Ensure all mount errors are covered (#2289)

* CI: Test against vault enterprise 1.17.1 and bump other versions
* Build: Add support running tests using gotestsum
* CI: Drop 1.11.12-ent

.github/workflows/build.yml

@@ -63,12 +63,12 @@ jobs:
       fail-fast: false
       matrix:
         image:
-        - "vault-enterprise:1.11.12-ent"
         - "vault-enterprise:1.12.11-ent"
         - "vault-enterprise:1.13.13-ent"
-        - "vault-enterprise:1.14.12-ent"
-        - "vault-enterprise:1.15.8-ent"
-        - "vault-enterprise:1.16.2-ent"
+        - "vault-enterprise:1.14.13-ent"
+        - "vault-enterprise:1.15.11-ent"
+        - "vault-enterprise:1.16.5-ent"
+        - "vault-enterprise:1.17.1-ent"
         - "vault:latest"
     services:
       vault:

Makefile

@@ -17,12 +17,21 @@ build: go-version-check fmtcheck
 test: go-version-check fmtcheck
 	TF_ACC= VAULT_TOKEN= go test $(TESTARGS) -timeout 10m $(TEST_PATH)
 
+testsum: go-version-check fmtcheck
+	TF_ACC= VAULT_TOKEN= gotestsum $(TEST_PATH) $(TESTARGS) -test.timeout 10m
+
 testacc: fmtcheck
 	TF_ACC=1 go test $(TESTARGS) -timeout 30m $(TEST_PATH)
 
+testaccsum: fmtcheck
+	TF_ACC=1 gotestsum $(TEST_PATH) $(TESTARGS) -timeout 30m
+
 testacc-ent:
 	make testacc TF_ACC_ENTERPRISE=1
 
+testaccsum-ent:
+	make testaccsum TF_ACC_ENTERPRISE=1
+
 dev: go-version-check fmtcheck
 	go build -o terraform-provider-vault
 	mv terraform-provider-vault ~/.terraform.d/plugins/
@@ -71,4 +80,4 @@ ifeq (,$(wildcard $(GOPATH)/src/$(WEBSITE_REPO)))
 endif
 	@$(MAKE) -C $(GOPATH)/src/$(WEBSITE_REPO) website-provider-test PROVIDER_PATH=$(shell pwd) PROVIDER_NAME=$(PKG_NAME)
 
-.PHONY: build test testacc testacc-ent vet fmt fmtcheck errcheck test-compile website website-test go-version-check
+.PHONY: build test testacc testacc-ent vet fmt fmtcheck errcheck test-compile website website-test go-version-check testaccsum testaccsum-ent

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.5.0
+	github.com/stretchr/testify v1.9.0
 	golang.org/x/crypto v0.23.0
 	golang.org/x/net v0.25.0
 	golang.org/x/oauth2 v0.18.0
@@ -148,7 +149,6 @@ require (
 	github.com/sasha-s/go-deadlock v0.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sony/gobreaker v0.5.0 // indirect
-	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect

util/mountutil/mountutil.go

@@ -6,17 +6,18 @@ package mountutil
 import (
 	"context"
 	"errors"
-	"fmt"
+	"net/http"
 	"strings"
 
-	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/vault/api"
+
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 )
 
 // Error strings that are returned by the Vault API.
 const (
-	ErrVaultSecretMountNotFound = "No secret engine mount at"
-	ErrVaultAuthMountNotFound   = "No auth engine at"
+	VaultSecretMountNotFoundErrMsg = "No secret engine mount at"
+	VaultAuthMountNotFoundErrMsg   = "No auth engine at"
 )
 
