Bug with vault_approle_auth_backend_role token_policies #533
Comments
+1

@lawliet89

seeing the same bug - any progress?

+1

+1
Adding commentary in case it helps anyone... I set the deprecated policies field rather than the recommended token_policies field, and that resolved a gnarly issue I was having (by way of Vault Agent auto-auth) with the https://github.com/hashicorp/vault-plugin-auth-gcp.

+1 Also, as @StephenWithPH noted, using the deprecated policies field throws a warning, but works, where the recommended token_policies field does not.

This looks like an issue when using Vault < 1.2.0 with I was unable to reproduce this with Vault 1.2.0 and provider 2.3.0. However, I decided to try this with Vault 1.1.2 and was able to reproduce the error you were seeing. I also tried using Vault 1.1.2 with provider 2.0.0 but got an error:
The
Facing this bug too:
Terraform v0.11.14
@yermulnik I can't seem to reproduce this locally. Here's what I've done: Run vault 1.3.1 in dev mode (pulled from the
I've also run this locally in non-dev mode. Manually enabled approle auth method:
Here's my

```hcl
provider "vault" {
  version = "2.7.1"
}

resource "vault_approle_auth_backend_role" "tcs" {
  role_name      = "tcs"
  token_policies = ["default", "tcs_app"]
}
```

(no other files in the folder) Terraform:
I'm struggling to find what is different from your example.
@pcman312 Hmm, interesting… Thanks for giving it a try.

```hcl
resource "vault_auth_backend" "approle" {
  type = "approle"
}

resource "vault_policy" "tcs_app" {
  name   = "tcs_app"
  policy = <<EOT
path "tcs/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOT
}
```
@yermulnik I keep getting issues with the If I remove the

what was the actual error? (so that I can paste code snippet for you to fix)

I tried ordering the Here's my
@pcman312 Hmm, looks strange.

```hcl
resource "vault_approle_auth_backend_role" "tcs" {
  backend        = "${vault_auth_backend.approle.path}"
  role_name      = "tcs"
  token_policies = ["default", "tcs_app"]
}
```
@yermulnik That seems to have fixed it. Unfortunately I'm still not able to replicate the issue:
Second run:

@pcman312 Interesting. Thanks for giving it a go.

Weird that I cannot re-deploy my vault clusters from scratch to see if it would fix the issue since these are under heavy use at the moment =(

@yermulnik that seems like a likely explanation for the problem that you and others have been seeing. I'm using Terraform 0.11.14, provider 2.7.1, and Vault 1.3.1, but I am using a completely fresh setup. What version did you upgrade from? I can try using the old version and then upgrading to see if it can be replicated.

@pcman312 We upgraded from vault provider 1.9.* to 2.7.1 and vault 1.1.3 to 1.3.1
@yermulnik I've managed to partially reproduce this issue. Running Vault 1.1.3 (not in dev mode), TF 0.11.14, Provider 2.7.1, I performed a
If I then shut down vault and start up v1.3.1 and run I'm going to try the same procedure but comparing Vault 1.1.3 & Provider 1.9.0 to Vault 1.3.1 & Provider 2.7.1 to see how the provider plays a role in this.

Oh, I saw this behaviour as well. So basically once

@yermulnik Ah, okay. I thought you had applied those changes and were still seeing the issue. Based on the diff, I'm reasonably confident it's going to remove

@pcman312 I might not have put myself quite clearly. Despite tf configuration having
@yermulnik I think I've reproduced the perpetual diff problem but want to confirm that this is the same steps you took:

```hcl
resource "vault_approle_auth_backend_role" "tcs" {
  backend   = "${vault_auth_backend.approle.path}"
  role_name = "tcs"
  policies  = ["default", "tcs_app"]
}
```

```hcl
resource "vault_approle_auth_backend_role" "tcs" {
  backend        = "${vault_auth_backend.approle.path}"
  role_name      = "tcs"
  token_policies = ["default", "tcs_app"]
}
```

Is this an accurate description of the steps you took?
@pcman312 Looks very similar to what I can recall. Apart from using

@yermulnik Sorry for the delayed update. I looked into the code for this but haven't come up with a solution to it yet. In the meantime you can look into using

@pcman312 no problem. thanks for looking into this anyways. it's not very vital for us apart from having either back and forth with

@yermulnik That's my current thought.
As some additional information which may help identify what's going on here... We have some AppRoles which were created with an old version of Vault (I think around v0.9.6, but it's from before the change from We're now on Vault v1.4.0, and provider v2.10.0. What I have found is that AppRoles created in the older version of Vault actually do have both the old
Removing the AppRole from the Terraform state with
i.e. Terraform detects that the Newly created AppRoles do not have this issue. When I read those from Vault, they do not have the As another interesting data point, we do NOT see this issue with the
Note from above that the As I look into this further, it appears that the Whereas

Hello - I opened #744 to address this. Thanks to @lucymhdavies for pointing me in the right direction for the fix. If you have the ability to checkout the repo, compile it, and give it a try, please let us know if it works out.
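An added audit helper (not from this thread, the provider, or Vault itself) that classifies AppRole roles the way the comment above describes: roles that still carry the legacy `policies` field next to `token_policies` are the ones that produce the perpetual plan diff, and an operator will want to know which roles those are and whether the two lists still agree. It assumes the `data` layout of Vault's read-role API response (`GET /v1/auth/approle/role/<name>`) and embeds constructed sample responses; the live fetch needs `VAULT_ADDR` and `VAULT_TOKEN` and is not called offline.

```python
import json
import os
import urllib.request


def classify_role(data: dict) -> dict:
    """Classify one role's `data` block from the read-role API response.

    Reports the effective token_policies, whether the legacy `policies`
    field (roles created before the token_* rename) is still present,
    and whether it matches token_policies.
    """
    token_policies = sorted(data.get("token_policies") or [])
    legacy = data.get("policies") or []
    has_legacy = len(legacy) > 0
    return {
        "token_policies": token_policies,
        "has_legacy_policies": has_legacy,
        "legacy_in_sync": (sorted(legacy) == token_policies) if has_legacy else None,
        # Roles that still carry the legacy field are the ones the thread
        # describes as producing a perpetual diff with provider 2.x.
        "perpetual_diff_risk": has_legacy,
    }


def audit_roles(responses: dict) -> dict:
    """Map role name -> classification for a dict of name -> API JSON bodies."""
    return {name: classify_role(body["data"]) for name, body in responses.items()}


def fetch_role(name: str) -> dict:
    """Optional live read (assumed API path); requires VAULT_ADDR and VAULT_TOKEN."""
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/auth/approle/role/{name}",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not real captures): one role migrated from an
# old Vault that still carries `policies`, and one created on a current Vault.
SAMPLE_RESPONSES = {
    "legacy-role": {"data": {"token_policies": ["default", "tcs_app"],
                             "policies": ["default", "tcs_app"]}},
    "new-role": {"data": {"token_policies": ["default", "tcs_app"]}},
}

if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_RESPONSES), indent=2))
```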
…om `policies` to `token_policies` (hashicorp#744) * add regression test for hashicorp#533 * conditionally set policies and period
Terraform Version
Terraform v0.11.14

Affected Resource(s)
Please list the resources as a list, for example:

Terraform Configuration Files
My module resources:
Configuration:

Expected Behavior
`token_policies` argument is assigned with policies after `apply` and reflected in state.

Actual Behavior
`terraform apply`
Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
Next subsequent `apply` shows difference in state:
Beginning from provider version 2.0.0 `policies` argument was changed to `token_policies` and I wonder why it's present here. Actually, no values are being assigned to `token_policies` and each subsequent `apply` shows a difference and `vault_approle_auth_backend_role` `token_policies` argument is not working at all.

Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
`terraform apply` `vault_approle_auth_backend_role` resource with `token_policies` argument defined.
`terraform apply` again

Important Factoids
Everything works perfectly with provider version 2.0.0 and `policies` argument instead of `token_policies`.
Thanks in advance!