use_token_groups changed to false in vault_ldap_auth_backend is not applied

[dr4Ke]

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Terraform v0.12.20
+ provider.vault v2.7.1

Affected Resource(s)

Please list the resources as a list, for example:

• vault_ldap_auth_backend

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "vault_ldap_auth_backend" "ldap" {
  description = "LDAP authentication"
  url = "ldap://ldapserver"
  starttls = false
  binddn = "cn=user,ou=userou,dc=domain,dc=local"
  bindpass = "PASSWORD"
  userdn = "cn=user,ou=userou,dc=domain,dc=local"
  userattr = "sAMAccountName"
  upndomain = ""
  groupdn = "dc=domain,dc=local"
  groupfilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
  groupattr = ""
  use_token_groups = true # (once, then false)
}

Debug Output

Please provider a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

https://gist.github.com/dr4Ke/eb4a6ddc93bfe672637768ca5ae13fc5

Panic Output

Nope

Expected Behavior

The first execution, with use_token_groups = true creates the vault_ldap_auth_backend.ldap resource.

Then a second execution with use_token_groups = false should update the resource with this new value.

Actual Behavior

The use_token_groups doesn't change to false after it has been set to true.

When creating the resource with use_token_groups = false in the first place, it's working. It's only once this value was set to true that it cannot be toggled back to false.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

Are there anything atypical about your accounts that we should know?
No.

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
No, I didn't find related issues.

[dr4Ke]

When checking the result, terraform warns about an inexpected value:

2020-01-27T16:08:16.223+0100 [DEBUG] plugin.terraform-provider-vault_v2.7.1_x4: 2020/01/27 16:08:16 [DEBUG] Read LDAP auth backend config "auth/ldap/config"
2020/01/27 16:08:16 [WARN] Provider "registry.terraform.io/-/vault" produced an unexpected new value for vault_ldap_auth_backend.ldap, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .use_token_groups: was cty.False, but now cty.True