hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: Changing KV path gives error but it actually does the change #2078

Open CiucurDaniel opened 10 months ago

CiucurDaniel commented 10 months ago

Terraform Core Version

1.4.6

Terraform Vault Provider Version

3.21.0

Vault Server Version

1.2.4

Affected Resource(s)

vault_mount

Expected Behavior

If I change the path on KV, I expected terraform to change the path (which does) and not error out.

Actual Behavior

Terraform throws an error (while it did the change) and on next apply tries to create the resource as it does not exist.

Relevant Error/Panic Output Snippet

resource "vault_mount" "kvv2" {
  path        = "kvchanged" # I changed this name and try to apply
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}
terraform apply # first apply to update path
data.kubernetes_secret_v1.vault_token: Reading...
data.kubernetes_secret_v1.vault_token: Read complete after 0s [id=key-management/vault-token]
vault_kubernetes_auth_backend_config.main: Refreshing state... [id=auth/kubernetes/config]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # vault_mount.kvv2 will be updated in-place
  ~ resource "vault_mount" "kvv2" {
        id                           = "kvtest"
      ~ path                         = "kvtest" -> "kvchanged"
        # (12 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_mount.kvv2: Modifying... [id=kvtest]
╷
│ Error: error remounting in Vault: data from server response is empty
│
│   with vault_mount.kvv2,
│   on main.tf line 55, in resource "vault_mount" "kvv2":
│   55: resource "vault_mount" "kvv2" {

But if I check on the Vault server, the change was successfully done.

And if I try to do terraform apply again, it tries to create a new resource and fails because it exists.

terraform apply # second apply to see what provider does
data.kubernetes_secret_v1.vault_token: Reading...
data.kubernetes_secret_v1.vault_token: Read complete after 1s [id=key-management/vault-token]
vault_kubernetes_auth_backend_config.main: Refreshing state... [id=auth/kubernetes/config]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_mount.kvv2 will be created
  + resource "vault_mount" "kvv2" {
      + accessor                     = (known after apply)
      + audit_non_hmac_request_keys  = (known after apply)
      + audit_non_hmac_response_keys = (known after apply)
      + default_lease_ttl_seconds    = (known after apply)
      + description                  = "KV Version 2 secret engine mount"
      + external_entropy_access      = false
      + id                           = (known after apply)
      + max_lease_ttl_seconds        = (known after apply)
      + options                      = {
          + "version" = "2"
        }
      + path                         = "kvchanged"
      + seal_wrap                    = (known after apply)
      + type                         = "kv"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_mount.kvv2: Creating...
╷
│ Error: error writing to Vault: Error making API request.
│ 
│ URL: POST http://my-vault.com/v1/sys/mounts/kvchanged
│ Code: 400. Errors:
│ 
│ * path is already in use at kvchanged/
│ 
│   with vault_mount.kvv2,
│   on main.tf line 55, in resource "vault_mount" "kvv2":
│   55: resource "vault_mount" "kvv2" {

Terraform Configuration Files

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.21.0"
    }
  }

}

provider "vault" {
  # configure me
}

resource "vault_mount" "kvv2" {
  path        = "kvchanged"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}

Steps to Reproduce

Create a KV version 2 apply and then try to update the path value.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
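The failure mode in this report is state drift: Vault completed the remount, but the provider errored before recording the new path, so the next plan wants to create a mount that already exists. An operator can detect that situation by comparing the path in Terraform state against what `GET /v1/sys/mounts` actually lists. The following is an added example, not code from the provider or the reporter; the `sys/mounts` response bodies are constructed samples that follow the shape of the real API (a mapping of `path/` to mount info, wrapped under `data` in newer Vault versions), the accessor value is made up, and the `vault_mount.<name>` address in the reconcile hint stands for whatever the user's resource is called.

```python
"""Detect whether a vault_mount recorded in Terraform state was actually
remounted on the Vault server, using a raw GET /v1/sys/mounts response body."""
import json

# Constructed sample of sys/mounts after the remount described in the report:
# the engine now lives at "kvchanged/" and nothing is left at "kvtest/".
# The accessor and the paths are made up for this example.
SAMPLE_SYS_MOUNTS = json.dumps({
    "kvchanged/": {
        "type": "kv",
        "description": "KV Version 2 secret engine mount",
        "accessor": "kv_0123abcd",
        "options": {"version": "2"},
    },
    "cubbyhole/": {"type": "cubbyhole", "accessor": "cubbyhole_0000", "options": None},
    "sys/": {"type": "system", "accessor": "system_0000", "options": None},
})

# Newer Vault versions wrap the same listing under "data"; also constructed.
SAMPLE_SYS_MOUNTS_WRAPPED = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": json.loads(SAMPLE_SYS_MOUNTS),
})


def normalize(path: str) -> str:
    """Vault lists mounts with a trailing slash; Terraform stores the path without one."""
    return path.strip("/") + "/"


def mount_listing(sys_mounts_json: str) -> dict:
    """Return {mount_path: mount_info} from a raw sys/mounts body, wrapped or not."""
    body = json.loads(sys_mounts_json)
    listing = body.get("data", body)
    # Keep only entries that look like mount entries (metadata keys have no "type").
    return {k: v for k, v in listing.items() if isinstance(v, dict) and "type" in v}


def mount_status(sys_mounts_json: str, state_path: str, desired_path: str) -> dict:
    """Compare the path Terraform state records with what Vault actually serves.

    status:
      "in_sync"  desired path is mounted and state already points at it
      "moved"    desired path is mounted, old path is gone: the remount succeeded
                 but state was never updated (the situation in this report)
      "both"     old and new paths both exist: that is a second mount, not a remount
      "missing"  desired path is not mounted at all; a plan will (re)create it
    action: a reconcile hint for the operator (informational only).
    """
    mounts = mount_listing(sys_mounts_json)
    old, new = normalize(state_path), normalize(desired_path)
    old_present, new_present = old in mounts, new in mounts

    if new_present and old == new:
        status, action = "in_sync", "nothing to do"
    elif new_present and not old_present:
        # Drop the stale entry and re-adopt the existing mount under its new path.
        # "vault_mount.<name>" is a placeholder for the user's own resource address.
        status = "moved"
        action = ("terraform state rm vault_mount.<name> && "
                  f"terraform import vault_mount.<name> {desired_path.strip('/')}")
    elif new_present and old_present:
        status, action = "both", "two mounts exist; decide which one state should track"
    else:
        status, action = "missing", "plan will (re)create the mount"

    return {
        "status": status,
        "action": action,
        # The accessor of the mount at the desired path, for cross-checking
        # against the accessor attribute held in Terraform state.
        "accessor": mounts.get(new, {}).get("accessor"),
    }


if __name__ == "__main__":
    # State still says "kvtest", config says "kvchanged", server has "kvchanged/".
    print(mount_status(SAMPLE_SYS_MOUNTS, "kvtest", "kvchanged"))
```

Running this against a real server means fetching `/v1/sys/mounts` with a token that can read it and passing the body as `sys_mounts_json`; the `accessor` field in the result is worth comparing with the `accessor` attribute in state, since a remount keeps the same accessor while a fresh mount gets a new one.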

NightOwl998 commented 9 months ago

Hi @CiucurDaniel I was unable to reproduce the error, I am using Terraform v1.6.0, Terraform Vault Provider Version 3.23.0 and Vault server v1.15.0, changing the path runs correctly and produces no error.