 // Error strings that are used internally by TFVP
@@ -28,40 +29,24 @@ var (
 
 // GetMount will fetch the secret mount at the given path.
 func GetMount(ctx context.Context, client *api.Client, path string) (*api.MountOutput, error) {
-	mount, err := client.Sys().GetMountWithContext(ctx, path)
-	// Hardcoding the error string check is not ideal, but Vault does not
-	// return 404 in this case
-	if err != nil && strings.Contains(err.Error(), ErrVaultSecretMountNotFound) {
-		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
+	if resp, err := client.Sys().GetMountWithContext(ctx, path); err != nil {
+		return nil, err
+	} else if resp == nil {
+		return nil, ErrMountNotFound
+	} else {
+		return resp, nil
 	}
-	// some other error occured, like 403, etc.
-	if err != nil {
-		return nil, fmt.Errorf("error reading from Vault: %s", err)
-	}
-	// no error but no mount either, so return not found
-	if mount == nil {
-		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
-	}
-	return mount, nil
 }
 
 // GetAuthMount will fetch the auth mount at the given path.
 func GetAuthMount(ctx context.Context, client *api.Client, path string) (*api.MountOutput, error) {
-	mount, err := client.Sys().GetAuthWithContext(ctx, path)
-	// Hardcoding the error string check is not ideal, but Vault does not
-	// return 404 in this case
-	if err != nil && strings.Contains(err.Error(), ErrVaultAuthMountNotFound) {
-		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
+	if resp, err := client.Sys().GetAuthWithContext(ctx, path); err != nil {
+		return nil, err
+	} else if resp == nil {
+		return nil, ErrMountNotFound
+	} else {
+		return resp, nil
 	}
-	// some other error occured, like 403, etc.
-	if err != nil {
-		return nil, fmt.Errorf("error reading from Vault: %s", err)
-	}
-	// no error but no mount either, so return not found
-	if mount == nil {
-		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
-	}
-	return mount, nil
 }
 
 // NormalizeMountPath to be in a form valid for accessing values from api.MountOutput
@@ -74,21 +59,40 @@ func TrimSlashes(path string) string {
 	return strings.Trim(path, consts.PathDelim)
 }
 
-// CheckMountEnabledWithContext in Vault
-func CheckMountEnabledWithContext(ctx context.Context, client *api.Client, path string) (bool, error) {
-	_, err := GetMount(ctx, client, path)
-	if errors.Is(err, ErrMountNotFound) {
-		return false, err
-	}
-
-	if err != nil {
+// CheckMountEnabled in Vault
+func CheckMountEnabled(ctx context.Context, client *api.Client, path string) (bool, error) {
+	if _, err := GetMount(ctx, client, path); err != nil {
+		if IsMountNotFoundError(err) {
+			return false, nil
+		}
 		return false, err
 	}
 
 	return true, nil
 }
 
-// CheckMountEnabled in Vault
-func CheckMountEnabled(client *api.Client, path string) (bool, error) {
-	return CheckMountEnabledWithContext(context.Background(), client, path)
+// IsMountNotFoundError returns true if error is a mount not found error.
+func IsMountNotFoundError(err error) bool {
+	var respErr *api.ResponseError
+	if errors.As(err, &respErr) && respErr != nil {
+		if respErr.StatusCode == http.StatusNotFound {
+			return true
+		}
+		if respErr.StatusCode == http.StatusBadRequest {
+			for _, e := range respErr.Errors {
+				if strings.Contains(e, VaultSecretMountNotFoundErrMsg) {
+					return true
+				}
+				if strings.Contains(e, VaultAuthMountNotFoundErrMsg) {
+					return true
+				}
+			}
+		}
+	}
+
+	if errors.Is(err, ErrMountNotFound) {
+		return true
+	}
+
+	return false
 }

