Expected Behavior
If I change the path on KV, I expected Terraform to change the path (which it does) and not error out.
Actual Behavior
Terraform throws an error (while it did the change) and on next apply tries to create the resource as it does not exist.
Relevant Error/Panic Output Snippet
resource "vault_mount" "kvv2" {
  path        = "kvchanged" # I changed this name and try to apply
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}
terraform apply # first apply to update path
data.kubernetes_secret_v1.vault_token: Reading... [30/1801]
data.kubernetes_secret_v1.vault_token: Read complete after 0s [id=key-management/vault-token]
vault_kubernetes_auth_backend_config.main: Refreshing state... [id=auth/kubernetes/config]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# vault_mount.kvv2 will be updated in-place
~ resource "vault_mount" "kvv2" {
id = "kvtest"
~ path = "kvtest" -> "kvchanged"
# (12 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
vault_mount.kvv2: Modifying... [id=kvtest]
╷
│ Error: error remounting in Vault: data from server response is empty
│
│ with vault_mount.kvv2,
│ on main.tf line 55, in resource "vault_mount" "kvv2":
│ 55: resource "vault_mount" "kvv2" {
But if I check on the Vault server, the change was successfully done.
And if I try to do terraform apply again, it tries to create a new resource and fails because it exists.
terraform apply # second apply to see what provider does
data.kubernetes_secret_v1.vault_token: Reading...
data.kubernetes_secret_v1.vault_token: Read complete after 1s [id=key-management/vault-token]
vault_kubernetes_auth_backend_config.main: Refreshing state... [id=auth/kubernetes/config]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# vault_mount.kvv2 will be created
+ resource "vault_mount" "kvv2" {
+ accessor = (known after apply)
+ audit_non_hmac_request_keys = (known after apply)
+ audit_non_hmac_response_keys = (known after apply)
+ default_lease_ttl_seconds = (known after apply)
+ description = "KV Version 2 secret engine mount"
+ external_entropy_access = false
+ id = (known after apply)
+ max_lease_ttl_seconds = (known after apply)
+ options = {
+ "version" = "2"
}
+ path = "kvchanged"
+ seal_wrap = (known after apply)
+ type = "kv"
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
vault_mount.kvv2: Creating...
╷
│ Error: error writing to Vault: Error making API request.
│
│ URL: POST http://my-vault.com/v1/sys/mounts/kvchanged
│ Code: 400. Errors:
│
│ * path is already in use at kvchanged/
│
│ with vault_mount.kvv2,
│ on main.tf line 55, in resource "vault_mount" "kvv2":
│ 55: resource "vault_mount" "kvv2" {
Terraform Configuration Files
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.21.0"
    }
  }
}

provider "vault" {
  # configure me
}

resource "vault_mount" "kvv2" {
  path        = "kvchanged"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}
Steps to Reproduce
Create a KV version 2, apply, and then try to update the path value.
Hi @CiucurDaniel, I was unable to reproduce the error. I am using Terraform v1.6.0, Terraform Vault Provider Version 3.23.0 and Vault server v1.15.0; changing the path runs correctly and produces no error.
Terraform Core Version
1.4.6
Terraform Vault Provider Version
3.21.0
Vault Server Version
1.2.4
Affected Resource(s)
vault_mount
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None