I am using the hashicorp/vault provider 3.5.0, to setup a database secrets engine with mongodbatlas. The plan shows that it will set the private_key every time. Is this a problem with my TF code or a bug in the provider?

resource "vault_database_secret_backend_connection" "dev" {
  backend       = var.db_backend
  name          = var.connection_name
  allowed_roles = [for s in var.databases : lower(s)]

  mongodbatlas {
    public_key  = var.public_key
    private_key = var.private_key
    project_id  = var.project_id
  }
}

This appears to be a bug in terraform-provider-vault - it doesn’t seem to contain any code to account for Vault not returning sensitive values password and/or private_key when read back from a database connection, so Terraform thinks it needs to re-set them every time.

Thanks, I thought so, but there was boilerplate in gitlab telling me I should ask here. I cannot send our debug output, but I will file an issue anyhow.

This should be resolved with the upcoming terraform-vault-provider release v3.6.0.