util/mountutil/mountutil_test.go

@@ -0,0 +1,99 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package mountutil
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsMountNotFoundError(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name string
+		err  error
+		want bool
+	}{
+		{
+			name: "with-err-mount-not-found",
+			err:  ErrMountNotFound,
+			want: true,
+		},
+		{
+			name: "with-response-error-no-secret-engine-mount",
+			err: &api.ResponseError{
+				StatusCode: http.StatusBadRequest,
+				Errors: []string{
+					"No secret engine mount at auth/operator/",
+				},
+			},
+			want: true,
+		},
+		{
+			name: "with-response-error-no-auth-engine-mount",
+			err: &api.ResponseError{
+				StatusCode: http.StatusBadRequest,
+				Errors: []string{
+					"No auth engine at auth/operator/",
+				},
+			},
+			want: true,
+		},
+		{
+			name: "with-response-error-both",
+			err: &api.ResponseError{
+				StatusCode: http.StatusBadRequest,
+				Errors: []string{
+					"No secret engine mount at auth/operator/",
+					"No auth engine at auth/operator/",
+				},
+			},
+			want: true,
+		},
+		{
+			name: "with-response-error-others",
+			err: &api.ResponseError{
+				StatusCode: http.StatusBadRequest,
+				Errors: []string{
+					"Some other error",
+					"No auth engine at auth/operator/",
+				},
+			},
+			want: true,
+		},
+		{
+			name: "with-not-found-status-code",
+			err: &api.ResponseError{
+				StatusCode: http.StatusNotFound,
+				Errors: []string{
+					"some error",
+				},
+			},
+			want: true,
+		},
+		{
+			name: "with-response-error-canary",
+			err: &api.ResponseError{
+				StatusCode: http.StatusBadRequest,
+				Errors: []string{
+					"secret engine mount",
+				},
+			},
+			want: false,
+		},
+		{
+			name: "with-nil-error",
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, IsMountNotFoundError(tt.err), "IsMountNotFoundError(%v)", tt.err)
+		})
+	}
+}

vault/resource_ad_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -344,14 +343,14 @@ func readConfigResource(d *schema.ResourceData, meta interface{}) error {
 	path := d.Id()
 	log.Printf("[DEBUG] Reading %q", path)
 
-	mount, err := mountutil.GetMount(context.Background(), client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
+	ctx := context.Background()
+	mount, err := mountutil.GetMount(ctx, client, path)
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return err
 	}
 

vault/resource_auth_backend.go

@@ -5,17 +5,16 @@ package vault
 
 import (
 	"context"
-	"errors"
-
 	"log"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/vault/api"
+
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
 	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
-	"github.com/hashicorp/vault/api"
 )
 
 func AuthBackendResource() *schema.Resource {
@@ -145,13 +144,12 @@ func authBackendRead(ctx context.Context, d *schema.ResourceData, meta interface
 	path := d.Id()
 
 	mount, err := mountutil.GetAuthMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 
@@ -171,9 +169,9 @@ func authBackendRead(ctx context.Context, d *schema.ResourceData, meta interface
 		return diag.FromErr(err)
 	}
 	// TODO: uncomment when identity token key is being returned on the read mount endpoint
-	//if err := d.Set(consts.FieldIdentityTokenKey, mount.Config.IdentityTokenKey); err != nil {
+	// if err := d.Set(consts.FieldIdentityTokenKey, mount.Config.IdentityTokenKey); err != nil {
 	//	return diag.FromErr(err)
-	//}
+	// }
 
 	return nil
 }

vault/resource_aws_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -256,13 +255,12 @@ func awsSecretBackendRead(ctx context.Context, d *schema.ResourceData, meta inte
 	log.Printf("[DEBUG] Reading AWS backend mount %q from Vault", path)
 
 	mount, err := mountutil.GetMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_azure_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -166,13 +165,12 @@ func azureSecretBackendRead(ctx context.Context, d *schema.ResourceData, meta in
 	log.Printf("[DEBUG] Reading Azure backend mount %q from Vault", path)
 
 	mount, err := mountutil.GetMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_consul_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -201,13 +200,12 @@ func consulSecretBackendRead(ctx context.Context, d *schema.ResourceData, meta i
 	log.Printf("[DEBUG] Reading Consul backend mount %q from Vault", path)
 
 	mount, err := mountutil.GetMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_gcp_auth_backend.go

@@ -6,7 +6,6 @@ package vault
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -383,13 +382,12 @@ func gcpAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta interf
 	}
 
 	mount, err := mountutil.GetAuthMount(ctx, client, gcpPath)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", gcpPath)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", gcpPath)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_gcp_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -197,13 +196,12 @@ func gcpSecretBackendRead(ctx context.Context, d *schema.ResourceData, meta inte
 	log.Printf("[DEBUG] Reading GCP backend mount %q from Vault", path)
 
 	mount, err := mountutil.GetMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_github_auth_backend.go

