
vault_kubernetes_auth_backend_role audience field cannot be unset #868

Closed
viktorradnai opened this issue Sep 22, 2020 · 2 comments · Fixed by #1022

Comments

@viktorradnai

viktorradnai commented Sep 22, 2020

Hi there,

Terraform Version

0.12.29

Affected Resource(s)

  • vault_kubernetes_auth_backend_role

Expected Behavior

When I remove the audience property from the resource, it should be unset from the actual Vault role as well.

Actual Behavior

When I remove the audience property, it remains set on the Vault role. The only way to remove it is to taint the role, forcing it to be recreated without the audience setting.

Steps to Reproduce

  1. Create resource:

     ```hcl
     resource "vault_auth_backend" "kubernetes" {
       type = "kubernetes"
     }

     resource "vault_kubernetes_auth_backend_role" "example" {
       backend                          = vault_auth_backend.kubernetes.path
       role_name                        = "example"
       bound_service_account_names      = ["example"]
       bound_service_account_namespaces = ["example"]
       token_ttl                        = 3600
       token_policies                   = ["example"]
       audience                         = "vault"
     }
     ```

  2. `terraform apply`

  3. Verify result:

     ```
     vault read auth/kubernetes/role/example
     Key                                 Value
     ---                                 -----
     audience                            vault
     bound_service_account_names         [example]
     bound_service_account_namespaces    [example]
     token_bound_cidrs                   []
     token_explicit_max_ttl              0s
     token_max_ttl                       0s
     token_no_default_policy             false
     token_num_uses                      0
     token_period                        0s
     token_policies                      [example]
     token_ttl                           1h
     token_type                          default
     ```

  4. Remove the `audience = "vault"` line and `terraform apply`:

     ```
     Terraform will perform the following actions:

       # vault_kubernetes_auth_backend_role.reader will be updated in-place
       ~ resource "vault_kubernetes_auth_backend_role" "example" {
           - audience                         = "vault" -> null
             backend                          = "kubernetes"
             bound_service_account_names      = [
                 "example",
             ]
             bound_service_account_namespaces = [
                 "example",
             ]
             id                               = "auth/kubernetes/role/example"
             role_name                        = "example"
             token_bound_cidrs                = []
             token_explicit_max_ttl           = 0
             token_max_ttl                    = 0
             token_no_default_policy          = false
             token_num_uses                   = 0
             token_period                     = 0
             token_policies                   = [
                 "read",
             ]
             token_ttl                        = 3600
             token_type                       = "default"
         }
     ```

  5. Verify result and note that the `audience vault` line remains:

     ```
     vault read auth/kubernetes/role/example
     Key                                 Value
     ---                                 -----
     audience                            vault
     bound_service_account_names         [example]
     bound_service_account_namespaces    [example]
     token_bound_cidrs                   []
     token_explicit_max_ttl              0s
     token_max_ttl                       0s
     token_no_default_policy             false
     token_num_uses                      0
     token_period                        0s
     token_policies                      [example]
     token_ttl                           1h
     token_type                          default
     ```
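The behaviour in the steps above, replayed as an added Go example; this is not code from terraform-provider-vault or from this issue. The provider's real update code is not shown on the page, so the example assumes the usual cause of this class of bug: an update that only writes the `audience` key when it is non-empty, sent to a backend that merges the keys it receives and leaves every other key as it was. It shows that builder beside an always-send variant and ends with the post-apply comparison the reporter did by hand with `vault read`. Every type and function here (`RoleConfig`, `Payload`, `FakeRole`, `Scenario`, the two builders) is hypothetical.

```go
package main

import "fmt"

// RoleConfig is the desired state as declared in the Terraform resource.
// Constructed stand-in for the provider's schema, not its real type.
type RoleConfig struct {
	BoundServiceAccountNames      []string
	BoundServiceAccountNamespaces []string
	TokenTTL                      int
	TokenPolicies                 []string
	Audience                      string // "" means the argument was removed from HCL
}

// Payload is the set of keys one update sends to the role endpoint.
type Payload map[string]interface{}

// base holds the keys both builders always send.
func base(c RoleConfig) Payload {
	return Payload{
		"bound_service_account_names":      c.BoundServiceAccountNames,
		"bound_service_account_namespaces": c.BoundServiceAccountNamespaces,
		"token_ttl":                        c.TokenTTL,
		"token_policies":                   c.TokenPolicies,
	}
}

// BuildPayloadOmitEmpty is the pattern assumed to cause the reported
// behaviour: audience is only written when non-empty, so removing it from
// the configuration sends the backend no instruction to clear it.
func BuildPayloadOmitEmpty(c RoleConfig) Payload {
	p := base(c)
	if c.Audience != "" {
		p["audience"] = c.Audience
	}
	return p
}

// BuildPayloadAlwaysSend writes the audience key unconditionally, so an
// empty value reaches the backend and replaces the stale one.
func BuildPayloadAlwaysSend(c RoleConfig) Payload {
	p := base(c)
	p["audience"] = c.Audience
	return p
}

// FakeRole models the stored role. Update merges the keys it receives and
// leaves every other key untouched (constructed model of merge-on-update
// semantics, not Vault's API).
type FakeRole map[string]interface{}

func (r FakeRole) Update(p Payload) {
	for k, v := range p {
		r[k] = v
	}
}

// LiveAudience returns the audience currently stored on the role ("" if none).
func (r FakeRole) LiveAudience() string {
	a, _ := r["audience"].(string)
	return a
}

// AudienceDrift is the post-apply check: true when the live audience
// differs from the one the configuration declares.
func AudienceDrift(r FakeRole, desired RoleConfig) bool {
	return r.LiveAudience() != desired.Audience
}

// Scenario replays the issue with the given builder: create the role with
// audience = "vault", then apply the same configuration with audience removed.
// It returns the audience left on the role and whether that counts as drift.
func Scenario(build func(RoleConfig) Payload) (string, bool) {
	role := FakeRole{}
	withAudience := RoleConfig{
		BoundServiceAccountNames:      []string{"example"},
		BoundServiceAccountNamespaces: []string{"example"},
		TokenTTL:                      3600,
		TokenPolicies:                 []string{"example"},
		Audience:                      "vault",
	}
	role.Update(build(withAudience))

	withoutAudience := withAudience
	withoutAudience.Audience = ""
	role.Update(build(withoutAudience))

	return role.LiveAudience(), AudienceDrift(role, withoutAudience)
}

func main() {
	for _, b := range []struct {
		name  string
		build func(RoleConfig) Payload
	}{
		{"omit-when-empty", BuildPayloadOmitEmpty},
		{"always-send", BuildPayloadAlwaysSend},
	} {
		live, drift := Scenario(b.build)
		fmt.Printf("%-16s live audience=%q drift=%v\n", b.name, live, drift)
	}
}
```

Run with `go run .`: the omit-when-empty builder leaves `audience=vault` on the role after the argument is removed, which is exactly what the reporter's second `vault read` shows, while the always-send builder clears it. The drift check is the part worth keeping in a pipeline regardless of the provider fix: for an auth role, the configuration under review and the role actually enforced diverging silently means the access policy in effect is not the one that was approved, so reading the role back after apply and comparing it with the declared state catches this class of bug before it matters.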
@rnikoopour

This is present in Terraform 0.13.2 with Vault provider 2.14

@davidmontoyago

This is still present in Terraform 0.14.7 and Vault provider 2.19.0. Workaround is to destroy and re-create the role.
