Update vault_identity_entity to exclude policies from Vault request if external_policies = true. #1950

Merged
merged 2 commits into from
Jul 25, 2023

@ian-d ian-d commented Jul 24, 2023

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #1942

Release note for CHANGELOG:

Updates vault_identity_entity to ensure externally managed policies are unchanged if external_policies = true

Output from acceptance testing:

$ make testacc TESTARGS='-test.run TestAccIdentityEntity'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -test.run TestAccIdentityEntity -timeout 30m ./...
?   	github.com/hashicorp/terraform-provider-vault	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/coverage	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/generate	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/codegen	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/generated	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/decode	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/encode	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/alphabet	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/role	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/template	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/transformation	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/helper	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/consts	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/internal/identity/entity	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/group	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/mfa	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/pki	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/internal/provider	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/schema	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/testutil	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/util	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/vault	611.600s

As an additional note / maybe a needed change, the acceptance test was added to resource_identity_entity_policies_test.go because the symptoms of the underlying error were already being tested there as part of the testAccIdentityEntityPoliciesCheckLogical check. I'm not sure it's the most natural place for the tests but it is the simplest.

With the updated test but before the change to vault_identity_entity you'd get this, which reflects the problem described in #1942:

2023/07/24 12:49:57 [INFO] Using Vault token with the following policies: root
--- FAIL: TestAccIdentityEntityPoliciesNonExclusive (63.73s)
    resource_identity_entity_policies_test.go:48: Step 3/3 error: Check failed: Check 1/5 error: expected entity 74be4bbd-193a-e262-1f3b-e29d790da279 to have 2 policies, has 0
FAIL
FAIL	github.com/hashicorp/terraform-provider-vault/vault	115.320s
FAIL
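
An added Go sketch of the failure mode this pull request addresses; it is not code from the pull request or from the provider. The in-memory `entityStore`, the `buildUpdate` helper, the field names and the assumption that a write replaces only the fields present in the request body are all hypothetical, chosen to reproduce the "has 0" symptom quoted above.

```go
package main

import "fmt"

// entityStore is a constructed in-memory stand-in for Vault's identity store.
// Assumption: a write replaces only the fields present in the request body.
type entityStore map[string]map[string]interface{}

func (s entityStore) write(id string, body map[string]interface{}) {
	if s[id] == nil {
		s[id] = map[string]interface{}{}
	}
	for k, v := range body {
		s[id][k] = v
	}
}

// entityConfig holds the resource arguments relevant here (names illustrative).
type entityConfig struct {
	Name             string
	Policies         []string
	ExternalPolicies bool
}

// buildUpdate is a hypothetical helper that builds the update request body.
// omitExternal=false always sends "policies" (the behaviour behind #1942);
// omitExternal=true leaves the key out when external_policies = true.
func buildUpdate(c entityConfig, omitExternal bool) map[string]interface{} {
	body := map[string]interface{}{"name": c.Name}
	if omitExternal && c.ExternalPolicies {
		return body
	}
	body["policies"] = append([]string{}, c.Policies...)
	return body
}

// policiesAfterUpdate seeds an entity with two policies attached out of band,
// applies one unrelated update (a rename) and returns the policies that remain.
func policiesAfterUpdate(omitExternal bool) []string {
	s := entityStore{}
	s.write("e1", map[string]interface{}{"name": "svc", "policies": []string{"dev", "test"}})
	s.write("e1", buildUpdate(entityConfig{Name: "svc-renamed", ExternalPolicies: true}, omitExternal))
	p, _ := s["e1"]["policies"].([]string)
	return p
}

func main() {
	fmt.Println("policies always sent:", policiesAfterUpdate(false))
	fmt.Println("policies omitted:    ", policiesAfterUpdate(true))
}
```

The first call ends with an empty policy list because the empty `policies` value in the request overwrites the externally attached ones; the second keeps both.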

hashicorp-cla commented Jul 24, 2023

CLA assistant check
All committers have signed the CLA.

@fairclothjm fairclothjm left a comment

Thanks!

@fairclothjm fairclothjm added this to the 3.19.0 milestone Jul 25, 2023
@fairclothjm fairclothjm merged commit 9669daa into hashicorp:main Jul 25, 2023
Successfully merging this pull request may close these issues.

vault_identity_entity drops all policies on update if external_policies = true