@@ -5,18 +5,17 @@ package vault
 
 import (
 	"context"
-	"errors"
-
 	"log"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/vault/api"
+
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
 	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
-	"github.com/hashicorp/vault/api"
 )
 
 func githubAuthBackendResource() *schema.Resource {
@@ -183,14 +182,13 @@ func githubAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta int
 	configPath := path + "/config"
 
 	log.Printf("[DEBUG] Reading github auth mount from '%q'", path)
-	mount, err := mountutil.GetAuthMount(context.Background(), client, d.Id())
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
+	mount, err := mountutil.GetAuthMount(ctx, client, d.Id())
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_jwt_auth_backend.go

@@ -7,18 +7,18 @@ import (
 	"context"
 	"errors"
 	"fmt"
-
 	"log"
 	"strconv"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/hashicorp/vault/api"
+
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
 	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
-	"github.com/hashicorp/vault/api"
 )
 
 func jwtAuthBackendResource() *schema.Resource {
@@ -276,14 +276,13 @@ func jwtAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta interf
 	}
 	d.Set("path", path)
 
-	mount, err := mountutil.GetAuthMount(context.Background(), client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
+	mount, err := mountutil.GetAuthMount(ctx, client, path)
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_kmip_secret_backend.go

@@ -4,6 +4,7 @@
 package vault
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"time"
@@ -157,6 +158,7 @@ func kmipSecretBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 			return fmt.Errorf("error remounting in Vault: %s", err)
 		}
 
+		ctx := context.Background()
 		// There is something similar in resource_mount.go, but in the call to TuneMount().
 		var tries int
 		for {
@@ -165,7 +167,7 @@ func kmipSecretBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 					"mount %q did did not become available after %d tries, interval=1s", dest, tries)
 			}
 
-			enabled, err := mountutil.CheckMountEnabled(client, dest)
+			enabled, err := mountutil.CheckMountEnabled(ctx, client, dest)
 			if err != nil {
 				return err
 			}

vault/resource_ldap_auth_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"log"
 	"strings"
 
@@ -319,21 +318,20 @@ func ldapAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta inter
 
 	path := d.Id()
 
-	authMount, err := mountutil.GetAuthMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
+	mount, err := mountutil.GetAuthMount(ctx, client, path)
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 
 	d.Set(consts.FieldPath, path)
-	d.Set(consts.FieldDescription, authMount.Description)
-	d.Set(consts.FieldAccessor, authMount.Accessor)
-	d.Set(consts.FieldLocal, authMount.Local)
+	d.Set(consts.FieldDescription, mount.Description)
+	d.Set(consts.FieldAccessor, mount.Accessor)
+	d.Set(consts.FieldLocal, mount.Local)
 
 	path = ldapAuthBackendConfigPath(path)
 

vault/resource_mount.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"time"
@@ -383,14 +382,14 @@ func readMount(d *schema.ResourceData, meta interface{}, excludeType bool) error
 
 	log.Printf("[DEBUG] Reading mount %s from Vault", path)
 
-	mount, err := mountutil.GetMount(context.Background(), client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
+	ctx := context.Background()
+	mount, err := mountutil.GetMount(ctx, client, path)
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return err
 	}
 
@@ -457,9 +456,9 @@ func readMount(d *schema.ResourceData, meta interface{}, excludeType bool) error
 	}
 
 	// @TODO add this back in when Vault 1.16.3 is released
-	//if err := d.Set(consts.FieldDelegatedAuthAccessors, mount.Config.DelegatedAuthAccessors); err != nil {
+	// if err := d.Set(consts.FieldDelegatedAuthAccessors, mount.Config.DelegatedAuthAccessors); err != nil {
 	//	return err
-	//}
+	// }
 	if err := d.Set(consts.FieldListingVisibility, mount.Config.ListingVisibility); err != nil {
 		return err
 	}

vault/resource_nomad_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -201,14 +200,14 @@ func readNomadAccessConfigResource(d *schema.ResourceData, meta interface{}) err
 	path := d.Id()
 	log.Printf("[DEBUG] Reading %q", path)
 
