Vault provider resource vault_aws_auth_backend_role does not honor role_tag for IAM Auth

This may ultimately be a Vault question, but I encountered it while using the Vault provider for Terraform, and the Terraform module certainly has a bug in that it either is missing functionality or does not return an error when it should. I’ve left out specific examples because they contain sensitive information, but tried to provide enough information that the problem could be easily reproduced from my explanation. If you require specific examples, I can try to put some together.

According to the documentation here, a role_tag can be assigned to a vault_aws_auth_backend_role if either the auth_type is set to ec2 or the inferred_entity_type is set to ec2_instance. The latter case is where I am having an issue. I assumed that the documentation meant that it would work if I set auth_type to iam and inferred_entity_type to ec2_instance, but I can clearly see in the source code that this is not the case.

The result of this is that when I try to run a terraform plan, it shows that the role resource will be created, and clearly shows that it will have the role_tag that I defined. However, once I run terraform apply and create the resource, and then check it through the Vault CLI with vault read auth/aws/..., it shows the role_tag as n/a. If I then go back to Terraform, run terraform refresh and terraform plan again, it shows now that the resource has been created, but an in-place update will happen to add the role_tag to the resource. Repeated terraform applies after this do not have any effect; it forever shows as to be changed until I remove it from my Terraform code.

I attempted to add the logic to the bits of source code that I linked above, and installed the provider locally to test it, but then I received this error from Vault when trying to run terraform apply:

* tried to enable role_tag when not using ec2 auth method

So, in conclusion, somewhere along the line here there is a problem. Either the documentation linked above is correct and Vault itself has a bug and needs to be configured to allow role_tags for iam auth roles when inferred_entity_type is set to ec2_instance (and then subsequently the Vault provider needs to be updated to honor this capability), or the documentation is wrong and needs to be updated, and subsequently the Vault provider needs to be updated to error out when a user attempts to do this rather than failing silently.
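The following is an added minimal reproduction of the behaviour described in this report; it is not configuration from the original poster or from the provider's own docs. The resource names, the IAM principal ARN, the AMI ID, the region, the policy name and the tag name are all assumed, and the `token_policies` attribute assumes a provider version that has it (older releases use `policies`).

```hcl
# Added example (not from the original report). All identifiers below are assumed.

provider "vault" {
  # Address and token are taken from VAULT_ADDR / VAULT_TOKEN in the environment.
}

resource "vault_auth_backend" "aws" {
  type = "aws"
}

# The case from the report: auth_type = "iam" with inferred_entity_type = "ec2_instance"
# and a role_tag. terraform plan shows the role_tag being set, terraform apply
# succeeds, but `vault read auth/aws/role/iam-inferred` shows role_tag as n/a,
# and every later plan proposes the same in-place update to add it again.
resource "vault_aws_auth_backend_role" "iam_inferred" {
  backend                  = vault_auth_backend.aws.path
  role                     = "iam-inferred"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:aws:iam::123456789012:role/app-instance"] # assumed
  inferred_entity_type     = "ec2_instance"
  inferred_aws_region      = "us-east-1" # assumed; required when inferring an EC2 entity
  role_tag                 = "VaultRole" # assumed tag name
  token_policies           = ["app"]     # assumed policy
}

# For comparison, the configuration Vault does accept a role_tag for: auth_type = "ec2".
# This is the case the Vault error in the report ("tried to enable role_tag when not
# using ec2 auth method") refers to.
resource "vault_aws_auth_backend_role" "ec2_tagged" {
  backend        = vault_auth_backend.aws.path
  role           = "ec2-tagged"
  auth_type      = "ec2"
  bound_ami_ids  = ["ami-0123456789abcdef0"] # assumed
  role_tag       = "VaultRole"
  token_policies = ["app"]
}
```

To reproduce: run `terraform apply`, then `vault read auth/aws/role/iam-inferred` (role_tag reads as n/a) and `terraform plan` again (the in-place update to set role_tag is proposed on every run). The `ec2_tagged` role is the configuration that Vault stores the role_tag for, which is what the error message quoted above describes.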