
Provider becomes stuck if a managed approle + secret ID is deleted #1683

Closed
dpedu opened this issue Nov 29, 2022 · 2 comments · Fixed by #2142

dpedu commented Nov 29, 2022

Terraform Version

v1.1.3

Affected Resource(s)

Please list the resources as a list, for example:

  • vault_approle_auth_backend_role_secret_id

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

locals {
  roles = toset(["foo", "bar"])
}

resource "vault_approle_auth_backend_role" "role" {
  for_each = local.roles

  role_name      = each.value
  backend        = data.vault_auth_backend.approle.path
}

resource "random_uuid" "secrets" {
  for_each = local.roles
}

resource "vault_approle_auth_backend_role_secret_id" "secret" {
  for_each = local.roles

  role_name = each.value
  backend   = data.vault_auth_backend.approle.path
  secret_id = random_uuid.secrets[each.value].result

  metadata = jsonencode({
    (redacted)
  })

  depends_on = [vault_approle_auth_backend_role.role]
}

Debug Output

2022-11-29T11:11:36.962-0800 [ERROR] vertex "module.bootstrap.vault_approle_auth_backend_role_secret_id.secret[\"bastion\"]" error: error checking if AppRole auth backend role SecretID "backend=approle::role=mp-approle-name::accessor=12352ac9-b0e4-ef7b-f17f-d7d975678ab9" exists: Error making API request.

URL: PUT https://vault.biz.matterport.com/v1/auth/approle/role/mp-approle-name/secret-id-accessor/lookup
Code: 500. Errors:

* 1 error occurred:
	* role "mp-approle-name" does not exist
2022-11-29T11:11:36.962-0800 [ERROR] vertex "module.bootstrap.vault_approle_auth_backend_role_secret_id.secret" error: error checking if AppRole auth backend role SecretID "backend=approle::role=mp-approle-name::accessor=12352ac9-b0e4-ef7b-f17f-d7d975678ab9" exists: Error making API request.

URL: PUT https://vault.biz.matterport.com/v1/auth/approle/role/mp-approle-name/secret-id-accessor/lookup
Code: 500. Errors:

* 1 error occurred:
	* role "mp-approle-name" does not exist
2022-11-29T11:11:36.962-0800 [ERROR] vertex "module.bootstrap.vault_approle_auth_backend_role_secret_id.secret (expand)" error: error checking if AppRole auth backend role SecretID "backend=approle::role=mp-approle-name::accessor=12352ac9-b0e4-ef7b-f17f-d7d975678ab9" exists: Error making API request.

URL: PUT https://vault.biz.matterport.com/v1/auth/approle/role/mp-approle-name/secret-id-accessor/lookup
Code: 500. Errors:

* 1 error occurred:
	* role "mp-approle-name" does not exist

Panic Output

N/A

Expected Behavior

The provider should detect that the approle does not exist and thus ignore the http error 500 returned from looking up the secret id accessor.

Actual Behavior

The provider behaves as if the missing approle secret id accessor is a fatal error. All future apply/block/refresh runs hit this error and are unable to proceed.

Removing only the vault_approle_auth_backend_role_secret_id unblocks terraform, and terraform/the provider then detects that the bootstrap.vault_approle_auth_backend_role was deleted and offers to recreate it.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Deploy a vault approle + secret into vault
  2. Manually delete the approle
  3. Run terraform refresh or apply or plan
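
As an added illustration of the behaviour requested above (example code, not the provider's own): a Go classifier that recognises Vault's `role "..." does not exist` response to the secret-id-accessor lookup and reports the secret ID as gone, so a Read step can clear the resource from state instead of failing every refresh. The `vaultResponseError` type and the `lookup` callback are assumed stand-ins for the Vault API client's response error and the accessor lookup call.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// vaultResponseError is a constructed stand-in for the shape of the Vault
// API client's response error (HTTP status code plus a list of error
// strings). It is not the provider's or the Vault client's own type.
type vaultResponseError struct {
	StatusCode int
	Errors     []string
}

func (e *vaultResponseError) Error() string {
	return fmt.Sprintf("Code: %d. Errors: %s", e.StatusCode, strings.Join(e.Errors, "; "))
}

// Vault reports a deleted role with HTTP 500 and this message (see the
// debug output above), wrapped in a multierror, so match the text rather
// than relying on the status code.
var roleMissingRe = regexp.MustCompile(`role "[^"]*" does not exist`)

// isRoleMissing reports whether the lookup failed only because the AppRole
// role itself no longer exists. Any other error (permission denied, network
// failure, ...) is left to the caller.
func isRoleMissing(err error) bool {
	var re *vaultResponseError
	if !errors.As(err, &re) {
		return false
	}
	for _, msg := range re.Errors {
		if roleMissingRe.MatchString(msg) {
			return true
		}
	}
	return false
}

// secretIDExists wraps the accessor lookup (hypothetical signature: nil data
// with nil error means the accessor was not found) and maps "role is gone"
// to (false, nil). Only genuine failures are surfaced as errors.
func secretIDExists(lookup func() (map[string]interface{}, error)) (bool, error) {
	data, err := lookup()
	switch {
	case err == nil:
		return data != nil, nil
	case isRoleMissing(err):
		return false, nil // role deleted out of band: resource is gone, not fatal
	default:
		return false, fmt.Errorf("checking SecretID accessor: %w", err)
	}
}
```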

dejoost commented Feb 13, 2024

I can confirm this erratic behaviour is extremely annoying; any outlook on when this could be picked up?

dejoost commented Feb 13, 2024

and duplicate of #1666
