Terraform won't create certificate role in vault

Hello,

I have the following two roles that I’m trying to add to vault. The second one, etcd_ca_clients, works. The first one is never created:

resource "vault_pki_secret_backend_role" "etcd_ca" {
  depends_on       = [vault_pki_secret_backend_intermediate_set_signed.kube1_etcd_ca]
  backend          = vault_mount.kube1_etcd_ca.path
  name             = "kubernetes"
  ttl              = 283824000
  allow_ip_sans    = true
  key_type         = "rsa"
  key_bits         = "2048"
  allow_any_name   = true
  allowed_domains  = ["*"]
  allow_subdomains = true
}

resource "vault_pki_secret_backend_role" "etcd_ca_clients" {
  depends_on       = [vault_pki_secret_backend_intermediate_set_signed.kube1_etcd_ca]
  backend          = vault_mount.kube1_etcd_ca.path
  name             = "kubernetes-client"
  ttl              = 283824000
  allow_ip_sans    = true
  key_type         = "rsa"
  key_bits         = "2048"
  allow_any_name   = true
  allowed_domains  = ["*"]
  allow_subdomains = true
  organization     = ["system:masters"]
}

Whenever I use terraform apply, tf checks its state and sees that the role wasn’t created and it tries to create it over and over.
I don’t know how I can debug this further. These are the roles that I have in that mount point:

root@vault-0:~# vault list kube1-etcd-ca/roles
Keys
----
kubernetes-client

Any ideas what I should be starting with? It’s weird, because the roles are almost identical, the only exception is ‘organization’.

Terraform version is 1.3.1 and vault is 1.11.4.

I suggest using the Vault audit log to find out exactly what request Terraform is sending to Vault, and how Vault is responding.
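To illustrate the audit-log approach suggested above, here is an added example (not code from the original thread) that pairs the request and response entries a Vault JSON file audit device writes for role writes under a PKI mount and reports which writes Vault accepted. The audit lines below are constructed samples in the shape of Vault's JSON audit format, and the error text in them is a placeholder, not a real Vault message.

```python
import json


def parse_audit_entries(log_text):
    """Parse a Vault JSON audit log: one JSON object per line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def role_write_outcomes(log_text, mount):
    """Pair request/response audit entries for writes to <mount>/roles/<name>.

    Returns {role_name: [{"ok": bool, "error": str}, ...]} in log order.
    A request that never gets a response entry is reported as ok=False with
    error "no response logged"; that gap is itself a useful signal.
    """
    prefix = mount.rstrip("/") + "/roles/"
    by_id = {}  # request id -> (role_name, outcome); dict keeps log order
    for entry in parse_audit_entries(log_text):
        req = entry.get("request", {})
        path = req.get("path", "")
        # Role writes are logged as "update" (or "create"); skip list/read/delete.
        if not path.startswith(prefix) or req.get("operation") not in ("update", "create"):
            continue
        role = path[len(prefix):]
        rid = req.get("id")
        if entry.get("type") == "request":
            by_id.setdefault(rid, (role, {"ok": False, "error": "no response logged"}))
        elif entry.get("type") == "response":
            err = entry.get("error") or ""
            by_id[rid] = (role, {"ok": err == "", "error": err})
    outcomes = {}
    for role, outcome in by_id.values():
        outcomes.setdefault(role, []).append(outcome)
    return outcomes


# Constructed sample audit lines (data fields omitted; Vault HMACs them anyway).
SAMPLE_AUDIT_LOG = """\
{"time":"2022-10-20T10:00:01Z","type":"request","request":{"id":"req-1","operation":"update","path":"kube1-etcd-ca/roles/kubernetes"}}
{"time":"2022-10-20T10:00:01Z","type":"response","request":{"id":"req-1","operation":"update","path":"kube1-etcd-ca/roles/kubernetes"},"response":{"mount_type":"pki"},"error":"placeholder: write rejected (constructed)"}
{"time":"2022-10-20T10:00:02Z","type":"request","request":{"id":"req-2","operation":"update","path":"kube1-etcd-ca/roles/kubernetes-client"}}
{"time":"2022-10-20T10:00:02Z","type":"response","request":{"id":"req-2","operation":"update","path":"kube1-etcd-ca/roles/kubernetes-client"},"response":{"mount_type":"pki"}}
{"time":"2022-10-20T10:00:03Z","type":"request","request":{"id":"req-3","operation":"list","path":"kube1-etcd-ca/roles/"}}
{"time":"2022-10-20T10:00:04Z","type":"request","request":{"id":"req-4","operation":"update","path":"kube1-etcd-ca/roles/kubernetes"}}
"""

if __name__ == "__main__":
    for role, attempts in role_write_outcomes(SAMPLE_AUDIT_LOG, "kube1-etcd-ca").items():
        for attempt in attempts:
            status = "OK" if attempt["ok"] else "FAILED: " + attempt["error"]
            print(f"{role}: {status}")
```

With a real log, feed the file contents in place of the sample and use the mount path shown by `vault list` (here `kube1-etcd-ca`); a role that only ever appears with errors or with no response is the one to investigate.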

Unfortunately I don’t know what happened, but after restarting vault while trying to enable audit from the configuration file (which I understand is actually not possible? That you have to do it only over the command line?), then reapplying terraform, it created the role. So there you go.
Thanks for the suggestion in any case.