[Bug]: Breaking change in 4.5.0 version of provider #2425

Open
vonsch opened this issue Mar 7, 2025 · 0 comments
vonsch commented Mar 7, 2025

Terraform Core Version

1.10.5

Terraform Vault Provider Version

4.6.0

Vault Server Version

1.15

Affected Resource(s)

vault_approle_auth_backend_role_secret_id

Expected Behavior

After upgrading the provider from version 4.4.0 to 4.6.0, Terraform won't force-recreate our vault_approle_auth_backend_role_secret_id resources.

Actual Behavior

We upgraded the Terraform provider from version 4.4.0 to 4.6.0, and this caused all of our vault_approle_auth_backend_role_secret_id resources to be recreated. This is actually bad, because it causes the AppRole secrets to be recreated and our systems lose access to Vault. Seems to be caused by #2345

Our plans show (example):

14:22:54.486 STDOUT terraform:   # module.i-etcd.vault_approle_auth_backend_role_secret_id.this["etcd01"] must be replaced
14:22:54.486 STDOUT terraform: -/+ resource "vault_approle_auth_backend_role_secret_id" "this" {
14:22:54.486 STDOUT terraform:       ~ accessor          = "458c59af-20e6-d671-6aa1-c5ae99f15782" -> (known after apply)
14:22:54.486 STDOUT terraform:       - cidr_list         = [] -> null
14:22:54.486 STDOUT terraform:       ~ id                = "backend=approle::role=XXXX::accessor=458c59af-20e6-d671-6aa1-c5ae99f15782" -> (known after apply)
14:22:54.486 STDOUT terraform:       - metadata          = jsonencode({})
14:22:54.486 STDOUT terraform:       - num_uses          = 0 -> null
14:22:54.486 STDOUT terraform:       ~ secret_id         = (sensitive value)
14:22:54.487 STDOUT terraform:       - ttl               = 31536000 -> null # forces replacement
14:22:54.487 STDOUT terraform:       + wrapping_accessor = (known after apply)
14:22:54.487 STDOUT terraform:       + wrapping_token    = (sensitive value)
14:22:54.487 STDOUT terraform:         # (2 unchanged attributes hidden)

Relevant Error/Panic Output Snippet

Terraform Configuration Files

resource "vault_approle_auth_backend_role_secret_id" "this" {
  for_each = length(var.vault_approle) > 0 ? local.hostnames : toset([])

  backend   = "approle"
  role_name = var.vault_approle
  secret_id = try(var.vault_approle_secret_id_map[each.value], null)
}

Steps to Reproduce

  1. Create vault_approle_auth_backend_role_secret_id with params like above, using provider 4.4.0 or older
  2. Upgrade provider to 4.5.0 or newer
  3. Try plan/apply
  4. Watch how your resources are being recreated

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@vonsch vonsch added the bug label Mar 7, 2025
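
An added example, not part of the issue or the provider's code: a pre-apply check that reads the JSON form of a saved plan (`terraform show -json`) and flags every `vault_approle_auth_backend_role_secret_id` the plan would replace, along with the attribute that forces it (`ttl` in the plan output above). The sample plan is constructed, and the function and constant names are hypothetical.

```python
import json
import sys

# Resource types whose replacement rotates a credential that running systems depend on.
GUARDED_TYPES = {"vault_approle_auth_backend_role_secret_id"}

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# modelled on the plan excerpt in the issue (addresses and values are illustrative).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'module.i-etcd.vault_approle_auth_backend_role_secret_id.this["etcd01"]',
            "type": "vault_approle_auth_backend_role_secret_id",
            "change": {"actions": ["delete", "create"], "replace_paths": [["ttl"]]},
        },
        {
            "address": 'module.i-etcd.vault_approle_auth_backend_role_secret_id.this["etcd02"]',
            "type": "vault_approle_auth_backend_role_secret_id",
            "change": {"actions": ["no-op"]},
        },
    ],
})


def find_forced_replacements(plan_json, guarded_types=GUARDED_TYPES):
    """Return (address, [attribute paths forcing replacement]) for guarded resources."""
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in guarded_types:
            continue
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        # A replacement is reported as ["delete", "create"] or ["create", "delete"].
        if {"delete", "create"} <= actions:
            paths = [".".join(str(p) for p in path) for path in change.get("replace_paths", [])]
            hits.append((rc["address"], paths))
    return hits


if __name__ == "__main__":
    # Usage: terraform show -json plan.out | python guard.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_PLAN
    found = find_forced_replacements(text)
    for address, paths in found:
        print(f"BLOCK: {address} would be replaced (forced by: {', '.join(paths) or 'unknown'})")
    sys.exit(1 if found else 0)
```

Run as a CI step between `plan` and `apply`, the non-zero exit stops a provider upgrade from silently rotating secret IDs.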