Expected Behavior
There should be no changes reported by Terraform if the configured tune block parameters have not changed.
Actual Behavior
Terraform always reports that the vault_jwt_auth_backend resource will be updated in-place unless all of the tune parameters (default_lease_ttl, max_lease_ttl, and token_type are currently the only ones with default values) match the defaults (I'm assuming as reported by the target Vault server, rather than defaults set within the provider code). This includes when the tune block exists but has no attributes configured (as none of the attributes are required).
Relevant Error/Panic Output Snippet
$ terraform apply -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_jwt_auth_backend.jwt_backend will be created
  + resource "vault_jwt_auth_backend" "jwt_backend" {
      + accessor           = (known after apply)
      + bound_issuer       = "https://token.actions.githubusercontent.com"
      + disable_remount    = false
      + id                 = (known after apply)
      + local              = false
      + namespace_in_state = true
      + oidc_discovery_url = "https://token.actions.githubusercontent.com"
      + path               = "jwt-test"
      + tune               = [
          + {
              + allowed_response_headers     = []
              + audit_non_hmac_request_keys  = []
              + audit_non_hmac_response_keys = []
              + default_lease_ttl            = ""
              + listing_visibility           = ""
              + max_lease_ttl                = ""
              + passthrough_request_headers  = []
              + token_type                   = "default-service"
            },
        ]
      + type               = "jwt"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
vault_jwt_auth_backend.jwt_backend: Creating...
vault_jwt_auth_backend.jwt_backend: Creation complete after 1s [id=jwt-test]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

$ terraform apply -auto-approve
vault_jwt_auth_backend.jwt_backend: Refreshing state... [id=jwt-test]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # vault_jwt_auth_backend.jwt_backend will be updated in-place
  ~ resource "vault_jwt_auth_backend" "jwt_backend" {
        id                 = "jwt-test"
      ~ tune               = [
          - {
              - allowed_response_headers     = []
              - audit_non_hmac_request_keys  = []
              - audit_non_hmac_response_keys = []
              - default_lease_ttl            = "768h"
              - listing_visibility           = ""
              - max_lease_ttl                = "768h"
              - passthrough_request_headers  = []
              - token_type                   = "default-service"
            },
          + {
              + allowed_response_headers     = []
              + audit_non_hmac_request_keys  = []
              + audit_non_hmac_response_keys = []
              + default_lease_ttl            = ""
              + listing_visibility           = ""
              + max_lease_ttl                = ""
              + passthrough_request_headers  = []
              + token_type                   = "default-service"
            },
        ]
        # (12 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
vault_jwt_auth_backend.jwt_backend: Modifying... [id=jwt-test]
vault_jwt_auth_backend.jwt_backend: Modifications complete after 0s [id=jwt-test]
Terraform Configuration Files
Sample configuration that always produces an update in-place operation:
Sample configuration that reports "No changes" (I assume the values for default_lease_ttl and max_lease_ttl would need to be different if there were different global default values configured for the Vault server):
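The two configurations referred to above were not captured in this copy of the issue. As an added illustration, not the reporter's files, the following two resources are reconstructed from the attribute values visible in the plan output: the first keeps an empty tune block and reproduces the perpetual update in-place, the second pins the tune values to what this particular server reports after refresh (768h for both TTLs, default-service for token_type). The second resource's name and path are placeholders chosen here so both can sit in one configuration.

```hcl
# Added reconstruction, not the reporter's configuration. Values for path,
# bound_issuer and oidc_discovery_url are taken from the plan output above.

# 1. Always plans an "update in-place": the tune block exists but sets no
#    attributes, so the provider plans default_lease_ttl = "" and
#    max_lease_ttl = "" against the "768h" the Vault server returns on refresh.
resource "vault_jwt_auth_backend" "jwt_backend" {
  path               = "jwt-test"
  oidc_discovery_url = "https://token.actions.githubusercontent.com"
  bound_issuer       = "https://token.actions.githubusercontent.com"

  tune {}
}

# 2. Reports "No changes" on the second apply: every tune attribute that has a
#    server-side default is pinned to the value this server reports. A server
#    with different global defaults would need different TTL values here.
#    Resource name and path are placeholders for this example only.
resource "vault_jwt_auth_backend" "jwt_backend_pinned" {
  path               = "jwt-test-pinned"
  oidc_discovery_url = "https://token.actions.githubusercontent.com"
  bound_issuer       = "https://token.actions.githubusercontent.com"

  tune {
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
    token_type        = "default-service"
  }
}
```

Running terraform apply twice against the first resource shows the tune diff on every run, while the second resource settles after one apply; confirm the pinned TTLs against your own server's defaults before copying them.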
Terraform Core Version
1.7.5
Terraform Vault Provider Version
4.2.0
Vault Server Version
1.15.7+ent
Affected Resource(s)
Steps to Reproduce
terraform apply
terraform apply
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
Possibly related to https://github.com/hashicorp/terraform-provider-vault/issues/1172? Unclear if the behaviour reported in that issue with the provider_config block for OIDC is using the same provider machinery for this issue with the tune block.
Would you like to implement a fix?
None