-	mount, err := mountutil.GetMount(context.Background(), client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
+	ctx := context.Background()
+	mount, err := mountutil.GetMount(ctx, client, path)
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return err
 	}
 

vault/resource_okta_auth_backend.go

@@ -315,13 +315,12 @@ func oktaAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta inter
 	log.Printf("[DEBUG] Reading auth %s from Vault", path)
 
 	mount, err := mountutil.GetAuthMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_pki_secret_backend_cert.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -336,13 +335,12 @@ func pkiSecretBackendCertRead(ctx context.Context, d *schema.ResourceData, meta
 	path := d.Get(consts.FieldBackend).(string)
 
 	_, err := mountutil.GetMount(ctx, client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return diag.FromErr(err)
 	}
 

vault/resource_rabbitmq_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -155,14 +154,14 @@ func rabbitMQSecretBackendRead(d *schema.ResourceData, meta interface{}) error {
 	path := d.Id()
 
 	log.Printf("[DEBUG] Reading RabbitMQ secret backend mount %q from Vault", path)
-	mount, err := mountutil.GetMount(context.Background(), client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", path)
-		d.SetId("")
-		return nil
-	}
-
+	ctx := context.Background()
+	mount, err := mountutil.GetMount(ctx, client, path)
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", path)
+			d.SetId("")
+			return nil
+		}
 		return err
 	}
 
@@ -249,12 +248,12 @@ func rabbitMQSecretBackendExists(d *schema.ResourceData, meta interface{}) (bool
 	path := d.Id()
 	log.Printf("[DEBUG] Checking if RabbitMQ backend exists at %q", path)
 
-	_, err := mountutil.GetMount(context.Background(), client, path)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		return false, nil
-	}
+	if _, err := mountutil.GetMount(context.Background(), client, path); err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			return false, nil
+		}
 
-	if err != nil {
+		// TODO: returning true here is probably wrong. We should move existence checks to the Read function.
 		return true, err
 	}
 

vault/resource_secrets_sync_association.go

@@ -6,7 +6,6 @@ package vault
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"log"
 	"regexp"
@@ -251,11 +250,10 @@ func getMountAccessor(ctx context.Context, d *schema.ResourceData, meta interfac
 	log.Printf("[DEBUG] Reading mount %s from Vault", mount)
 
 	m, err := mountutil.GetMount(ctx, client, mount)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		return "", fmt.Errorf("expected mount at %s; no mount found", mount)
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			return "", fmt.Errorf("expected mount at %s; no mount found: %w", mount, err)
+		}
 		return "", err
 	}
 

vault/resource_terraform_cloud_secret_backend.go

@@ -5,7 +5,6 @@ package vault
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -150,14 +149,14 @@ func terraformCloudSecretBackendRead(d *schema.ResourceData, meta interface{}) e
 
 	log.Printf("[DEBUG] Reading Terraform Cloud backend mount %q from Vault", backend)
 
-	mount, err := mountutil.GetMount(context.Background(), client, backend)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		log.Printf("[WARN] Mount %q not found, removing from state.", backend)
-		d.SetId("")
-		return nil
-	}
-
+	ctx := context.Background()
+	mount, err := mountutil.GetMount(ctx, client, backend)
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			log.Printf("[WARN] Mount %q not found, removing from state.", backend)
+			d.SetId("")
+			return nil
+		}
 		return err
 	}
 
@@ -257,11 +256,11 @@ func terraformCloudSecretBackendExists(d *schema.ResourceData, meta interface{})
 	log.Printf("[DEBUG] Checking if Terraform Cloud backend exists at %q", backend)
 
 	_, err := mountutil.GetMount(context.Background(), client, backend)
-	if errors.Is(err, mountutil.ErrMountNotFound) {
-		return false, nil
-	}
-
 	if err != nil {
+		if mountutil.IsMountNotFoundError(err) {
+			return false, nil
+		}
+
 		return true, fmt.Errorf("error retrieving list of mounts: %s", err)
 	}