
Application Object Id can never be removed from role once it has been set #224

@archimeid

Description

Hi,

I've discovered what I assume is a bug concerning role property application_object_id. Once it has been set, it will never be removed from role during updates unless it is explicitly set to null or "".

In my opinion, application_object_id should be removed directly if not present in the payload.

I discovered this when using the Vault provider for Terraform. When switching one role from using an existing service principal to using Azure roles, in addition to using the property permanently_delete, I got the following error:

permanently_delete must be false if application_object_id is provided

The following code should handle the case where application_object_id is missing from the payload:

// update and verify Application Object ID if provided
if appObjectID, ok := d.GetOk("application_object_id"); ok {
    role.ApplicationObjectID = appObjectID.(string)
}
if role.ApplicationObjectID != "" {
    app, err := client.provider.GetApplication(ctx, role.ApplicationObjectID)
    if err != nil {
        return nil, fmt.Errorf("error loading Application: %w", err)
    }
    role.ApplicationID = app.AppID
    if role.PermanentlyDelete {
        return logical.ErrorResponse("permanently_delete must be false if application_object_id is provided"), nil
    }
}

Adding an else block like this should be effective:

if appObjectID, ok := d.GetOk("application_object_id"); ok {
    role.ApplicationObjectID = appObjectID.(string)
} else {
    role.ApplicationObjectID = ""
}
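The behaviour described in this issue, as an added, self-contained Go example that is not the plugin's own code: `Role`, `Payload` (a map-backed stand-in for the framework's `GetOk`), `constructedApps` (replacing the `GetApplication` call) and the object ID value are all constructed for illustration. `updateRoleRetaining` follows the quoted update logic; `updateRoleClearing` adds the proposed else branch. `SwitchToAzureRoles` replays the Terraform change from the issue (payload carries `azure_roles` and `permanently_delete` but no `application_object_id`) against each variant, so the stale-field error and the fix can be compared side by side.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a constructed stand-in for the plugin's role struct; only the
// fields the issue talks about are modelled.
type Role struct {
	ApplicationObjectID string
	ApplicationID       string
	AzureRoles          []string
	PermanentlyDelete   bool
}

// Payload stands in for the framework's FieldData. GetOk reports a key as
// present only when the caller actually sent it, which is the distinction
// the issue hinges on (a key set to "" is present; an omitted key is not).
type Payload map[string]interface{}

func (p Payload) GetOk(key string) (interface{}, bool) {
	v, ok := p[key]
	return v, ok
}

var errPermanentDelete = errors.New("permanently_delete must be false if application_object_id is provided")

// constructedApps replaces the client.provider.GetApplication call with a
// lookup table keyed by a made-up object ID.
var constructedApps = map[string]string{
	"11111111-1111-1111-1111-111111111111": "app-id-1",
}

// updateRoleRetaining mirrors the update path quoted in the issue: an omitted
// application_object_id leaves whatever was stored before in place.
func updateRoleRetaining(role Role, d Payload) (Role, error) {
	if v, ok := d.GetOk("application_object_id"); ok {
		role.ApplicationObjectID = v.(string)
	}
	return validate(role, d)
}

// updateRoleClearing adds the else branch proposed in the issue: an omitted
// key clears the stored value, so the role can move to Azure roles.
func updateRoleClearing(role Role, d Payload) (Role, error) {
	if v, ok := d.GetOk("application_object_id"); ok {
		role.ApplicationObjectID = v.(string)
	} else {
		role.ApplicationObjectID = ""
	}
	return validate(role, d)
}

// validate models the rest of the quoted snippet plus the two other fields
// the Terraform change sets in the same payload.
func validate(role Role, d Payload) (Role, error) {
	if v, ok := d.GetOk("azure_roles"); ok {
		role.AzureRoles = v.([]string)
	}
	if v, ok := d.GetOk("permanently_delete"); ok {
		role.PermanentlyDelete = v.(bool)
	}
	if role.ApplicationObjectID != "" {
		appID, found := constructedApps[role.ApplicationObjectID]
		if !found {
			return role, fmt.Errorf("error loading Application: %s not found", role.ApplicationObjectID)
		}
		role.ApplicationID = appID
		if role.PermanentlyDelete {
			return role, errPermanentDelete
		}
	}
	return role, nil
}

// SwitchToAzureRoles reproduces the Terraform flow from the issue: a role
// bound to an existing service principal is updated with azure_roles and
// permanently_delete=true while application_object_id is absent from the payload.
func SwitchToAzureRoles(update func(Role, Payload) (Role, error)) (Role, error) {
	existing := Role{
		ApplicationObjectID: "11111111-1111-1111-1111-111111111111", // constructed
		ApplicationID:       "app-id-1",
	}
	payload := Payload{
		"azure_roles":        []string{"Reader"},
		"permanently_delete": true,
	}
	return update(existing, payload)
}

func main() {
	if _, err := SwitchToAzureRoles(updateRoleRetaining); err != nil {
		fmt.Println("retaining:", err) // the error reported in the issue
	}
	r, err := SwitchToAzureRoles(updateRoleClearing)
	fmt.Printf("clearing: object_id=%q azure_roles=%v err=%v\n", r.ApplicationObjectID, r.AzureRoles, err)
}
```

The map-backed `GetOk` is a simplification of the framework's field handling, but it keeps the property that matters here: an explicit empty string counts as present and clears the field on both paths, while only the clearing variant treats an omitted key the same way.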
