Merge pull request #382 from Ninir/f-vault-aws-backend-role

[AWS Auth Backend Role] Recreate the resource if resolve_aws_unique_ids is set to false
hashicorp · Jun 3, 2019 · 1fe8cce · 1fe8cce
2 parents f9a67f8 + ef14904
commit 1fe8cce
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 9 deletions.
diff --git a/vault/resource_aws_auth_backend_role.go b/vault/resource_aws_auth_backend_role.go
@@ -18,11 +18,12 @@ var (
 
 func awsAuthBackendRoleResource() *schema.Resource {
 	return &schema.Resource{
-		Create: awsAuthBackendRoleCreate,
-		Read:   awsAuthBackendRoleRead,
-		Update: awsAuthBackendRoleUpdate,
-		Delete: awsAuthBackendRoleDelete,
-		Exists: awsAuthBackendRoleExists,
+		CustomizeDiff: resourceVaultAwsAuthBackendRoleCustomizeDiff,
+		Create:        awsAuthBackendRoleCreate,
+		Read:          awsAuthBackendRoleRead,
+		Update:        awsAuthBackendRoleUpdate,
+		Delete:        awsAuthBackendRoleDelete,
+		Exists:        awsAuthBackendRoleExists,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
@@ -258,6 +259,20 @@ func awsAuthBackendRoleResource() *schema.Resource {
 	}
 }
 
+func resourceVaultAwsAuthBackendRoleCustomizeDiff(diff *schema.ResourceDiff, v interface{}) error {
+	if diff.HasChange("resolve_aws_unique_ids") {
+		o, n := diff.GetChange("resolve_aws_unique_ids")
+		// The resolve_aws_unique_ids field can be updated from false to true
+		// but cannot be updated from true to false without recreating.
+		if o.(bool) && !n.(bool) {
+			if err := diff.ForceNew("resolve_aws_unique_ids"); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 func setSlice(d *schema.ResourceData, tfFieldName, vaultFieldName string, data map[string]interface{}) {
 	if ifcValue, ok := d.GetOk(tfFieldName); ok {
 		ifcValues := ifcValue.([]interface{})

diff --git a/website/docs/r/aws_auth_backend_role.html.md b/website/docs/r/aws_auth_backend_role.html.md
@@ -107,17 +107,16 @@ The following arguments are supported:
   `inferred_entity_type` is set. This only applies when `auth_type` is set to
   `iam`.
 
-* `resolve_aws_unique_ids` - (Optional) If set to `true`, the
+* `resolve_aws_unique_ids` - (Optional, Forces new resource) If set to `true`, the
   `bound_iam_principal_arns` are resolved to [AWS Unique
   IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
   for the bound principal ARN. This field is ignored when a
   `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
   closely mimics the behavior of AWS services in that if an IAM user or role is
   deleted and a new one is recreated with the same name, those new users or
   roles won't get access to roles in Vault that were permissioned to the prior
-  principals of the same name. Defaults to `true`. Once set to `true`, this
-  cannot be changed to `false`--the role must be deleted and recreated, with
-  the value set to `true`.
+  principals of the same name. Defaults to `true`.
+  Once set to `true`, this cannot be changed to `false` without recreating the role.
 
 * `ttl` - (Optional) The TTL period of tokens issued using this role, provided
   as a number of seconds.