devops-rob / terraform-provider-terracurl

A flexible Terraform provider for making API calls
https://www.hashicorp.com/blog/writing-terraform-for-unsupported-resources
Mozilla Public License 2.0

Unable to use dynamic token authentication with Vault #67

Open junchytata opened 1 year ago

junchytata commented 1 year ago

**Describe the issue**
Setting a dynamic token in X-Vault-Token leads to authentication failure when running Terraform apply.

**To Reproduce**

  1. Use the vault token create command to create a token with a validity of 1 hour.
  2. Set this token in X-Vault-Token of TerraCurl.
  3. Run Terraform apply and resources are created successfully.
  4. After 1 hour, the previous token expires. Create a new vault token and set it in X-Vault-Token.
  5. Run Terraform plan; the result shows that the value of X-Vault-Token will be updated and the resource (aws engine) will be re-created.
    
    # terracurl_request.aws_engine must be replaced
    -/+ resource "terracurl_request" "aws_engine" {
      ~ destroy_headers        = {
          ~ "X-Vault-Token" = "hvs.XXXXXXXXXX" -> "hvs.YYYYYYYYYY"
        }
      ~ headers                = { # forces replacement
          ~ "X-Vault-Token" = "hvs.XXXXXXXXXX" -> "hvs.YYYYYYYYYY"
        }
      ~ id                     = "aws" -> (known after apply)
        name                   = "aws"
      ~ request_url_string     = "http://172.XXX.XXX.XXX:8201/v1/sys/mounts/aws" -> (known after apply)
      + response               = (known after apply)
      ~ status_code            = "204" -> (known after apply)
        # (9 unchanged attributes hidden)
    }

    Plan: 1 to add, 0 to change, 1 to destroy.

  6. When running Terraform apply, a request error occurred.

    terracurl_request.aws_engine: Destroying... [id=aws]
    terracurl_request.aws_engine: Still destroying... [id=aws, 10s elapsed]
    Error: unable to make request: request failed, retries exceeded: %!s()

  7. After manually updating the token value of X-Vault-Token in the terraform-state file, Terraform executed successfully.

**Expected behavior**
1. The new token set in X-Vault-Token should authenticate with Vault successfully.
2. The resource should be updated without being deleted and recreated.

**Environment**
- Vault Server 1.12.4
- Terraform 1.4.6
- TerraCurl 1.1.0

**Additional context**
After the first run of TerraCurl, the X-Vault-Token value is recorded in Terraform's state file and will be used for authentication with Vault the next time.
When the token on the Vault side expires, the X-Vault-Token value fails to authenticate with Vault and cannot be updated any more.
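
Added example, not part of the issue or of the provider's code: a short audit of a Terraform state file for the condition reported above, where the X-Vault-Token value persists in the `headers` and `destroy_headers` maps of `terracurl_request` resources. It assumes the state format version 4 JSON layout; the function names and the sample state are constructed for illustration.

```python
import json

# Header-map attributes of terracurl_request that appear in the plan output above.
HEADER_ATTRS = ("headers", "destroy_headers")

def redact(value, keep=4):
    """Keep a short prefix so a finding is traceable without exposing the token."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def find_persisted_tokens(state):
    """Return (address, attribute, header, redacted value) for every Vault
    token stored in the header maps of terracurl_request instances."""
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != "terracurl_request":
            continue
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for attr in HEADER_ATTRS:
                for header, value in (attrs.get(attr) or {}).items():
                    value = str(value)
                    # Match on the header name or on the hvs. token prefix.
                    if header.lower() == "x-vault-token" or value.startswith("hvs."):
                        findings.append((address, attr, header, redact(value)))
    return findings

# Constructed sample state (assumed version 4 layout), trimmed to the relevant keys.
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "resources": [
    {"mode": "managed", "type": "terracurl_request", "name": "aws_engine",
     "instances": [{"attributes": {
        "name": "aws",
        "headers": {"X-Vault-Token": "hvs.XXXXXXXXXX"},
        "destroy_headers": {"X-Vault-Token": "hvs.XXXXXXXXXX"}}}]},
    {"mode": "managed", "type": "terracurl_request", "name": "no_auth",
     "instances": [{"attributes": {"name": "health", "headers": null}}]}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_persisted_tokens(SAMPLE_STATE):
        print(*finding)
```

Any finding means the state file holds a credential, so its backend needs the same access controls as the token itself.
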

devops-rob commented 8 months ago

Hi, I think I have fixed this in the new version. When you have a moment, can you please test this and let me know? Thanks @junchytata

amuware commented 2 months ago

Hello @devops-rob, this issue looks similar to the one I just created: https://github.com/devops-rob/terraform-provider-terracurl/issues/83