hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

vault_kv_secret_v2 perpetual diff when the word "data" is in secret name/path #2103

Closed vftaylor closed 8 months ago

vftaylor commented 9 months ago

Terraform Core Version

1.6.5

Terraform Vault Provider Version

3.23.0

Vault Server Version

1.15.3

Affected Resource(s)

vault_kv_secret_v2

Expected Behavior

Given the following terraform code, you would expect a secret backend and 2 secrets to be created.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
      version = "3.23.0"
    }
  }
}

provider "vault" {
  address = "http://localhost:8200/"
  token = "hvs.foo"
}

resource "vault_mount" "kvv2" {
  path        = "kvv2"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}

resource "vault_kv_secret_v2" "test_1" {
  mount                      = vault_mount.kvv2.path
  name                       = "a/b/c/d/e"
  data_json                  = jsonencode({
    foo       = "bar"
  })
}

resource "vault_kv_secret_v2" "test_2" {
  mount                      = vault_mount.kvv2.path
  name                       = "a/b/c/data/d/e"
  data_json                  = jsonencode({
    foo       = "bar"
  })
}

Actual Behavior

The 2 secrets get created, but there is a perpetual diff in secret "test_2" because of the word "data" in the secret path. The provider attempts to delete and recreate the secret every plan/apply. The logic in the provider seems to be confusing the word "data" in the secret path with the data prefix that KV v2 secrets have.

Relevant Error/Panic Output Snippet

> terraform plan
vault_mount.kvv2: Refreshing state... [id=kvv2]
vault_kv_secret_v2.test_2: Refreshing state... [id=kvv2/data/a/b/c/data/d/e]
          - "created_time"    = "2023-12-03T16:26:58.608140672Z"
          - "custom_metadata" = "null"
          - "deletion_time"   = ""
          - "destroyed"       = "false"
          - "version"         = "1"
        } -> (known after apply)
      ~ mount               = "kvv2/data/a/b/c" -> "kvv2" # forces replacement
      ~ name                = "d/e" -> "a/b/c/data/d/e" # forces replacement
      ~ path                = "kvv2/data/a/b/c/data/d/e" -> (known after apply)
        # (3 unchanged attributes hidden)

      - custom_metadata {}
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Terraform Configuration Files

None.

Steps to Reproduce

  1. Start a Vault dev server: ./vault server -dev -dev-listen-address="0.0.0.0:8200"
  2. Run terraform plan/apply on the code given above several times to see the behaviour.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
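As an added illustration (not the provider's own code; the parsing routines below are a constructed assumption about the class of bug, not a reading of the provider source), the following Go snippet shows how splitting the resource id on the wrong occurrence of "/data/" yields exactly the mount and name values seen in the plan output above, and two parsing strategies that avoid it, including one that handles a mount path that itself contains a "data" segment:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed example id, matching the one in the issue's plan output.
const exampleID = "kvv2/data/a/b/c/data/d/e"

// parseIDLast reproduces the reported symptom: splitting on the LAST
// "/data/" mistakes the secret's own "data" path segment for the KV v2
// data prefix. (Illustrative assumption, not the provider's real logic.)
func parseIDLast(id string) (mount, name string) {
	i := strings.LastIndex(id, "/data/")
	if i < 0 {
		return "", id
	}
	return id[:i], id[i+len("/data/"):]
}

// parseIDFirst splits on the FIRST "/data/", which is correct as long as
// the mount path itself contains no "data" segment.
func parseIDFirst(id string) (mount, name string) {
	i := strings.Index(id, "/data/")
	if i < 0 {
		return "", id
	}
	return id[:i], id[i+len("/data/"):]
}

// parseIDWithMount uses the mount path already known from state, so neither
// the mount nor the secret name can be confused with the "data" prefix.
func parseIDWithMount(id, mount string) (name string, ok bool) {
	prefix := strings.TrimSuffix(mount, "/") + "/data/"
	if !strings.HasPrefix(id, prefix) {
		return "", false
	}
	return strings.TrimPrefix(id, prefix), true
}

func main() {
	m, n := parseIDLast(exampleID)
	fmt.Printf("last:  mount=%q name=%q (forces replacement)\n", m, n)
	m, n = parseIDFirst(exampleID)
	fmt.Printf("first: mount=%q name=%q\n", m, n)
	// Constructed mount containing "data" to show why the known mount is safer.
	n, _ = parseIDWithMount("team/data/data/x", "team/data")
	fmt.Printf("known mount: name=%q\n", n)
}
```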

fairclothjm commented 8 months ago

Thanks for reporting @vftaylor! We should be able to get this fix in for the next release