
Unexpected behavior when kv-v2 mount path contains subpath. #1791

Closed
data-race opened this issue Mar 8, 2023 · 2 comments

Version

  • terraform: 1.3.9
  • provider registry.terraform.io/hashicorp/vault v3.13.0

Affected Resource(s)

  • vault_kv_secret_v2
  • vault_mount

Terraform Configuration Files

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.12.0"
    }
  }
}

provider "vault" {
  address = "http://localhost:8200"
  token   = "root"
}

# A kv-v2 engine mounted at a path that contains a subpath ("test/foo").
resource "vault_mount" "test" {
  path    = "test/foo"
  type    = "kv-v2"
  options = { version = "2" }
}

# A secret stored under that mount; its full API path is test/foo/data/bar.
resource "vault_kv_secret_v2" "test" {
  mount = vault_mount.test.path
  name  = "bar"
  data_json = jsonencode(
    {
      "hello" = "world"
    }
  )
}

Reproduce

Hi there. I was using the vault provider to provision some resources but I encountered some problems.
Above is a minimal example to reproduce my problem.
In this example, a vault_mount is created at path test/foo and then a vault_kv_secret_v2 is created under that path.
Then I execute terraform apply and it works fine.

> VAULT_TOKEN=root VAULT_ADDR=http://localhost:8200 vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_3b11cde3    per-token private secret storage
identity/     identity     identity_0a464287     identity store
secret/       kv           kv_8d71d15f           key/value secret storage
sys/          system       system_cdba0899       system endpoints used for control, policy and debugging
test/foo/     kv           kv_7840a449           This is the kv secret engine used by account service.

> VAULT_TOKEN=root VAULT_ADDR=http://localhost:8200 vault kv get test/foo/bar
== Secret Path ==
test/foo/data/bar

======= Metadata =======
Key                Value
---                -----
created_time       2023-03-08T12:54:16.611946Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

==== Data ====
Key      Value
---      -----
hello    world

However, when I execute terraform plan/apply again, some unexpected changes appear.

Expected Behavior

Expected behavior is that there should be no change.

Actual Behavior

Actual behavior is shown below:

> terraform plan
vault_mount.test: Refreshing state... [id=test/foo]
vault_kv_secret_v2.test: Refreshing state... [id=test/foo/data/bar]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated
with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # vault_kv_secret_v2.test must be replaced
-/+ resource "vault_kv_secret_v2" "test" {
      ~ data                = (sensitive value)
      ~ id                  = "test/foo/data/bar" -> (known after apply)
      ~ metadata            = {
          - "created_time"    = "2023-03-08T12:54:16.611946Z"
          - "custom_metadata" = "null"
          - "deletion_time"   = ""
          - "destroyed"       = "false"
          - "version"         = "2"
        } -> (known after apply)
      ~ mount               = "test" -> "test/foo" # forces replacement
      ~ name                = "data/bar" -> "bar" # forces replacement
      ~ path                = "test/foo/data/bar" -> (known after apply)
        # (3 unchanged attributes hidden)

      ~ custom_metadata {
          + cas_required         = (known after apply)
          + data                 = (known after apply)
          + delete_version_after = (known after apply)
          + max_versions         = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

This only happens when the mount path contains a subpath.
I am not sure if a subpath is allowed in the mount path.

Steps to Reproduce

  1. Launch a local vault dev server:
     vault server -dev -dev-root-token-id="root"
  2. Apply the above terraform configuration file.
  3. Plan/apply the configuration file again.
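The plan output above shows the provider reading the stored id test/foo/data/bar back as mount "test" and name "data/bar", which is what you get when the path is split on "/" and a fixed <mount>/data/<name> layout is assumed. The following Go program is an added illustration of that failure mode and of one way to avoid it; it is hypothetical example code, not the provider's implementation and not the change in #1781. naiveParse reproduces the observed result; mountAwareParse is an assumed alternative that resolves the id against the mount table (the constructed list mirrors the vault secrets list output above) and picks the longest mount that prefixes the path, so a mount containing a subpath round-trips correctly.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SecretRef locates a kv-v2 secret: the engine mount it lives in and its
// name relative to that mount. Hypothetical type for this example.
type SecretRef struct {
	Mount string
	Name  string
}

// naiveParse reproduces the behaviour visible in the plan: split the full
// API path on "/" and assume the fixed layout <mount>/data/<name>. This is
// right for single-segment mounts ("secret/data/x") but for
// "test/foo/data/bar" it yields mount "test" and name "data/bar".
func naiveParse(path string) SecretRef {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) < 3 {
		return SecretRef{}
	}
	return SecretRef{Mount: parts[0], Name: strings.Join(parts[2:], "/")}
}

// mountAwareParse resolves the path against the mounts actually present in
// Vault (the first column of `vault secrets list`, trailing slashes allowed).
// Longest prefix wins: "test" and "test/foo" can both be mounted, and only
// the longer one can own "test/foo/data/bar". After the mount, kv-v2 exposes
// secrets under data/<name> and their metadata under metadata/<name>.
func mountAwareParse(path string, mounts []string) (SecretRef, error) {
	p := strings.Trim(path, "/")

	sorted := make([]string, 0, len(mounts))
	for _, m := range mounts {
		sorted = append(sorted, strings.Trim(m, "/"))
	}
	sort.Slice(sorted, func(i, j int) bool { return len(sorted[i]) > len(sorted[j]) })

	for _, m := range sorted {
		if m == "" || !strings.HasPrefix(p, m+"/") {
			continue
		}
		rest := strings.TrimPrefix(p, m+"/")
		for _, seg := range []string{"data/", "metadata/"} {
			if strings.HasPrefix(rest, seg) && len(rest) > len(seg) {
				return SecretRef{Mount: m, Name: strings.TrimPrefix(rest, seg)}, nil
			}
		}
	}
	return SecretRef{}, fmt.Errorf("no mount in %v owns kv-v2 path %q", mounts, path)
}

func main() {
	// Constructed input mirroring the issue: the id from Terraform state and
	// the mount table from `vault secrets list`.
	const id = "test/foo/data/bar"
	mounts := []string{"cubbyhole/", "identity/", "secret/", "sys/", "test/foo/"}

	n := naiveParse(id)
	fmt.Printf("naive:       mount=%q name=%q\n", n.Mount, n.Name)

	ref, err := mountAwareParse(id, mounts)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("mount-aware: mount=%q name=%q\n", ref.Mount, ref.Name)
}
```

Until a provider version containing the fix is in use, read the plan before applying: the -/+ action shown above destroys the existing secret and recreates it on every apply rather than leaving it untouched.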

mouellet commented Mar 8, 2023

This seems to be a fix for the issue: #1781

data-race (Author) commented
Cool. This issue can be closed.
