hashicorp · benashz · Feb 25, 2022 · Feb 25, 2022 · Feb 25, 2022
@@ -1,8 +1,9 @@
 ## 3.3.1 (Unreleased)
 BUGS:
 * `resource/identity_group`: Report an error upon duplicate resource creation failure. Document group name caveats. ([#1352](https://github.com/hashicorp/terraform-provider-vault/pull/1352))
-* `resource/pki_secret_backend_root_sign_intermediate`: Fix panic when reading `ca_chain` from Vault ([#1357](https://github.com/hashicorp/terraform-provider-vault/issues/1357)
+* `resource/pki_secret_backend_root_sign_intermediate`: Fix panic when reading `ca_chain` from Vault ([#1357](https://github.com/hashicorp/terraform-provider-vault/issues/1357))
 * `resource/raft_snapshot_agent_config`: Properly handle nil response on read ([#1360](https://github.com/hashicorp/terraform-provider-vault/pull/1360))
+* `resource/identity_*`: Ensure non-existent entities are handled properly ([#1361](https://github.com/hashicorp/terraform-provider-vault/pull/1361))
 
 ## 3.3.0 (February 17, 2022)
 FEATURES:

@@ -170,20 +170,20 @@ func identityEntityRead(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 	id := d.Id()
 
+	log.Printf("[DEBUG] Read IdentityEntity %s", id)
 	resp, err := readIdentityEntity(client, id, d.IsNewResource())
 	if err != nil {
 		// We need to check if the secret_id has expired
-		if resp == nil && util.IsExpiredTokenErr(err) {
+		if util.IsExpiredTokenErr(err) {
 			return nil
 		}
-		return fmt.Errorf("error reading IdentityEntity %q: %s", id, err)
-	}
 
-	log.Printf("[DEBUG] Read IdentityEntity %s", id)
-	if resp == nil {
-		log.Printf("[WARN] IdentityEntity %q not found, removing from state", id)
-		d.SetId("")
-		return nil
+		if isIdentityNotFoundError(err) {
+			log.Printf("[WARN] IdentityEntity %q not found, removing from state", id)
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("error reading IdentityEntity %q: %w", id, err)
 	}
 
 	for _, k := range []string{"name", "metadata", "disabled", "policies"} {

@@ -97,16 +97,16 @@ func identityEntityPoliciesRead(d *schema.ResourceData, meta interface{}) error
 	client := meta.(*api.Client)
 	id := d.Id()
 
+	log.Printf("[DEBUG] Read IdentityEntityPolicies %s", id)
 	resp, err := readIdentityEntity(client, id, d.IsNewResource())
 	if err != nil {
+		if isIdentityNotFoundError(err) {
+			log.Printf("[WARN] IdentityEntityPolicies %q not found, removing from state", id)
+			d.SetId("")
+			return nil
+		}
 		return err
 	}
-	log.Printf("[DEBUG] Read IdentityEntityPolicies %s", id)
-	if resp == nil {
-		log.Printf("[WARN] IdentityEntityPolicies %q not found, removing from state", id)
-		d.SetId("")
-		return nil
-	}
 
 	d.Set("entity_id", id)
 	d.Set("entity_name", resp.Data["name"])
@@ -149,6 +149,9 @@ func identityEntityPoliciesDelete(d *schema.ResourceData, meta interface{}) erro
 	} else {
 		apiPolicies, err := readIdentityEntityPolicies(client, id)
 		if err != nil {
+			if isIdentityNotFoundError(err) {
+				return nil
+			}
 			return err
 		}
 		for _, policy := range d.Get("policies").(*schema.Set).List() {

@@ -230,20 +230,21 @@ func identityGroupRead(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 	id := d.Id()
 
+	log.Printf("[DEBUG] Read IdentityGroup %s", id)
 	resp, err := readIdentityGroup(client, id, d.IsNewResource())
 	if err != nil {
 		// We need to check if the secret_id has expired
 		if util.IsExpiredTokenErr(err) {
 			return nil
 		}
+
+		if isIdentityNotFoundError(err) {
+			log.Printf("[WARN] IdentityGroup %q not found, removing from state", id)
+			d.SetId("")
+			return nil
+		}
 		return fmt.Errorf("error reading IdentityGroup %q: %s", id, err)
 	}
-	log.Printf("[DEBUG] Read IdentityGroup %s", id)
-	if resp == nil {
-		log.Printf("[WARN] IdentityGroup %q not found, removing from state", id)
-		d.SetId("")
-		return nil
-	}
 
 	readFields := []string{"name", "type", "metadata", "member_entity_ids", "member_group_ids", "policies"}
 
@@ -319,9 +320,6 @@ func readIdentityGroupMemberEntityIds(client *api.Client, groupID string, retry
 	if err != nil {
 		return nil, err
 	}
-	if resp == nil {
-		return nil, fmt.Errorf("error IdentityGroup %s does not exist", groupID)
-	}
 
 	if v, ok := resp.Data["member_entity_ids"]; ok && v != nil {
 		return v.([]interface{}), nil

@@ -97,19 +97,23 @@ func identityGroupPoliciesRead(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 	id := d.Id()
 
+	log.Printf("[DEBUG] Read IdentityGroupPolicies %s", id)
 	resp, err := readIdentityGroup(client, id, d.IsNewResource())
 	if err != nil {
+		if isIdentityNotFoundError(err) {
+			log.Printf("[WARN] IdentityGroupPolicies %q not found, removing from state", id)
+			d.SetId("")
+			return nil
+		}
 		return err
 	}
-	log.Printf("[DEBUG] Read IdentityGroupPolicies %s", id)
-	if resp == nil {
-		log.Printf("[WARN] IdentityGroupPolicies %q not found, removing from state", id)
-		d.SetId("")
-		return nil
-	}
 
-	d.Set("group_id", id)
-	d.Set("group_name", resp.Data["name"])
+	if err := d.Set("group_id", id); err != nil {
+		return err
+	}
+	if err := d.Set("group_name", resp.Data["name"]); err != nil {
+		return err
+	}
 
 	if d.Get("exclusive").(bool) {
 		if err = d.Set("policies", resp.Data["policies"]); err != nil {