vault_aws_secret_backend_role: role_arns conflicts with policy_arns while it should not #709
Closed
Description
Terraform Version
Terraform v0.12.23
Affected Resource(s)
- vault_aws_secret_backend_role
Terraform Configuration Files
```hcl
resource "vault_aws_secret_backend_role" "ecr" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "ecr"
  credential_type = "assumed_role"

  role_arns = [
    "arn:aws:iam::${local.account_id}:role/${local.role-name}",
  ]

  policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
  ]
}
```
Expected Behavior
Plan runs successfully, as well as apply.
Actual Behavior
```text
Error: "policy_arns": conflicts with role_arns

  on aws-secret.tf line 47, in resource "vault_aws_secret_backend_role" "ecr":
  47: resource "vault_aws_secret_backend_role" "ecr" {

Error: "role_arns": conflicts with policy_arns

  on aws-secret.tf line 47, in resource "vault_aws_secret_backend_role" "ecr":
  47: resource "vault_aws_secret_backend_role" "ecr" {
```
Steps to Reproduce
Please list the steps required to reproduce the issue:
terraform plan
References
- Seems like this is a config desync with "aws_secret_backend_role: support role_arns argument #407", where the case with `credential_type = assumed_role` and both `role_arns` and `policy_arns` set has not been tested, because it did not exist back then.
- Upstream documentation for Vault does not mention anything about it: https://www.vaultproject.io/api-docs/secret/aws/#parameters-3
- Upstream documentation for AWS does seem to mention that policy ARNs are valid for `sts:AssumeRole` (as well as inline ones): https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
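The STS reference linked above is the reason the combination in this report matters for least privilege: policy ARNs passed to `sts:AssumeRole` are session policies, and the resulting credentials can do only what is allowed by both the role's own policies and the session policies (their intersection), so `policy_arns` on an `assumed_role` Vault role scopes the issued credentials down rather than widening them. The toy evaluator below, added here and not part of this issue, the provider, or Vault, models that intersection on constructed policy documents. The "read-only ECR" session policy is a hand-written approximation, not the content of the real `AmazonEC2ContainerRegistryReadOnly` managed policy, and the account ID, region, and repository name are placeholders.

```python
import fnmatch

# Toy IAM evaluator (added example). It models only Effect/Action/Resource
# with "*" and "?" wildcards; real IAM also evaluates Condition, NotAction,
# resource-based policies, permission boundaries and SCPs.

def _matches(patterns, value, case_insensitive):
    """True if value matches any pattern (IAM actions are case-insensitive)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, True) and _matches(stmt["Resource"], resource, False):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def session_allows(role_policies, session_policies, action, resource):
    """AssumeRole with PolicyArns: the session may do only what the role's
    identity policies allow AND the session policies allow."""
    role = [evaluate(p, action, resource) for p in role_policies]
    if "Deny" in role or "Allow" not in role:
        return False
    if not session_policies:
        return True  # no session policy: the role's permissions apply as-is
    sess = [evaluate(p, action, resource) for p in session_policies]
    return "Deny" not in sess and "Allow" in sess


# Constructed sample: the IAM role Vault would assume via role_arns.
ROLE_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Effect": "Deny", "Action": "ecr:DeleteRepository", "Resource": "*"},
    ],
}]

# Constructed approximation of a read-only ECR policy, playing the part of
# the policy_arns entry (NOT the real AmazonEC2ContainerRegistryReadOnly).
SESSION_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:DescribeImages",
        ],
        "Resource": "*",
    }],
}]

REPO = "arn:aws:ecr:eu-west-1:123456789012:repository/app"  # placeholder ARN

if __name__ == "__main__":
    for action, resource in [
        ("ecr:BatchGetImage", REPO),          # allowed by both -> True
        ("ecr:PutImage", REPO),               # role only -> False
        ("s3:GetObject", "arn:aws:s3:::build-artifacts/x.tgz"),  # role only -> False
        ("ecr:DeleteRepository", REPO),       # explicit deny on role -> False
    ]:
        print(f"{action:24} {session_allows(ROLE_POLICIES, SESSION_POLICIES, action, resource)}")
```

Dropping the session policy (an empty list) returns the role's full permissions, which is what an `assumed_role` Vault role without `policy_arns` hands out; that is the gap the conflicting-arguments check in the provider forces on users of this configuration.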