
[AWS Auth Backend Role] Recreate the resource if resolve_aws_unique_ids is set to false #382

Merged



@Ninir Ninir commented Apr 5, 2019

Description

This fixes a case on vault_aws_auth_backend_role where resolve_aws_unique_ids cannot be updated from true to false without recreating the resource, while updating from false to true is allowed (Source).

Tests are passing with the following:

$ make testacc TESTARGS='-run=TestAccAWSAuthBackendRole_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -run=TestAccAWSAuthBackendRole_ -timeout 120m
?   	github.com/terraform-providers/terraform-provider-vault	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/util	(cached) [no tests to run]
=== RUN   TestAccAWSAuthBackendRole_importInferred
--- PASS: TestAccAWSAuthBackendRole_importInferred (12.35s)
=== RUN   TestAccAWSAuthBackendRole_importEC2
--- PASS: TestAccAWSAuthBackendRole_importEC2 (12.06s)
=== RUN   TestAccAWSAuthBackendRole_importIAM
--- PASS: TestAccAWSAuthBackendRole_importIAM (12.09s)
=== RUN   TestAccAWSAuthBackendRole_inferred
--- PASS: TestAccAWSAuthBackendRole_inferred (10.56s)
=== RUN   TestAccAWSAuthBackendRole_ec2
--- PASS: TestAccAWSAuthBackendRole_ec2 (10.65s)
=== RUN   TestAccAWSAuthBackendRole_iam
--- PASS: TestAccAWSAuthBackendRole_iam (10.64s)
=== RUN   TestAccAWSAuthBackendRole_iam_resolve_aws_unique_ids
--- PASS: TestAccAWSAuthBackendRole_iam_resolve_aws_unique_ids (10.64s)
=== RUN   TestAccAWSAuthBackendRole_iamUpdate
--- PASS: TestAccAWSAuthBackendRole_iamUpdate (18.07s)
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/vault	97.256s

This also fixes a crash I encountered when adding the CustomizeDiff function, caused by updating mitchellh/copystructure and mitchellh/reflectwalk to the newest versions. Here is the crash log:

panic: interface conversion: interface {} is schema.schemaMap, not *schema.schemaMap
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: goroutine 134 [running]:
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema.(*schemaMap).DeepCopy(0xc00000e658, 0xc000679290)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/Users/myuser/go/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema/schema.go:447 +0xa2
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema.schemaMap.Diff(0xc000188d80, 0xc0001e2960, 0xc000679170, 0x1d215b0, 0x1cb0d60, 0xc0006273b0, 0x1bd3f40, 0x0, 0x1013d31)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/Users/myuser/go/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema/schema.go:489 +0xa3a
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema.(*Resource).Diff(0xc000312e70, 0xc0001e2960, 0xc000679170, 0x1cb0d60, 0xc0006273b0, 0x100d801, 0xc000077b80, 0x10bf92c)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/Users/myuser/go/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema/resource.go:250 +0x17c
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema.(*Provider).Diff(0xc00022fab0, 0xc0001e2910, 0xc0001e2960, 0xc000679170, 0xc000069400, 0x18, 0x2b476c0)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/Users/myuser/go/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/helper/schema/provider.go:296 +0x9c
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/plugin.(*ResourceProviderServer).Diff(0xc0005c8640, 0xc0005cb860, 0xc0005380a0, 0x0, 0x0)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/Users/myuser/go/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform/plugin/resource_provider.go:538 +0x57
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: reflect.Value.call(0xc00048e360, 0xc00000e040, 0x13, 0x1ccc15e, 0x4, 0xc000077f18, 0x3, 0x3, 0xc000317700, 0x0, ...)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/usr/local/Cellar/go/1.11/libexec/src/reflect/value.go:447 +0x449
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: reflect.Value.Call(0xc00048e360, 0xc00000e040, 0x13, 0xc00051cf18, 0x3, 0x3, 0xc00051cf40, 0x12253ce, 0xc000473c00)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/usr/local/Cellar/go/1.11/libexec/src/reflect/value.go:308 +0xa4
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: net/rpc.(*service).call(0xc0000c0400, 0xc0001d21e0, 0xc000036110, 0xc000036120, 0xc0002de180, 0xc000194880, 0x1ab8a60, 0xc0005cb860, 0x16, 0x1ab8aa0, ...)
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/usr/local/Cellar/go/1.11/libexec/src/net/rpc/server.go:384 +0x14e
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: created by net/rpc.(*Server).ServeCodec
2019-04-04T18:26:24.406-0700 [DEBUG] plugin.terraform-provider-vault: 	/usr/local/Cellar/go/1.11/libexec/src/net/rpc/server.go:481 +0x47e
2019/04/04 18:26:24 [ERROR] root: eval: *terraform.EvalRefresh, err: vault_policy.services: unexpected EOF
2019/04/04 18:26:24 [ERROR] root: eval: *terraform.EvalDiff, err: unexpected EOF
2019/04/04 18:26:24 [ERROR] root: eval: *terraform.EvalSequence, err: vault_policy.services: unexpected EOF
2019/04/04 18:26:24 [ERROR] root: eval: *terraform.EvalSequence, err: unexpected EOF
2019/04/04 18:26:24 [ERROR] root: eval: *terraform.EvalRefresh, err: vault_auth_backend.approle: unexpected EOF
2019/04/04 18:26:24 [ERROR] root: eval: *terraform.EvalSequence, err: vault_auth_backend.approle: unexpected EOF
2019/04/04 18:26:24 [TRACE] [walkRefresh] Exiting eval tree: vault_auth_backend.approle
2019/04/04 18:26:24 [TRACE] [walkRefresh] Exiting eval tree: vault_aws_auth_backend_role.example
2019/04/04 18:26:24 [TRACE] [walkRefresh] Exiting eval tree: vault_policy.services
2019/04/04 18:26:24 [TRACE] dag/walk: upstream errored, not walking "provider.vault (close)"
2019-04-04T18:26:24.409-0700 [DEBUG] plugin: plugin process exited: path=/Users/myuser/go/bin/terraform-provider-vault
2019/04/04 18:26:24 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-04-04T18:26:24.415-0700 [WARN ] plugin: error closing client during Kill: err="connection is shut down"

Before the CustomizeDiff fix

resolve_aws_unique_ids - True to False

$ terraform apply
vault_auth_backend.approle: Refreshing state... (ID: approle)
vault_policy.services: Refreshing state... (ID: services)
vault_auth_backend.aws: Refreshing state... (ID: aws)
vault_aws_auth_backend_role.example: Refreshing state... (ID: auth/aws/role/test-role-iam)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ vault_aws_auth_backend_role.example
      resolve_aws_unique_ids: "true" => "false"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_aws_auth_backend_role.example: Modifying... (ID: auth/aws/role/test-role-iam)
  resolve_aws_unique_ids: "true" => "false"

Error: Error applying plan:

1 error(s) occurred:

* vault_aws_auth_backend_role.example: 1 error(s) occurred:

* vault_aws_auth_backend_role.example: error updating AWS auth backend role "auth/aws/role/test-role-iam": Error making API request.

URL: PUT https://myvault.com/v1/auth/aws/role/test-role-iam
Code: 400. Errors:

* changing resolve_aws_unique_ids from true to false is not allowed

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

resolve_aws_unique_ids - False to True

$ terraform apply
vault_auth_backend.approle: Refreshing state... (ID: approle)
vault_policy.services: Refreshing state... (ID: services)
vault_auth_backend.aws: Refreshing state... (ID: aws)
vault_aws_auth_backend_role.example: Refreshing state... (ID: auth/aws/role/test-role-iam)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ vault_aws_auth_backend_role.example
      resolve_aws_unique_ids: "false" => "true"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_aws_auth_backend_role.example: Modifying... (ID: auth/aws/role/test-role-iam)
  resolve_aws_unique_ids: "false" => "true"
vault_aws_auth_backend_role.example: Modifications complete after 1s (ID: auth/aws/role/test-role-iam)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

After the CustomizeDiff fix

resolve_aws_unique_ids - True to False

$ terraform apply
vault_auth_backend.approle: Refreshing state... (ID: approle)
vault_policy.services: Refreshing state... (ID: services)
vault_auth_backend.aws: Refreshing state... (ID: aws)
vault_aws_auth_backend_role.example: Refreshing state... (ID: auth/aws/role/test-role-iam)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ vault_aws_auth_backend_role.example (new resource required)
      id:                        "auth/aws/role/test-role-iam" => <computed> (forces new resource)
      allow_instance_migration:  "false" => "false"
      auth_type:                 "iam" => "iam"
      backend:                   "aws" => "aws"
      bound_iam_role_arns.#:     "1" => "1"
      bound_iam_role_arns.0:     "arn:aws:iam::532332872873:role/test-gauthier" => "arn:aws:iam::532332872873:role/test-gauthier"
      disallow_reauthentication: "false" => "false"
      inferred_aws_region:       "us-east-1" => "us-east-1"
      inferred_entity_type:      "ec2_instance" => "ec2_instance"
      max_ttl:                   "86400" => "86400"
      policies.#:                "1" => "1"
      policies.0:                "services" => "services"
      resolve_aws_unique_ids:    "true" => "false" (forces new resource)
      role:                      "test-role-iam-gauthier" => "test-role-iam-gauthier"
      ttl:                       "3600" => "3600"


Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_aws_auth_backend_role.example: Destroying... (ID: auth/aws/role/test-role-iam)
vault_aws_auth_backend_role.example: Destruction complete after 1s
vault_aws_auth_backend_role.example: Creating...
  allow_instance_migration:  "" => "false"
  auth_type:                 "" => "iam"
  backend:                   "" => "aws"
  bound_iam_role_arns.#:     "" => "1"
  bound_iam_role_arns.0:     "" => "arn:aws:iam::532332872873:role/test-gauthier"
  disallow_reauthentication: "" => "false"
  inferred_aws_region:       "" => "us-east-1"
  inferred_entity_type:      "" => "ec2_instance"
  max_ttl:                   "" => "86400"
  policies.#:                "" => "1"
  policies.0:                "" => "services"
  resolve_aws_unique_ids:    "" => "false"
  role:                      "" => "test-role-iam-gauthier"
  ttl:                       "" => "3600"
vault_aws_auth_backend_role.example: Creation complete after 1s (ID: auth/aws/role/test-role-iam)

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

resolve_aws_unique_ids - False to True

$ terraform apply
vault_auth_backend.approle: Refreshing state... (ID: approle)
vault_policy.services: Refreshing state... (ID: services)
vault_auth_backend.aws: Refreshing state... (ID: aws)
vault_aws_auth_backend_role.example: Refreshing state... (ID: auth/aws/role/test-role-iam)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ vault_aws_auth_backend_role.example
      resolve_aws_unique_ids: "false" => "true"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_aws_auth_backend_role.example: Modifying... (ID: auth/aws/role/test-role-iam)
  resolve_aws_unique_ids: "false" => "true"
vault_aws_auth_backend_role.example: Modifications complete after 1s (ID: auth/aws/role/test-role-iam)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

@tyrannosaurus-becks
Contributor

Hi @Ninir ! Thanks for contributing this!

Would it be possible to get a test that reproduces the issue, and then I can see that this solution fixes it?

@Ninir
Contributor Author

Ninir commented May 2, 2019

Hi @tyrannosaurus-becks

You can use this sequence for instance:

  1. Set a config as
resource "vault_aws_auth_backend_role" "example" {
  backend                         = "aws"
  role                            = "test-role"
  auth_type                       = "iam"
  bound_iam_role_arns             = ["arn:aws:iam::123456789012:role/MyRole"]
  inferred_entity_type            = "ec2_instance"
  inferred_aws_region             = "us-east-1"
  ttl                             = 60
  max_ttl                         = 120
  policies                        = ["default"]
  resolve_aws_unique_ids          = true
}
  2. Apply
  3. Change resolve_aws_unique_ids to be false
  4. Apply
  5. It will fail with:
terraform apply
vault_aws_auth_backend_role.example: Refreshing state... (ID: auth/aws/role/test-role)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ vault_aws_auth_backend_role.example
      resolve_aws_unique_ids: "true" => "false"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_aws_auth_backend_role.example: Modifying... (ID: auth/aws/role/test-role)
  resolve_aws_unique_ids: "true" => "false"

Error: Error applying plan:

1 error(s) occurred:

* vault_aws_auth_backend_role.example: 1 error(s) occurred:

* vault_aws_auth_backend_role.example: error updating AWS auth backend role "auth/aws/role/test-role": Error making API request.

URL: PUT https://<redacted>/v1/auth/aws/role/test-role
Code: 400. Errors:

* changing resolve_aws_unique_ids from true to false is not allowed

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

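The before/after plans in the PR description and the reproduction sequence above both come down to one rule: Vault refuses to flip resolve_aws_unique_ids from true to false on an existing role, so the provider has to plan that transition as a replacement instead of an in-place update. The following is an added Go model of that rule for illustration; it is not the provider's CustomizeDiff code. Attrs, Diff, Apply, RoleCustomizers and vaultUpdateRole are names chosen here, and the Vault API is replaced by a stand-in that reproduces only the 400 quoted in the logs above.

```go
package main

import (
	"fmt"
	"sort"
)

// Attrs is a flat attribute map, the shape in which Terraform's legacy SDK
// presents resource state and config to a diff.
type Attrs map[string]string

// PlanAction is what a plan would do to the resource.
type PlanAction string

const (
	NoOp    PlanAction = "no-op"
	Update  PlanAction = "update in-place"
	Replace PlanAction = "destroy and then create replacement"
)

// Plan is the outcome of diffing prior state against the desired config.
type Plan struct {
	Action   PlanAction
	Changed  []string // attributes whose value differs
	ForceNew []string // changed attributes that force a replacement
}

// Customizer is a CustomizeDiff-style hook: it reports whether a given
// state -> config transition must force a new resource.
type Customizer func(state, cfg Attrs) bool

// RoleCustomizers models the rule this PR adds (hypothetical helper, not the
// provider's code): resolve_aws_unique_ids true -> false forces replacement
// because Vault rejects that transition on an existing role, while
// false -> true stays an in-place update.
var RoleCustomizers = map[string]Customizer{
	"resolve_aws_unique_ids": func(state, cfg Attrs) bool {
		return state["resolve_aws_unique_ids"] == "true" &&
			cfg["resolve_aws_unique_ids"] == "false"
	},
}

// Diff computes the plan. Any customizer that fires promotes the change
// from an in-place update to a replacement, the way "(forces new resource)"
// appears in the plan output above.
func Diff(state, cfg Attrs, customizers map[string]Customizer) Plan {
	p := Plan{Action: NoOp}
	keys := map[string]bool{}
	for k := range state {
		keys[k] = true
	}
	for k := range cfg {
		keys[k] = true
	}
	for k := range keys {
		if state[k] != cfg[k] {
			p.Changed = append(p.Changed, k)
		}
	}
	sort.Strings(p.Changed)
	if len(p.Changed) > 0 {
		p.Action = Update
	}
	for attr, fn := range customizers {
		if fn(state, cfg) {
			p.ForceNew = append(p.ForceNew, attr)
		}
	}
	sort.Strings(p.ForceNew)
	if len(p.ForceNew) > 0 {
		p.Action = Replace
	}
	return p
}

// vaultUpdateRole is a constructed stand-in for PUT on an existing role; it
// reproduces only the 400 quoted in the PR, nothing else of the Vault API.
func vaultUpdateRole(existing, requested Attrs) error {
	if existing["resolve_aws_unique_ids"] == "true" &&
		requested["resolve_aws_unique_ids"] == "false" {
		return fmt.Errorf("changing resolve_aws_unique_ids from true to false is not allowed (HTTP 400)")
	}
	return nil
}

// Apply runs the plan against the stand-in. A replacement deletes and
// recreates the role, so the one-way check on update is never reached; an
// in-place update has to pass it.
func Apply(state, cfg Attrs, p Plan) error {
	if p.Action == Update {
		return vaultUpdateRole(state, cfg)
	}
	return nil // Replace (delete + create) or NoOp
}

func main() {
	state := Attrs{"role": "test-role", "auth_type": "iam", "resolve_aws_unique_ids": "true"}
	cfg := Attrs{"role": "test-role", "auth_type": "iam", "resolve_aws_unique_ids": "false"}

	before := Diff(state, cfg, nil) // without the CustomizeDiff: plain update, rejected
	fmt.Printf("before: %s, apply error: %v\n", before.Action, Apply(state, cfg, before))

	after := Diff(state, cfg, RoleCustomizers) // with it: replacement, accepted
	fmt.Printf("after:  %s (forced by %v), apply error: %v\n", after.Action, after.ForceNew, Apply(state, cfg, after))
}
```

Running it prints the rejected in-place update first and the forced replacement second; the false -> true direction stays an in-place update with either diff, matching the two "False to True" applies in the PR description.
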
@Ninir
Contributor Author

Ninir commented May 2, 2019

I am gonna rebase it also in order to get the Go Modules setup!

@Ninir Ninir force-pushed the f-vault-aws-backend-role branch from ed63f1d to ef14904 on May 2, 2019 21:02
@Ninir
Contributor Author

Ninir commented May 3, 2019

@tyrannosaurus-becks I am under the impression that the master branch has go modules not up to date, or it's not tidied up/vendored entirely. Running go mod vendor updates a bunch of things. Do you know about that?

@tyrannosaurus-becks
Contributor

Hi @Ninir , thanks for working on this!

I was more looking for a test like adding to the ones here.

I'm not too certain about what you're describing with go modules.

@Ninir
Contributor Author

Ninir commented May 28, 2019

@tyrannosaurus-becks I'm gonna work on that :)

I'm not too certain about what you're describing with go modules.
Well, running go mod vendor on the master branch updates a BUNCH of things on my side, but I guess it's gonna be fixed/updated by #425


@tyrannosaurus-becks tyrannosaurus-becks left a comment


Hi @Ninir ! I took a second look at this, and ran the tests locally. It would be nice to have a test recreating the failure, but I think in this case, since you do show a before/after in the PR, it should be fine. Thank you for this contribution!

@tyrannosaurus-becks tyrannosaurus-becks merged commit 1fe8cce into hashicorp:master Jun 3, 2019
dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021
[AWS Auth Backend Role] Recreate the resource if resolve_aws_unique_ids is set to false