hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Error using `vault_generic_endpoint` to register a custom plugin #1975

Open anthonyralston opened 1 year ago

anthonyralston commented 1 year ago

Terraform Version

v1.3.2

Affected Resource(s)

Terraform Configuration Files

```hcl
locals {
  plugin_config = {
    name    = "some-custom-plugin"
    command = "some-custom-plugin-${var.config.tag}"
    sha256  = var.config.sha256
    version = var.config.version
    builtin = false
  }
}

resource "vault_generic_endpoint" "register_custom_plugin" {
  path      = "sys/plugins/catalog/secret/some-custom-plugin"
  data_json = jsonencode(local.plugin_config)

  ignore_absent_fields = true
}
```

Expected Behavior

Apply is successful.

Actual Behavior

```
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to
│ module.custom_plugin.vault_generic_endpoint.register_custom_plugin, provider
│ "provider[\"registry.terraform.io/hashicorp/vault\"]" produced an
│ unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
```

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

tomhjp commented 1 year ago

Thanks for the report. What are the input variables please? The API accepts tags with or without a leading 'v', but normalises to including the leading 'v', so I wonder if that might be causing the issue here.

anthonyralston commented 1 year ago

Config looks like the below, so no leading v.

```hcl
config = {
  tag     = "8588d498fb0e241dccf92b59dc5732b116906de2"
  sha256  = "f5801170e8a3575268e32bfdce9c7a1c323ffc610793da8ead14680fd0596e68"
  version = "0.1.2"
}
```

anthonyralston commented 1 year ago

If it is helpful, this happens when using v3.19.0 of the Vault Terraform provider.

fairclothjm commented 1 year ago

@anthonyralston Hello! Can you confirm that the plugin failed to register? When I use the config you provided I am able to register the plugin successfully despite receiving the error from the provider. You can check with:

```
vault plugin list --detailed secret | grep "some-custom-plugin"
```

I think the error is occurring because the GET plugin endpoint requires the version if the plugin was registered with a version. In that case you may want to set `disable_read` and `disable_delete` in `vault_generic_endpoint`:

```hcl
  disable_read   = true
  disable_delete = true
```
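
With `disable_read = true` Terraform no longer reads the catalog entry back, so it cannot notice if the registered `sha256` or `command` differs from what was intended. The following is an added example, not code from this thread or from the provider: an out-of-band check that compares the intended registration with the JSON of a versioned catalog read, tolerating the leading-`v` normalisation mentioned above. The response shape (fields under `data`, hex `sha256`) and the function names are assumptions.

```python
import hmac
import json

# Intended registration, using the values posted in this thread.
EXPECTED = {
    "name": "some-custom-plugin",
    "command": "some-custom-plugin-8588d498fb0e241dccf92b59dc5732b116906de2",
    "sha256": "f5801170e8a3575268e32bfdce9c7a1c323ffc610793da8ead14680fd0596e68",
    "version": "0.1.2",
    "builtin": False,
}

# Constructed sample of a catalog read response (assumed shape: fields under
# "data", hex sha256, version stored with a leading "v").
SAMPLE_RESPONSE = json.dumps({"data": {**EXPECTED, "version": "v0.1.2", "args": []}})


def normalise_version(version):
    """Accept '0.1.2' or 'v0.1.2' and return the leading-'v' form."""
    version = version.strip()
    return version if version.startswith("v") or not version else "v" + version


def check_registration(expected, response_json):
    """Return a list of mismatches; an empty list means the entry is as intended."""
    data = json.loads(response_json).get("data") or {}
    if not data:
        return ["catalog entry not found in response"]
    problems = []
    for key in ("name", "command", "builtin"):
        if data.get(key) != expected[key]:
            problems.append(f"{key}: expected {expected[key]!r}, got {data.get(key)!r}")
    want = expected["sha256"].lower()
    got = str(data.get("sha256", "")).lower()
    if not hmac.compare_digest(want.encode(), got.encode()):
        problems.append(f"sha256: expected {want}, got {got or 'none'}")
    if normalise_version(str(data.get("version", ""))) != normalise_version(expected["version"]):
        problems.append(f"version: expected {expected['version']!r}, got {data.get('version')!r}")
    return problems


if __name__ == "__main__":
    for line in check_registration(EXPECTED, SAMPLE_RESPONSE) or ["registration matches"]:
        print(line)
```

Feed `check_registration` the JSON returned by a read of the catalog path that includes the version, since an unversioned read is what the provider error above stems from.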

fairclothjm commented 1 year ago

@anthonyralston Hello! Is there any recent update on this issue? Are you still experiencing this issue?