Open
Description
Terraform Core Version
1.9.8
Terraform Vault Provider Version
4.4.0
Vault Server Version
1.18.0
Affected Resource(s)
vault_aws_auth_backend_config_identity
Expected Behavior
The following resource should apply:
resource "vault_aws_auth_backend_config_identity" "example" {
  backend      = "aws"
  iam_alias    = "canonical_arn"
  iam_metadata = ["canonical_arn", "account_id"]
}
Actual Behavior
I see the error below:
│ Error: expected iam_alias to be one of ["role_id" "unique_id" "full_arn"], got canonical_arn
│
│ with vault_aws_auth_backend_config_identity.example,
│ on main.tf line 7, in resource "vault_aws_auth_backend_config_identity" "example":
│ 7: iam_alias = "canonical_arn"
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
provider "vault" {
  address = "<snip>"
}

resource "vault_aws_auth_backend_config_identity" "example" {
  backend      = "aws"
  iam_alias    = "canonical_arn"
  iam_metadata = ["canonical_arn", "account_id"]
}
Steps to Reproduce
Run terraform plan with the above config.
Debug Output
No response
Panic Output
No response
Important Factoids
Vault documentation, showing that canonical_arn is supported: https://developer.hashicorp.com/vault/api-docs/auth/aws#parameters-2
References
No response
Would you like to implement a fix?
None
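A possible interim workaround, added here as an example and not part of the original report or the provider's own code: write the same settings straight to the Vault API path with the provider's `vault_generic_endpoint` resource, which does not apply the `iam_alias` allow-list check. It assumes the AWS auth method is mounted at `aws` (as in the report) and that the Vault server accepts `canonical_arn`, as the linked documentation states; the resource name `aws_identity` is hypothetical.

```hcl
# Added example: bypasses the provider-side validation by writing to
# auth/<mount>/config/identity directly. Assumes the mount path "aws".
resource "vault_generic_endpoint" "aws_identity" {
  path = "auth/aws/config/identity"

  # Same values the dedicated resource was rejecting at plan time.
  data_json = jsonencode({
    iam_alias    = "canonical_arn"
    iam_metadata = ["canonical_arn", "account_id"]
  })

  # This is a configuration endpoint, so do not issue a DELETE on destroy.
  disable_delete = true

  # Skip read-back to avoid spurious diffs; the trade-off is that
  # out-of-band changes to this config are not detected by Terraform.
  disable_read = true
}
```

Because read-back is disabled, verify the applied value out of band, for example with `vault read auth/aws/config/identity`, and switch back to `vault_aws_auth_backend_config_identity` once the provider accepts `canonical_arn`.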