttl                = ""
              + passthrough_request_headers  = []
              + token_type                   = "default-service"
            },
        ]
      + type               = "jwt"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
vault_jwt_auth_backend.jwt_backend: Creating...
vault_jwt_auth_backend.jwt_backend: Creation complete after 1s [id=jwt-test]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

$ terraform apply -auto-approve
vault_jwt_auth_backend.jwt_backend: Refreshing state... [id=jwt-test]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # vault_jwt_auth_backend.jwt_backend will be updated in-place
  ~ resource "vault_jwt_auth_backend" "jwt_backend" {
        id                     = "jwt-test"
      ~ tune                   = [
          - {
              - allowed_response_headers     = []
              - audit_non_hmac_request_keys  = []
              - audit_non_hmac_response_keys = []
              - default_lease_ttl            = "768h"
              - listing_visibility           = ""
              - max_lease_ttl                = "768h"
              - passthrough_request_headers  = []
              - token_type                   = "default-service"
            },
          + {
              + allowed_response_headers     = []
              + audit_non_hmac_request_keys  = []
              + audit_non_hmac_response_keys = []
              + default_lease_ttl            = ""
              + listing_visibility           = ""
              + max_lease_ttl                = ""
              + passthrough_request_headers  = []
              + token_type                   = "default-service"
            },
        ]
        # (12 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
vault_jwt_auth_backend.jwt_backend: Modifying... [id=jwt-test]
vault_jwt_auth_backend.jwt_backend: Modifications complete after 0s [id=jwt-test]

Terraform Configuration Files

Sample configuration that always produces an update in-place operation:

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "= 4.2.0"
    }
  }
  required_version = ">= 1.7.0"
}

resource "vault_jwt_auth_backend" "jwt_backend" {
  path = "jwt-test"
  type = "jwt"

  bound_issuer       = "https://token.actions.githubusercontent.com"
  oidc_discovery_url = "https://token.actions.githubusercontent.com"

  tune {
    token_type = "default-service"
  }
}

Sample configuration that reports "No changes" (I assume the values for default_lease_ttl, and max_lease_ttl would need to be different if there were different global default values configured for the Vault server):

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "= 4.2.0"
    }
  }
  required_version = ">= 1.7.0"
}

resource "vault_jwt_auth_backend" "jwt_backend" {
  path = "jwt-test"
  type = "jwt"

  bound_issuer       = "https://token.actions.githubusercontent.com"
  oidc_discovery_url = "https://token.actions.githubusercontent.com"

  tune {
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
    token_type        = "default-service"
  }
}

Steps to Reproduce

  1. Apply the first Terraform code above to provision the JWT auth backend with terraform apply
  2. Re-apply the same Terraform code with terraform apply
  3. Note Terraform reports 1 resource to change when there should be no changes to the infrastructure necessary because the Terraform code has not changed

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Possibly related to https://github.com/hashicorp/terraform-provider-vault/issues/1172 ? Unclear if the behaviour reported in that issue with the provider_config block for OIDC is using the same provider machinery for this issue with the tune block.

Would you like to implement a fix?

None
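The always-update plan in this report comes down to how the configured tune block is compared with what the mount's tune endpoint reports after the first apply. The Go program below is an added example, not the provider's own code and not the reporter's configuration: it models the two comparison strategies for the three attributes the issue names. A literal comparison reproduces the spurious diff (an unset `""` attribute can never equal the server-populated `768h`), while a comparison that treats an unset attribute as "not managed by this config" and normalises TTLs before comparing produces the "No changes" result the reporter expects, without hiding a real change. Assumptions, which are mine and not taken from the page: the tune endpoint returns TTLs as an integer number of seconds (as `vault read sys/auth/<path>/tune` does) while configuration uses duration strings such as `768h`; only `h`/`m`/`s` suffixes are handled; the helpers `ttlSeconds`, `naiveDiff` and `suppressedDiff` are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// mountTune models the three tune attributes the issue is about, with values
// kept as the strings Terraform shows in its plan ("768h", "", "default-service").
type mountTune struct {
	DefaultLeaseTTL string // default_lease_ttl
	MaxLeaseTTL     string // max_lease_ttl
	TokenType       string // token_type
}

// ttlSeconds normalises a TTL written as a duration in configuration ("768h")
// or as the integer number of seconds the tune endpoint returns ("2764800")
// so that the two forms compare equal. "" means "not set".
// Assumption: only h/m/s suffixes occur; Vault's "d" suffix is not handled here.
func ttlSeconds(v string) (int64, error) {
	if v == "" {
		return 0, nil
	}
	if n, err := strconv.ParseInt(v, 10, 64); err == nil {
		return n, nil
	}
	d, err := time.ParseDuration(v)
	if err != nil {
		return 0, fmt.Errorf("invalid ttl %q: %w", v, err)
	}
	return int64(d.Seconds()), nil
}

// naiveDiff compares every attribute literally. An unset ("") configured value
// can never equal the server-populated value, which is the always-update
// behaviour the issue reports.
func naiveDiff(cfg, actual mountTune) []string {
	var changed []string
	if cfg.DefaultLeaseTTL != actual.DefaultLeaseTTL {
		changed = append(changed, "default_lease_ttl")
	}
	if cfg.MaxLeaseTTL != actual.MaxLeaseTTL {
		changed = append(changed, "max_lease_ttl")
	}
	if cfg.TokenType != actual.TokenType {
		changed = append(changed, "token_type")
	}
	return changed
}

// suppressedDiff is the comparison the reporter expects: an unset configured
// value means "leave whatever the server has", and TTLs are compared after
// normalisation so "768h" and "2764800" are recognised as the same setting.
// A configured value that really differs from the server is still reported.
func suppressedDiff(cfg, actual mountTune) ([]string, error) {
	var changed []string
	ttlChanged := func(want, have string) (bool, error) {
		if want == "" {
			return false, nil // not managed by this config: suppress the diff
		}
		w, err := ttlSeconds(want)
		if err != nil {
			return false, err
		}
		h, err := ttlSeconds(have)
		if err != nil {
			return false, err
		}
		return w != h, nil
	}
	for _, f := range []struct{ name, want, have string }{
		{"default_lease_ttl", cfg.DefaultLeaseTTL, actual.DefaultLeaseTTL},
		{"max_lease_ttl", cfg.MaxLeaseTTL, actual.MaxLeaseTTL},
	} {
		c, err := ttlChanged(f.want, f.have)
		if err != nil {
			return nil, err
		}
		if c {
			changed = append(changed, f.name)
		}
	}
	if cfg.TokenType != "" && cfg.TokenType != actual.TokenType {
		changed = append(changed, "token_type")
	}
	return changed, nil
}

func main() {
	// Constructed inputs mirroring the report: the config sets only token_type,
	// and after the first apply the server reports its 768h (2764800s) defaults.
	cfg := mountTune{TokenType: "default-service"}
	actual := mountTune{DefaultLeaseTTL: "2764800", MaxLeaseTTL: "2764800", TokenType: "default-service"}

	fmt.Println("naive:", naiveDiff(cfg, actual)) // [default_lease_ttl max_lease_ttl]
	d, err := suppressedDiff(cfg, actual)
	fmt.Println("suppressed:", d, err) // [] <nil>
}
```

The second strategy is what a `DiffSuppressFunc` or a "use server default when unset" read path would give the provider; the important property, checked in the test below, is that an explicit `768h` still matches the server's seconds value and an explicit `1h` against a server `768h` is still planned as a change.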