hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

jwt_validation_pubkeys detects a whitespace diff when key hasn't changed #1055

Open mark-at-nuna opened 3 years ago

mark-at-nuna commented 3 years ago

Terraform Version

0.15.4 with Vault provider 2.20.0

Affected Resource(s)

Terraform Configuration Files

locals {
  jwt_pubkey = <<-KEY
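-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA48gxynfRHxFzXl0ZS5+/
vqOuLOlEx9hODOfN0SQdBw6k8O4PX2U8mnLi22ljMrhaMi6p02B7El0mz3M800/h
Dr7nZOaI+5rkGRXaxRHwP3G4gNfLZO9FX7fdpOxuQmdKamNG311A49W+Vj2f5g00
l9vyDXMV3YTdqacL9erN7dUMyOcHjx4WMdZUV3gj49El7Lu1nE1Sz1feY1hTexiJ
JoAFQqOsuqb8RgvlPkZc3j6dGPWPnUbJlahqUmtFClEZ2RTtDwfMtXv7tDG7Q4Qa
7WBOihyRDbovj26kp4H27X96qS6/oH/B3ze5xL+pUXD5El5FYSlOmnIizqQgypeC
bkECX7c62LXEbCTrDYmEAbONGDevWWWXSNw8h1XdwZ1XGSKuD+OobvE9M2ObTCIM
MO6TQOhS3TqJ5/ZN7HDQG6sM7z77P3AO8Kgogt5fQnkVolQbC3Z0xaKYXQuBmgAH
qwY+frdLZa0rIV9Aqnic92RcNrA4724b/nZ9eq7dnvVRAgMBAAE=
-----END PUBLIC KEY-----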
KEY
}

resource "vault_jwt_auth_backend" "jwt_test" {
  type        = "jwt"
  path        = "mark_testing_please_delete"
  description = "mark is trying to reproduce a bug"

  jwt_validation_pubkeys = [local.jwt_pubkey]
}

Expected Behavior

I expected that, after applying this configuration, terraform plan would have nothing to do.

Actual Behavior

  # vault_jwt_auth_backend.jwt_test will be updated in-place
  ~ resource "vault_jwt_auth_backend" "jwt_test" {
        id                     = "mark_testing_please_delete"
      ~ jwt_validation_pubkeys = [
          - <<-EOT
                -----BEGIN PUBLIC KEY-----
                MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA48gxynfRHxFzXl0ZS5+/
                vqOuLOlEx9hODOfN0SQdBw6k8O4PX2U8mnLi22ljMrhaMi6p02B7El0mz3M800/h
                Dr7nZOaI+5rkGRXaxRHwP3G4gNfLZO9FX7fdpOxuQmdKamNG311A49W+Vj2f5g00
                l9vyDXMV3YTdqacL9erN7dUMyOcHjx4WMdZUV3gj49El7Lu1nE1Sz1feY1hTexiJ
                JoAFQqOsuqb8RgvlPkZc3j6dGPWPnUbJlahqUmtFClEZ2RTtDwfMtXv7tDG7Q4Qa
                7WBOihyRDbovj26kp4H27X96qS6/oH/B3ze5xL+pUXD5El5FYSlOmnIizqQgypeC
                bkECX7c62LXEbCTrDYmEAbONGDevWWWXSNw8h1XdwZ1XGSKuD+OobvE9M2ObTCIM
                MO6TQOhS3TqJ5/ZN7HDQG6sM7z77P3AO8Kgogt5fQnkVolQbC3Z0xaKYXQuBmgAH
                qwY+frdLZa0rIV9Aqnic92RcNrA4724b/nZ9eq7dnvVRAgMBAAE=
                -----END PUBLIC KEY-----
            EOT,
          + <<-EOT
                -----BEGIN PUBLIC KEY-----
                MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA48gxynfRHxFzXl0ZS5+/
                vqOuLOlEx9hODOfN0SQdBw6k8O4PX2U8mnLi22ljMrhaMi6p02B7El0mz3M800/h
                Dr7nZOaI+5rkGRXaxRHwP3G4gNfLZO9FX7fdpOxuQmdKamNG311A49W+Vj2f5g00
                l9vyDXMV3YTdqacL9erN7dUMyOcHjx4WMdZUV3gj49El7Lu1nE1Sz1feY1hTexiJ
                JoAFQqOsuqb8RgvlPkZc3j6dGPWPnUbJlahqUmtFClEZ2RTtDwfMtXv7tDG7Q4Qa
                7WBOihyRDbovj26kp4H27X96qS6/oH/B3ze5xL+pUXD5El5FYSlOmnIizqQgypeC
                bkECX7c62LXEbCTrDYmEAbONGDevWWWXSNw8h1XdwZ1XGSKuD+OobvE9M2ObTCIM
                MO6TQOhS3TqJ5/ZN7HDQG6sM7z77P3AO8Kgogt5fQnkVolQbC3Z0xaKYXQuBmgAH
                qwY+frdLZa0rIV9Aqnic92RcNrA4724b/nZ9eq7dnvVRAgMBAAE=
                -----END PUBLIC KEY-----
            EOT,
        ]
        # (7 unchanged attributes hidden)
    }

I can't see the difference there.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. terraform plan

Important Factoids

Changing the configuration to define the public key all on one line makes it work perfectly:

  jwt_pubkey = "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA48gxynfRHxFzXl0ZS5+/\nvqOuLOlEx9hODOfN0SQdBw6k8O4PX2U8mnLi22ljMrhaMi6p02B7El0mz3M800/h\nDr7nZOaI+5rkGRXaxRHwP3G4gNfLZO9FX7fdpOxuQmdKamNG311A49W+Vj2f5g00\nl9vyDXMV3YTdqacL9erN7dUMyOcHjx4WMdZUV3gj49El7Lu1nE1Sz1feY1hTexiJ\nJoAFQqOsuqb8RgvlPkZc3j6dGPWPnUbJlahqUmtFClEZ2RTtDwfMtXv7tDG7Q4Qa\n7WBOihyRDbovj26kp4H27X96qS6/oH/B3ze5xL+pUXD5El5FYSlOmnIizqQgypeC\nbkECX7c62LXEbCTrDYmEAbONGDevWWWXSNw8h1XdwZ1XGSKuD+OobvE9M2ObTCIM\nMO6TQOhS3TqJ5/ZN7HDQG6sM7z77P3AO8Kgogt5fQnkVolQbC3Z0xaKYXQuBmgAH\nqwY+frdLZa0rIV9Aqnic92RcNrA4724b/nZ9eq7dnvVRAgMBAAE=\n-----END PUBLIC KEY-----"
}

That makes me think that it's a whitespace issue caused by the multiline string I used above.

chdeliens commented 1 year ago

Same issue here! I'm storing the keys in an array and I have a foreach loop, and every time I do a "plan" command, it marks the keys as changed although it's the same.

Thanks @mark-at-nuna for the one-liner tip, I'll use that instead until this can be further investigated 👍

alexeiser commented 1 year ago

One other thing you can try is to use chomp to remove any trailing / leading newlines from the strings.
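
An added example, not part of the thread and not the provider's own code: a Go helper (hypothetical name `samePEMKey`) for confirming that two `jwt_validation_pubkeys` values shown in a plan diff carry the same key material before the diff on a validation key is accepted. The sample inputs are constructed bytes, not a real key, and model the one difference that is certain between the two forms in this issue: a heredoc string ends with a newline, the one-line string does not.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
	"strings"
)

// samePEMKey (hypothetical helper) reports whether two PEM strings carry the
// same block type and the same decoded bytes, so a trailing newline or other
// armor-only difference does not count as a key change. Input that does not
// decode as PEM falls back to exact string comparison.
func samePEMKey(a, b string) bool {
	ba, restA := pem.Decode([]byte(a))
	bb, restB := pem.Decode([]byte(b))
	if ba == nil || bb == nil {
		return a == b
	}
	// Anything after the first block (for example a second key) must match too.
	if strings.TrimSpace(string(restA)) != strings.TrimSpace(string(restB)) {
		return false
	}
	return ba.Type == bb.Type && bytes.Equal(ba.Bytes, bb.Bytes)
}

// sampleKeys returns constructed inputs: one key as a heredoc-style string
// (ends in "\n"), the same key as a one-line-style string (no trailing
// newline), and a different key.
func sampleKeys() (heredoc, oneLine, other string) {
	blk := &pem.Block{Type: "PUBLIC KEY", Bytes: []byte("constructed sample bytes, not a real key")}
	heredoc = string(pem.EncodeToMemory(blk))
	oneLine = strings.TrimSuffix(heredoc, "\n")
	blk2 := &pem.Block{Type: "PUBLIC KEY", Bytes: []byte("a different constructed sample")}
	other = string(pem.EncodeToMemory(blk2))
	return
}

func main() {
	heredoc, oneLine, other := sampleKeys()
	fmt.Println("raw strings equal:", heredoc == oneLine)
	fmt.Println("same key material:", samePEMKey(heredoc, oneLine))
	fmt.Println("different key accepted:", samePEMKey(heredoc, other))
}
```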