[Bug]: importing existing vault_auth_backend does not set all attributes #2350

Open
crusstu opened this issue Nov 1, 2024 · 0 comments

crusstu commented Nov 1, 2024

Terraform Core Version

1.9.7

Terraform Vault Provider Version

4.4.0

Vault Server Version

1.16.6+ent

Affected Resource(s)

  • vault_auth_backend

Expected Behavior

Importing existing auth backends should perform a complete import, and there should be no changes on a subsequent terraform apply.

Actual Behavior

Imported vault_auth_backend resources are missing attributes.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "= 4.4.0"
    }
  }
  required_version = ">= 1.9.0"
}

resource "vault_auth_backend" "example" {
  path = "approle-test"
  type = "approle"

  tune {
    listing_visibility = "unauth"
  }
}

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. terraform state show 'vault_auth_backend.example' and note the 8 attributes of the resource (including the 8 sub-attributes of the tune block)
  4. terraform state rm 'vault_auth_backend.example'
  5. terraform import 'vault_auth_backend.example' 'approle-test'
  6. terraform state show 'vault_auth_backend.example' and note that only 6 attributes are set in the imported resource (notably the tune block and the disable_remount attribute are missing)
  7. terraform apply and note there are changes to make to the resource
  8. terraform state show 'vault_auth_backend.example' and note all 8 attributes of the resource are set

Debug Output

$ terraform state show 'vault_auth_backend.example'
# vault_auth_backend.example:
resource "vault_auth_backend" "example" {
    accessor        = "auth_approle_4808b77a"
    description     = null
    disable_remount = false
    id              = "approle-test"
    local           = false
    path            = "approle-test"
    tune            = [
        {
            allowed_response_headers     = []
            audit_non_hmac_request_keys  = []
            audit_non_hmac_response_keys = []
            default_lease_ttl            = null
            listing_visibility           = "unauth"
            max_lease_ttl                = null
            passthrough_request_headers  = []
            token_type                   = null
        },
    ]
    type            = "approle"
}

$ terraform state rm 'vault_auth_backend.example'
Removed vault_auth_backend.example
Successfully removed 1 resource instance(s).

$ terraform import 'vault_auth_backend.example' 'approle-test'
vault_auth_backend.example: Importing from ID "approle-test"...
vault_auth_backend.example: Import prepared!
  Prepared vault_auth_backend for import
vault_auth_backend.example: Refreshing state... [id=approle-test]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

$ terraform state show 'vault_auth_backend.example'
# vault_auth_backend.example:
resource "vault_auth_backend" "example" {
    accessor    = "auth_approle_4808b77a"
    description = null
    id          = "approle-test"
    local       = false
    path        = "approle-test"
    type        = "approle"
}

$ terraform apply
vault_auth_backend.example: Refreshing state... [id=approle-test]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # vault_auth_backend.example will be updated in-place
  ~ resource "vault_auth_backend" "example" {
      + disable_remount = false
        id              = "approle-test"
      + tune            = [
          + {
              + allowed_response_headers     = []
              + audit_non_hmac_request_keys  = []
              + audit_non_hmac_response_keys = []
              + listing_visibility           = "unauth"
              + passthrough_request_headers  = []
                # (3 unchanged attributes hidden)
            },
        ]
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_auth_backend.example: Modifying... [id=approle-test]
vault_auth_backend.example: Modifications complete after 0s [id=approle-test]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

$ terraform state show 'vault_auth_backend.example'
# vault_auth_backend.example:
resource "vault_auth_backend" "example" {
    accessor        = "auth_approle_4808b77a"
    description     = null
    disable_remount = false
    id              = "approle-test"
    local           = false
    path            = "approle-test"
    tune            = [
        {
            allowed_response_headers     = []
            audit_non_hmac_request_keys  = []
            audit_non_hmac_response_keys = []
            default_lease_ttl            = null
            listing_visibility           = "unauth"
            max_lease_ttl                = null
            passthrough_request_headers  = []
            token_type                   = null
        },
    ]
    type            = "approle"
}

Panic Output

No response

Important Factoids

The implications of #2338, and of possibly deprecating the tune block for auth mounts, are unclear, but the disable_remount attribute is also missing from the import, so this is not just related to how tune parameters are handled.

References

No response

Would you like to implement a fix?

None

crusstu added the bug label Nov 1, 2024
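
The comparison made by hand in steps 3 and 6 can be automated. The following is an added example, not part of the original issue or of the provider's code: it parses two `terraform state show` outputs and lists the top-level attributes that disappeared after the import. The sample outputs are abridged from the debug output above, and the function names are hypothetical.

```python
import re

ATTR = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*)$')

def top_level_attrs(state_show: str) -> dict:
    """Map each top-level attribute name to the raw text after '=' on its line."""
    attrs, depth = {}, 0
    for line in state_show.splitlines():
        if line.lstrip().startswith("#"):
            continue  # "# vault_auth_backend.example:" header line
        m = ATTR.match(line)
        if depth == 1 and m:  # directly inside the resource block
            attrs[m.group(1)] = m.group(2)
        # Drop quoted strings so brackets inside values do not affect nesting depth.
        bare = re.sub(r'"(?:\\.|[^"\\])*"', "", line)
        depth += sum(bare.count(c) for c in "{[") - sum(bare.count(c) for c in "}]")
    return attrs

def missing_after_import(before: str, after: str) -> list:
    """Attributes present before 'state rm' but absent after 'import'."""
    return sorted(set(top_level_attrs(before)) - set(top_level_attrs(after)))

# Abridged from the issue's debug output (tune block shortened).
BEFORE = '''# vault_auth_backend.example:
resource "vault_auth_backend" "example" {
    accessor        = "auth_approle_4808b77a"
    disable_remount = false
    id              = "approle-test"
    path            = "approle-test"
    tune            = [
        {
            listing_visibility = "unauth"
            token_type         = null
        },
    ]
    type            = "approle"
}'''

AFTER = '''# vault_auth_backend.example:
resource "vault_auth_backend" "example" {
    accessor    = "auth_approle_4808b77a"
    id          = "approle-test"
    path        = "approle-test"
    type        = "approle"
}'''

if __name__ == "__main__":
    print(missing_after_import(BEFORE, AFTER))
```

A non-empty result after an import means the next `terraform apply` will propose in-place changes, as seen in step 7.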