hashicorp / terraform-provider-consul

Terraform Consul provider
https://www.terraform.io/docs/providers/consul/
Mozilla Public License 2.0

`consul_certificate_authority` resource doesn't support Vault auth method configuration #324

Closed krarey closed 1 year ago

krarey commented 2 years ago

Terraform Version

Terraform v1.3.1 on linux_amd64

Affected Resource(s)

Terraform Configuration Files

```hcl
resource "consul_certificate_authority" "hcp_vault" {
  connect_provider = "vault"
  config = {
    address = data.hcp_vault_cluster.dev.vault_private_endpoint_url
    auth_method = {
      type       = "approle"
      mount_path = vault_auth_backend.approle.path
      params = {
        role_id   = vault_approle_auth_backend_role.consul_pki.role_id
        secret_id = vault_approle_auth_backend_role_secret_id.consul_pki.secret_id
      }
    }
    namespace             = vault_namespace.zts.path_fq
    root_pki_path         = vault_mount.pki_root.path
    intermediate_pki_path = vault_mount.pki_inter.path
  }
}
```

Expected Behavior

The Consul Connect certificate authority should be correctly configured with the associated Vault auth method details, in place of requiring a hardcoded token. See the Consul documentation for details on the auth_method schema.

Actual Behavior

Terraform fails to plan, citing type mismatch (expected string, received map). Attempting to work around by using jsonencode() or otherwise converting to a string fails, as the Consul API rejects the configuration.

```
│ Error: Incorrect attribute value type
│ 
│   on hcp-consul.tf line 105, in resource "consul_certificate_authority" "hcp_vault":
│  105:   config = {
│  106:     address = data.hcp_vault_cluster.dev.vault_private_endpoint_url
│  107:     auth_method = {
│  108:       type       = "approle"
│  109:       mount_path = vault_auth_backend.approle.path
│  110:       params = {
│  111:         role_id   = vault_approle_auth_backend_role.consul_pki.role_id
│  112:         secret_id = vault_approle_auth_backend_role_secret_id.consul_pki.secret_id
│  113:       }
│  114:     }
│  115:     namespace             = vault_namespace.zts.path_fq
│  116:     root_pki_path         = vault_mount.pki_root.path
│  117:     intermediate_pki_path = vault_mount.pki_inter.path
│  118:   }
│ 
│ Inappropriate value for attribute "config": element "auth_method": string
│ required.
```

remilapeyre commented 1 year ago

Hi @krarey, you are correct that this is currently an issue. This is due to the Terraform SDK that we are using, and I'm working on a new version of the provider that should fix this issue and other similar ones that are currently present in the provider.
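
The type conflict reported in this issue, modelled as an added Python sketch (not code from the provider or from either commenter): a map-of-string `config` rejects the nested `auth_method`, and stringifying it satisfies that schema but hands the consumer a string where it needs an object. The address, namespace and credential values are constructed placeholders, and `consumer_errors` is a hypothetical stand-in for the API-side validation, not Consul's own.

```python
import json

# Constructed placeholder values mirroring the shape of the config in the report.
DESIRED = {
    "address": "https://vault.example.internal:8200",
    "auth_method": {
        "type": "approle",
        "mount_path": "approle",
        "params": {"role_id": "ROLE_ID_PLACEHOLDER",
                   "secret_id": "SECRET_ID_PLACEHOLDER"},
    },
    "namespace": "admin/zts",
    "root_pki_path": "pki_root",
    "intermediate_pki_path": "pki_inter",
}


def map_of_string_errors(config):
    """Mimic a map-of-string attribute: every element must already be a string."""
    return [f'element "{key}": string required'
            for key, value in config.items() if not isinstance(value, str)]


def jsonencode_workaround(config):
    """Stringify nested values, as wrapping them in jsonencode() would."""
    return {key: value if isinstance(value, str) else json.dumps(value)
            for key, value in config.items()}


def consumer_errors(config):
    """Assumed consumer-side rule: auth_method, when present, is an object
    with a string "type" (hypothetical model, not Consul's own validation)."""
    method = config.get("auth_method")
    if method is None:
        return []
    if not isinstance(method, dict):
        return [f"auth_method: expected object, got {type(method).__name__}"]
    if not isinstance(method.get("type"), str):
        return ["auth_method.type: string required"]
    return []


if __name__ == "__main__":
    flattened = jsonencode_workaround(DESIRED)
    print("nested, provider schema:   ", map_of_string_errors(DESIRED))
    print("flattened, provider schema:", map_of_string_errors(flattened))
    print("flattened, consumer:       ", consumer_errors(flattened))
    print("nested, consumer:          ", consumer_errors(DESIRED))
```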