hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Vault provider should not connect to server during initialization phase #192

Open CharlieC3 opened 6 years ago

CharlieC3 commented 6 years ago

In the event where a Terraform script is designed to first deploy a Vault server, then configure it using this Vault provider, the plan creation step will fail because the Vault provider attempts to connect to the Vault server when it does not exist yet.

The Vault provider should not attempt to establish a connection with a destination Vault server during the provider's initialization phase in order to avoid a failure in the scenario where the Vault server does not yet exist because Terraform hasn't deployed it yet.

The actual line causing the issue is here: https://github.com/terraform-providers/terraform-provider-vault/blob/master/vault/provider.go#L193

Terraform Version

Terraform v0.11.8

Affected Resource(s)

Terraform Configuration Files

provider "vault" {
  address = "https://127.0.0.1:8200"
  token   = "${data.external.vault_root_token.result.data}"
}

resource "helm_release" "vault" {
  depends_on = ["helm_release.consul"]
  name       = "vault"
  repository = "${helm_repository.incubator.name}"
  chart      = "incubator/vault"
  version    = "${var.vault_chart_version}"
  namespace  = "${var.k8s_namespace}"

  values = [<<-EOF
    fullnameOverride: vault
    image:
      tag: ${var.vault_version}
    consulAgent:
      tag: ${var.consul_version}
      pullPolicy: IfNotPresent
      join: ${local.consul_url}
      gossipKeySecretName: consul-gossip-key
    vault:
      dev: false
      customSecrets:
        - secretName: ${kubernetes_secret.tls_cert_and_key.metadata.0.name}
          mountPath: /vault/tls
      extraEnv:
        - name: VAULT_API_ADDR
          value: ${local.vault_url}
        - name: VAULT_CLUSTER_ADDR
          value: ${local.vault_url}
      config:
        listener:
          tcp:
            tls_disable: false
            tls_cert_file: /vault/tls/tls.crt
            tls_key_file: /vault/tls/tls.key
        storage:
          consul:
            address: ${local.consul_url}
            path: vault
    EOF
  ]

  // Initialize and unseal Vault
  provisioner "local-exec" {
    command = "${path.module}/tf-scripts/unseal_vault.sh -k ${path.module}/kube/kubeconfig_${local.cluster_name} -m ${var.vault_secret_name}"
  }
}

resource "null_resource" "vault_port_forward" {
  depends_on = ["helm_release.vault"]

  provisioner "local-exec" {
    command = "nohup kubectl port-forward vault ${var.vault_port} &"
  }
}

resource "vault_auth_backend" "vault_enable_kubernetes" {
  depends_on = ["null_resource.vault_port_forward"]

  type = "kubernetes"
}

Debug Output

https://gist.github.com/CharlieC3/a928e735bbe266057c0a5dbc6c25553a

Expected Behavior

I expected a Terraform plan to be generated.

Actual Behavior

The Vault provider attempted to establish a connection with the destination Vault server during a planning phase, causing the plan to fail to create because Vault was not yet deployed.

Like many other providers, the Vault provider should not attempt to establish a connection with the destination Vault server during the provider initialization phase, in order to avoid failure in cases where the Terraform script using the Vault provider is also the one deploying the Vault server.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan

joemiller commented 5 years ago

I am also very interested in this feature. Looking at the code, it seems the issue is due to the attempt to fetch a child token during the execution of the provider's ConfigureFunc - https://github.com/terraform-providers/terraform-provider-vault/blob/master/vault/provider.go#L242

What would be the best approach to delaying this call? Or, perhaps a flag like use_child_token = false could be introduced as a tradeoff to achieve the desired functionality.
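One way to defer the child-token call that the comment above points at, as an added illustration and not the provider's own code: the ConfigureFunc only records the address and parent token, and the child token is created on first use by a resource, so `terraform plan` does not need a reachable Vault. `LazyClient`, `NewLazyClient` and `ChildTokenFunc` are hypothetical names, and the token-create call is injected so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ChildTokenFunc obtains a child token from Vault. In the provider this is the
// token-create call made during ConfigureFunc; here it is injected (hypothetical).
type ChildTokenFunc func(address, parentToken string) (string, error)

// LazyClient keeps the provider configuration but does not contact Vault
// until a resource actually needs a token.
type LazyClient struct {
	address, parentToken string
	create               ChildTokenFunc
	mu                   sync.Mutex
	childToken           string
}

// NewLazyClient is what a ConfigureFunc would return: bookkeeping only, no
// network call, so planning succeeds before the Vault server exists.
func NewLazyClient(address, parentToken string, create ChildTokenFunc) *LazyClient {
	return &LazyClient{address: address, parentToken: parentToken, create: create}
}

// Token returns the child token, creating it on first use. Errors are not
// memoised: a Vault that was unreachable on one call is retried on the next.
func (c *LazyClient) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.childToken != "" {
		return c.childToken, nil
	}
	if c.address == "" || c.parentToken == "" {
		return "", errors.New("vault address and token must be configured")
	}
	tok, err := c.create(c.address, c.parentToken)
	if err != nil {
		return "", err
	}
	c.childToken = tok
	return tok, nil
}

func main() {
	// Constructed stand-in for the Vault call; no server is contacted.
	c := NewLazyClient("https://127.0.0.1:8200", "s.parent", func(a, t string) (string, error) { return "s.child", nil })
	fmt.Println(c.Token())
}
```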

stuart-c-moore commented 5 years ago

Just leaving a comment to say this issue still exists in v2.0 of the vault provider, on terraform v0.12.0

stuart-c-moore commented 5 years ago

Hi, can we get a comment from the developers on this please?

Is this recognised as a bug that can be fixed?

eytanhanig commented 2 years ago

This issue is still a problem. Are there any plans to fix this?