vault_github_team token_policies breaks policy mapping #502
Comments
I cannot seem to reproduce your issue. I added a test in 3078e3b to try and reproduce your issue but the tests passed. Can you paste your Terraform Plan output when you change your Test Debug Output
@lawliet89 Thanks for taking a look. Here is extra information:
Code before:
Terraform Apply:
Login:
Code After:
Terraform Apply:
Login:
I have the same issue running vault 1.2.1.
On vault 1.2.1 this is not working correctly and
This might be a problem with Vault itself. After applying, say, If so, then logging in with the right team mapping and not getting the right policies is probably a bug with Vault. Otherwise, can you post a debug log for the whole Terraform apply procedure (and make sure to redact sensitive information like Vault tokens and Vault addresses).
Is this possibly related (or caused by a similar underlying issue) to:
I just did a test and I think there's a bug with Vault:

```hcl
resource "vault_github_auth_backend" "example" {
  organization = "<snip>"
}

resource "vault_policy" "example" {
  name   = "test"
  policy = <<EOT
path "secret/my_app" {
  policy = "write"
}
EOT
}

resource "vault_github_team" "tf_devs" {
  backend        = vault_github_auth_backend.example.path
  team           = "<snip>"
  token_policies = [vault_policy.example.name]
}
```

After applying, I can confirm that Terraform does not show a diff. Reading
Logging in with a token that belongs to the team above, however:
@lawliet89 I think this is an issue with the provider. The github resource is old and uses some uncommon approaches, like the team/user policy mappings. While the final token should pick up the new token fields, the internal policy maps have not changed. You can see the difference in what's stored running the command manually vs with the provider:
but after TF apply:
The specialized Github code that parses this map doesn't know about "token_policies", and I don't think we want to change Vault for that. These maps don't store any of the other fields either. I think reverting the team/user map updates that were part of the token_ update commit will probably fix this.
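An added check, not code from this thread or from the provider, that shows the drift the comment above describes: Terraform reports no diff, yet the GitHub team map entry in Vault holds none of the intended policies. It assumes the map entry is read with `vault read -format=json auth/github/map/teams/<team>` and that its `value` field is the comma-separated policy list, as in the Vault docs; the JSON documents below are constructed samples.

```python
import json

# Constructed sample: the team map entry after it was written the way the
# Vault docs describe (`vault write auth/github/map/teams/tf_devs value=test,admin`).
MAP_OK = json.dumps({"data": {"key": "tf_devs", "value": "test,admin"}})

# Constructed sample: the same entry after an apply that only sent
# token_policies, which the GitHub map code does not read, so nothing is stored.
MAP_BROKEN = json.dumps({"data": {"key": "tf_devs", "value": ""}})

# Constructed sample of a login response (`vault login -format=json -method=github`)
# for a member of that team: only the implicit "default" policy is attached.
LOGIN_BROKEN = json.dumps({"auth": {"policies": ["default"], "token_policies": ["default"]}})


def map_policies(map_json):
    """Policies held in a GitHub team/user map entry (comma-separated `value`)."""
    value = json.loads(map_json).get("data", {}).get("value") or ""
    return {p.strip() for p in value.split(",") if p.strip()}


def missing_policies(expected, map_json):
    """Expected policies that the stored map entry does not actually grant."""
    return sorted(set(expected) - map_policies(map_json))


def login_missing(expected, login_json):
    """Expected policies absent from the token Vault issued at login."""
    auth = json.loads(login_json).get("auth", {})
    granted = set(auth.get("token_policies") or auth.get("policies") or [])
    return sorted(set(expected) - granted)


if __name__ == "__main__":
    wanted = ["test", "admin"]
    for name, doc in (("written per docs", MAP_OK), ("written via provider", MAP_BROKEN)):
        print(name, "-> missing from map:", missing_policies(wanted, doc))
    print("missing from login token:", login_missing(wanted, LOGIN_BROKEN))
```

Run this after every apply against the real map entry and login response; a non-empty result is the silent failure that `terraform plan` will not surface.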
Same issue here, I don't get the correct policy applied when Terraform manages the team/policy mapping, but if I manually create a mapping following the Vault docs it works:
Users in the
If I roll back to v2.1.0 of this provider I get a crash; I'm guessing this is because it's getting a bunch of unexpected parameters back when refreshing the state?
edit: For anyone else with this issue, the workaround is to set the deprecated
Since no one has yet mentioned that it affects other auth methods, I'll throw in that AppRole (vault_approle_auth_backend_role) is also affected, and the workaround @hamishforbes mentioned worked for us. If there is a way to suppress the deprecation messages, please share.
I came here with the same problem, but the cause was this:
Can we update the deprecation message to state the version requirement; at the moment it does no such thing, just complains that the field is deprecated and
Using v2.3.0 of the tf-vault plugin, and vault 1.2.2.
It is listed in the documentation - https://www.terraform.io/docs/providers/vault/r/token_auth_backend_role.html However, if it is used it will appear in the terraform diff on every TF run. It might be an issue in Vault 1.2.2 as I don't see

```
$ vault read auth/token/roles/gke-foobar
Key                       Value
---                       -----
allowed_entity_aliases    <nil>
allowed_policies          [gke-foobar]
disallowed_policies       []
explicit_max_ttl          0s
name                      gke-foobar
orphan                    false
path_suffix               n/a
period                    0s
renewable                 true
token_explicit_max_ttl    0s
token_period              24h
token_type                default-service
```

TF resource:

```hcl
resource "vault_token_auth_backend_role" "gke-foobar" {
  role_name        = "gke-foobar"
  token_policies   = ["gke-foobar"]
  allowed_policies = ["gke-foobar"]
  token_period     = 86400
  renewable        = true
}
```
Are these related issues?
Terraform Version
Terraform v0.11.13
Affected Resource(s)
vault_github_team
Terraform Configuration Files
Before:
After:
Expected Behavior
When logging in with the correct github personal access token,
Actual Behavior
Once the above code is applied to a vault instance, the "admin" policy is no longer bound to the token
Reverting back from "token_policies" to "policies" will correct the behavior.