hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

pki.vault_pki_secret_backend_role is not idempotent, updates key_usage every run #748

Closed ghost closed 2 years ago

ghost commented 4 years ago

This issue was originally opened by @spuder as hashicorp/terraform#24837. It was migrated here as a result of the provider split. The original body of the issue is below.


Problem

The vault_pki_secret_backend_role resource is not idempotent because every time I do terraform apply it attempts to update these values.

      ~ key_usage                          = [
          - "DigitalSignature",
          - "KeyAgreement",
          - "KeyEncipherment",
        ]

Terraform Version

Terraform v0.12.24
+ provider.vault v2.1.0

Terraform Configuration Files

resource "vault_pki_secret_backend" "consul" {
  path = "consul"
  description = "Root CA used to sign *.service.<dc>-<env>.consul certs. Expires May 2023"
  max_lease_ttl_seconds = 94608000 # 3 years
}

resource "vault_pki_secret_backend_config_urls" "config_urls" {
  backend              = vault_pki_secret_backend.consul.path
  issuing_certificates = ["http://127.0.0.1:8200/v1/pki/ca"]
  crl_distribution_points = ["http://127.0.0.1:8200/v1/pki/crl"]
}

resource "vault_pki_secret_backend_role" "consul" {
  backend = vault_pki_secret_backend.consul.path
  name    = "dev.consul"
  allowed_domains = [
    "dev.consul",
    "*.dev.consul"
  ]
  allow_subdomains = true
  allow_bare_domains = true
  allowed_other_sans = []
}

Debug Output

 # module.pki.vault_pki_secret_backend_role.consul will be updated in-place
  ~ resource "vault_pki_secret_backend_role" "consul" {
        allow_any_name                     = false
        allow_bare_domains                 = true
        allow_glob_domains                 = false
        allow_ip_sans                      = true
        allow_localhost                    = true
        allow_subdomains                   = true
        allowed_domains                    = [
            "sb-sand.consul",
            "*.sb-sand.consul",
        ]
        allowed_other_sans                 = []
        allowed_uri_sans                   = []
        backend                            = "consul"
        basic_constraints_valid_for_non_ca = false
        client_flag                        = true
        code_signing_flag                  = false
        country                            = []
        email_protection_flag              = false
        enforce_hostnames                  = true
        ext_key_usage                      = []
        generate_lease                     = false
        id                                 = "consul/roles/dev.consul"
        key_bits                           = 2048
        key_type                           = "rsa"
      ~ key_usage                          = [
          - "DigitalSignature",
          - "KeyAgreement",
          - "KeyEncipherment",
        ]
        locality                           = []
        max_ttl                            = "0"
        name                               = "dev.consul"
        no_store                           = false
        organization                       = []
        ou                                 = []
        policy_identifiers                 = []
        postal_code                        = []
        province                           = []
        require_cn                         = true
        server_flag                        = true
        street_address                     = []
        ttl                                = "0"
        use_csr_common_name                = true
        use_csr_sans                       = true
    }
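Editor's note: the three values the plan above keeps trying to remove are the documented default key_usage for a Vault PKI role. A workaround that makes the plan converge is to declare that list explicitly, so Terraform has a configured value to compare against what Vault reports instead of treating the attribute as unset. The configuration below is an added example, not the reporter's original config and not code from the provider; it assumes the role is meant to keep Vault's default key usage.

```hcl
# Added example (not from the issue reporter or the provider).
# Assumption: the role should keep Vault's default key usage for PKI roles,
# which is exactly the set the plan wants to drop. Declaring it explicitly
# gives Terraform a value to diff against, so repeated plans stay clean.

resource "vault_pki_secret_backend" "consul" {
  path                  = "consul"
  description           = "Root CA used to sign *.service.<dc>-<env>.consul certs. Expires May 2023"
  max_lease_ttl_seconds = 94608000 # 3 years
}

resource "vault_pki_secret_backend_role" "consul" {
  backend = vault_pki_secret_backend.consul.path
  name    = "dev.consul"

  allowed_domains = [
    "dev.consul",
    "*.dev.consul",
  ]
  allow_subdomains   = true
  allow_bare_domains = true
  allowed_other_sans = []

  # Pin the key usage rather than leaving it unset. These are Vault's
  # defaults for a PKI role; writing them down also makes the intended
  # key usage of issued certificates reviewable in code.
  key_usage = [
    "DigitalSignature",
    "KeyAgreement",
    "KeyEncipherment",
  ]
}
```

After one apply with key_usage pinned, a following terraform plan should report no changes for the role. Accepting the proposed removal instead is not a fix: an empty key_usage list tells Vault to issue certificates without key usage constraints, which changes what the role hands out rather than just silencing the diff.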
Andor commented 4 years ago

https://github.com/terraform-providers/terraform-provider-vault/issues/365