Pulumi reports vault.azure.BackendRole always has changes #231

Open
dgivens opened this issue Apr 11, 2023 · 2 comments
Labels: bug/diff (kind/bug related to Pulumi generating wrong diffs on preview or up), kind/bug (Some behavior is incorrect or out of spec)

dgivens commented Apr 11, 2023

What happened?

Pulumi always reports changes for vault.azure.BackendRole resources even when no changes have been made.

~ vault:azure/backendRole:BackendRole: (update)
    [id=azure/roles/mgmt-reader]
    [urn=urn:pulumi:hashistack.dev::hashistack::vault:azure/backendRole:BackendRole::mgmt-reader]
    [provider=urn:pulumi:hashistack.dev::hashistack::pulumi:providers:vault::default_5_10_0::0a3911b0-f18a-49fa-ab4c-f043f1d1fd19]
  ~ azureRoles: [
      ~ [0]: {
              + roleName: [secret]
              ~ scope   : [secret] => [secret]
            }
    ]

Expected Behavior

Pulumi should not attempt to make changes when they are unnecessary.

Steps to reproduce

Something like the following should work, with mgmtScope being either a subscription or management group.

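import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Stack configuration that holds the azurePlatform secret object.
const config = new pulumi.Config();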

interface AzurePlatformConfig {
  clientId: string;
  clientSecret: string;
  subscriptionId: string;
  tenantId: string;
  mgmtScope: string;
}

const platformConfig =
  config.requireSecretObject<AzurePlatformConfig>("azurePlatform");

const platformBackend = new vault.azure.Backend(
  "azure",
  {
    path: "azure",
    clientId: platformConfig.clientId,
    clientSecret: platformConfig.clientSecret,
    subscriptionId: platformConfig.subscriptionId,
    tenantId: platformConfig.tenantId,
    useMicrosoftGraphApi: true,
  },
  {
    ignoreChanges: ["clientSecret"],
    deleteBeforeReplace: true,
  }
);

new vault.azure.BackendRole(
  "mgmt-reader",
  {
    backend: platformBackend.path.apply((p) => p!),
    role: "mgmt-reader",
    ttl: "3600",
    maxTtl: "86400",
    azureRoles: [
      {
        roleName: "Reader",
        scope: platformConfig.mgmtScope,
      },
    ],
  }
);

Output of pulumi about

CLI
Version      3.62.0
Go Version   go1.20.2
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.35.0
consul  3.8.0
gcp     6.53.0
nodejs  unknown
vault   5.10.0

Host
OS       ubuntu
Version  20.04
Arch     x86_64

This project is written in nodejs: executable='/home/esdev/.nvm/versions/node/v18.9.1/bin/node' version='v18.9.1'

<removed resources>

Found no pending operations associated with hashistack.dev

Backend
Name           esdev
URL            s3://<redacted>?region=<redacted>&awssdk=2&profile=<redacted>
User           esdev
Organizations

Dependencies:
NAME                              VERSION
@pulumi/aws                       5.35.0
@pulumi/consul                    3.8.0
@pulumi/gcp                       6.53.0
@pulumi/pulumi                    3.62.0
@pulumi/vault                     5.10.0
@types/mustache                   4.2.2
mustache                          4.2.0
@types/node                       17.0.23
@typescript-eslint/eslint-plugin  5.58.0
@typescript-eslint/parser         5.58.0
eslint                            8.38.0
eslint-config-prettier            8.8.0
prettier                          2.8.7
typescript                        4.9.4

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

dgivens added the kind/bug and needs-triage labels Apr 11, 2023
jazzyfresh removed the needs-triage label Apr 14, 2023
jazzyfresh commented

Thank you for reporting this! This has been added to our project board.

aq17 commented Jun 20, 2023

@t0yv0 looks like an instance of pulumi/pulumi-terraform-bridge#866?

t0yv0 added the bug/diff label Jul 7, 2023