[Bug]: vault_ssh_secret_backend_ca gets replaced after provider upgrade #2281

Closed
kwevers opened this issue Jun 18, 2024 · 2 comments · Fixed by #2308

kwevers commented Jun 18, 2024

Terraform Core Version

1.8.5

Terraform Vault Provider Version

4.3.0

Vault Server Version

1.15.8+ent

Affected Resource(s)

  • vault_ssh_secret_backend_ca

Expected Behavior

Upgrading the Vault provider from 4.2.0 to 4.3.0 should not result in any changes for vault_ssh_secret_backend_ca resources if no config has been changed.

Actual Behavior

Upgrading the Vault provider from 4.2.0 to 4.3.0 results in vault_ssh_secret_backend_ca being replaced although no other changes have been made.
The key_type attribute, introduced in #1454, gets added (implicit, using the default value) and forces the resource to be replaced.

Relevant Error/Panic Output Snippet

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # vault_ssh_secret_backend_ca.ssh-client-ca must be replaced
-/+ resource "vault_ssh_secret_backend_ca" "ssh-client-ca" {
      ~ id                   = "ssh-client-signer" -> (known after apply)
      + key_type             = "ssh-rsa" # forces replacement
      + private_key          = (sensitive value)
      ~ public_key           = <<-EOT
            ssh-rsa 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
        EOT -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # vault_ssh_secret_backend_ca.ssh-host-ca must be replaced
-/+ resource "vault_ssh_secret_backend_ca" "ssh-host-ca" {
      ~ id                   = "ssh-host-signer" -> (known after apply)
      + key_type             = "ssh-rsa" # forces replacement
      + private_key          = (sensitive value)
      ~ public_key           = <<-EOT
            ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDI/Rdh27ECXKYSsT8b5IEcBGu9kwaOS7Bs09dftF1QODnKtEMAFf1mu+Mb0HqV1XeC9qFYY6nBbmXl2ZZEwDXQPvcLwxG71P/sknJdS4e46NRiCJB0UzbS2ILxXfHtQv9XyKSgeeNDp8oBeODET2yA8yVjkSy+qcc83lrKOgLYxVk8i0C07kLXXFRSVO/nIRU+CB3ex9J+bac2DaOwz8QnF8/ML7nCs/i+apL+VHIvfIzsz0n3cCki2VFNLaK+7hviPgs3bVaCjFkIc0kFQVH3ULR0LE+FPFRs70+CY8kW2uTTIy8RMGrAkxUuPTRCdJaSEMdVBoqmrgdRdTrPr6Lq0WQUukTgf1DQ3ruWALEa30W6hAOmu4YUqO/V2Kgq2QRGCvscQg9tIN0N3PZu1EeHf2J4kKvMdqJxYMAoig5XjSWSr9MvlunUhQT8R9GJrkVMrg0A2nr1FWzEwggakjQ+ZG4yxFXK79nXas1YE8sf56GIFR2hzZL9UgXiykSJBLXqzSepLfBqlryY5IeP12hCxqpGygHrYz8PvXe0R6MHreVDbIRgu51VyCODw01xYmuHQuh/4hysuW6gI75ySnEM2Zm41ysmEP2wpzCdiaw4QJJyMEI8ej0a5d4+SFw9yDy+qIVWjcWGyJnzxknsS/+0iS/yzm5vq4QlWkCiVc5rWw==
        EOT -> (known after apply)
        # (3 unchanged attributes hidden)
    }

Terraform Configuration Files

For both provider version 4.2.0 and 4.3.0 we're using this config.

resource "vault_ssh_secret_backend_ca" "ssh-host-ca" {
  backend              = vault_mount.ssh-host-signer.path
  generate_signing_key = true
  namespace            = vault_mount.ssh-host-signer.namespace
}

resource "vault_ssh_secret_backend_ca" "ssh-client-ca" {
  backend              = vault_mount.ssh-client-signer.path
  generate_signing_key = true
  namespace            = vault_mount.ssh-client-signer.namespace
}

Steps to Reproduce

  • Create a vault_ssh_secret_backend_ca with provider version 4.2.0
  • Upgrade to provider version 4.3.0
  • Run a terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Would you like to implement a fix?

No

@kwevers kwevers added the bug label Jun 18, 2024
@hubby2004

We are seeing the same issue as well

ochnerd commented Jul 4, 2024

We are seeing the same issue, key_type = ca will be changed to key_type = ssh-rsa, is this correct?
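
A pre-apply guard for the situation reported in this issue, as an added example that is not part of the issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and fails when a `vault_ssh_secret_backend_ca` resource would be destroyed or replaced, listing the attributes that force the replacement. The sample plan is constructed for illustration, and the function names are this example's own.

```python
import json

# Resource type from the issue. In the reported plan, replacement turns
# public_key into "(known after apply)", i.e. a new CA signing key.
GUARDED_TYPES = {"vault_ssh_secret_backend_ca"}

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# modelled on the plan in the issue (not real plan data).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "vault_ssh_secret_backend_ca.ssh-host-ca",
         "type": "vault_ssh_secret_backend_ca",
         "change": {"actions": ["delete", "create"],
                    "before": {"backend": "ssh-host-signer"},
                    "after": {"backend": "ssh-host-signer", "key_type": "ssh-rsa"},
                    "replace_paths": [["key_type"]]}},
        {"address": "vault_mount.ssh-host-signer",
         "type": "vault_mount",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}},
    ],
})


def find_destructive_changes(plan_json, guarded_types=GUARDED_TYPES):
    """Return [(address, [attribute paths forcing replacement])] for guarded resources."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # Replacement shows up as ["delete", "create"] or ["create", "delete"];
        # a plain ["delete"] is caught too, with no replace_paths.
        if rc.get("type") in guarded_types and "delete" in actions:
            paths = [".".join(str(step) for step in path)
                     for path in change.get("replace_paths", [])]
            findings.append((rc["address"], paths))
    return findings


def main(plan_json=SAMPLE_PLAN):
    findings = find_destructive_changes(plan_json)
    for address, paths in findings:
        reason = ", ".join(paths) or "not reported"
        print(f"BLOCK: {address} would be destroyed (forced by: {reason})")
    return 1 if findings else 0  # non-zero exit code fails the pipeline step


if __name__ == "__main__":
    raise SystemExit(main())
```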
