From c01b993bd3d0a0502d277f1405a1bb6a47c7e5c8 Mon Sep 17 00:00:00 2001
From: Nick Cabatoff <ncabatoff@hashicorp.com>
Date: Tue, 23 Nov 2021 12:13:47 -0500
Subject: [PATCH] Fix regression in returning empty value for approle cidrlist.
 (#13235)

---
 builtin/credential/approle/validation.go | 5 +++++
 changelog/13235.txt                      | 3 +++
 2 files changed, 8 insertions(+)
 create mode 100644 changelog/13235.txt

diff --git a/builtin/credential/approle/validation.go b/builtin/credential/approle/validation.go
index 35403a647..3a5f93925 100644
--- a/builtin/credential/approle/validation.go
+++ b/builtin/credential/approle/validation.go
@@ -118,6 +118,11 @@ func decodeSecretIDStorageEntry(entry *logical.StorageEntry) (*secretIDStorageEn
 	}
 
 	cleanup := func(in []string) []string {
+		if len(in) == 0 {
+			// Don't change unnecessarily, if it was empty list leave as empty list
+			// instead of making it nil.
+			return in
+		}
 		var out []string
 		for _, s := range in {
 			out = append(out, parseip.TrimLeadingZeroesCIDR(s))
diff --git a/changelog/13235.txt b/changelog/13235.txt
new file mode 100644
index 000000000..50c3035e6
--- /dev/null
+++ b/changelog/13235.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/approle: Fix regression where unset cidrlist is returned as nil instead of zero-length array.
+```
\ No newline at end of file