vault_gcp_secret_roleset doesn't reflect service_account_email change #469

Closed
DaveDeCaprio opened this issue Jul 17, 2019 · 1 comment · Fixed by #476
Comments

@DaveDeCaprio

I'm using the vault 2.1.0 provider and having an issue with the resource not updating properly.

I'm using the following resource configuration to set up service account access:

resource "vault_gcp_secret_roleset" "role" {
  backend      = "gcp"
  roleset      = "role"
  secret_type  = "access_token"
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  project      = data.google_project.terraform.project_id

  binding {
    resource = data.google_folder.details.name

    roles = [
      "roles/compute.osAdminLogin",
      "roles/storage.objectViewer",
      "roles/iam.serviceAccountUser",
    ]
  }
}

Actual Behavior

If I add a new role to the roles list (example "roles/compute.viewer"), the resource correctly updates and adds the role, but in the process it recreates the service account email. The terraform plan doesn't indicate that the email will change, and other resources that depend on the output value of the service_account_email don't update.

Expected Behavior

Either the role should be updated without changing the email, or the plan should note that the email will change and dependent resources should update.
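What this bug leaves behind, in practice, is Terraform state that still records the old service account email while Vault has already issued a new one, so any IAM grant that was wired to `service_account_email` now points at a principal that no longer exists and the new principal has no grants at all. The following drift check is an added example written for this thread; it is not part of the Vault provider, the Vault CLI, or either commenter's code. It assumes the JSON shapes produced by `terraform show -json` and `vault read -format=json gcp/roleset/<name>` (both samples below are constructed, with made-up project, folder and email values), and that the roleset lives in the root module under the address `vault_gcp_secret_roleset.role`.

```python
import json

# Constructed sample of `terraform show -json` output, trimmed to the fields
# the check uses. The IAM member was created from the roleset's
# service_account_email output at the time of the last apply.
TF_STATE_JSON = """
{
  "format_version": "0.1",
  "values": {
    "root_module": {
      "resources": [
        {
          "address": "vault_gcp_secret_roleset.role",
          "type": "vault_gcp_secret_roleset",
          "values": {
            "backend": "gcp",
            "roleset": "role",
            "service_account_email": "vaultrole-1563380000@my-project.iam.gserviceaccount.com"
          }
        },
        {
          "address": "google_storage_bucket_iam_member.reader",
          "type": "google_storage_bucket_iam_member",
          "values": {
            "bucket": "example-bucket",
            "role": "roles/storage.objectViewer",
            "member": "serviceAccount:vaultrole-1563380000@my-project.iam.gserviceaccount.com"
          }
        }
      ]
    }
  }
}
"""

# Constructed sample of `vault read -format=json gcp/roleset/role` taken after
# the binding was changed: Vault recreated the service account, so the email
# no longer matches what Terraform state recorded.
VAULT_READ_JSON = """
{
  "data": {
    "bindings": {"//cloudresourcemanager.googleapis.com/folders/123456789": ["roles/compute.viewer"]},
    "project": "my-project",
    "secret_type": "access_token",
    "service_account_email": "vaultrole-1564140000@my-project.iam.gserviceaccount.com"
  }
}
"""

ROLESET_ADDRESS = "vault_gcp_secret_roleset.role"  # assumed address of the roleset resource


def root_resources(state_json):
    """Resources of the root module from `terraform show -json` output."""
    return json.loads(state_json)["values"]["root_module"]["resources"]


def roleset_email_from_state(state_json, address=ROLESET_ADDRESS):
    """service_account_email as Terraform last recorded it for the roleset."""
    for res in root_resources(state_json):
        if res["address"] == address:
            return res["values"]["service_account_email"]
    raise KeyError("roleset %s not found in state" % address)


def roleset_email_from_vault(read_json):
    """service_account_email as Vault reports it right now."""
    return json.loads(read_json)["data"]["service_account_email"]


def stale_dependents(state_json, old_email):
    """Addresses of non-roleset resources whose attributes still carry old_email."""
    stale = []
    for res in root_resources(state_json):
        if res["type"] == "vault_gcp_secret_roleset":
            continue
        # Serialize the attribute map so nested strings are covered too.
        if old_email in json.dumps(res["values"]):
            stale.append(res["address"])
    return stale


def check_drift(state_json, read_json, address=ROLESET_ADDRESS):
    """Compare state vs. live Vault; list dependents that need to be re-applied."""
    state_email = roleset_email_from_state(state_json, address)
    live_email = roleset_email_from_vault(read_json)
    drifted = state_email != live_email
    return {
        "drifted": drifted,
        "state_email": state_email,
        "live_email": live_email,
        "stale_dependents": stale_dependents(state_json, state_email) if drifted else [],
    }


if __name__ == "__main__":
    result = check_drift(TF_STATE_JSON, VAULT_READ_JSON)
    if result["drifted"]:
        print("roleset service account changed: %s -> %s"
              % (result["state_email"], result["live_email"]))
        for addr in result["stale_dependents"]:
            print("  still bound to the old principal: %s" % addr)
            print("    terraform apply -replace=%s" % addr)
    else:
        print("state and Vault agree on %s" % result["live_email"])
```

Run it against real output by piping `terraform show -json` and `vault read -format=json gcp/roleset/role` into the two constants. Each address it reports is a grant that still names the deleted service account; forcing those resources to be replaced (`terraform apply -replace=<address>`, or `terraform taint` on older Terraform) makes the next plan pick up the new email. The same check works for any roleset whose email Terraform consumes, not only the storage grant in the sample.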

@lawliet89
Contributor

lawliet89 commented Jul 26, 2019

I tried to fix this in #476 but I ran into https://github.com/hashicorp/terraform/issues/17411#issuecomment-515314101 and it's causing a permanent diff in plans.

I'll see if I can work around it.

Edit: Worked around the bug. #476 should fix this.
