hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: vault_kv_secret (v1) doesn't refresh `data_json` and doesn't detect drift #2143

Closed joey-squid closed 3 months ago

joey-squid commented 5 months ago

Terraform Core Version

v1.6.2, v1.7.3

Terraform Vault Provider Version

v3.25.0

Vault Server Version

v1.15.5 (on HCP)

Affected Resource(s)

vault_kv_secret

Expected Behavior

Expected the change to be detected as drift and a plan to be in place to correct it back to joey1.

Actual Behavior

vault_kv_secret.test_secrets: Refreshing state... [id=joey/supersecret]

No changes. Your infrastructure matches the configuration.

I have also provided the full output of terraform state pull as a snippet, below. Note the discrepancy between data and data_json.

Relevant Error/Panic Output Snippet

{
  "version": 4,
  "terraform_version": "1.7.3",
  "serial": 4,
  "lineage": "83627fd8-5369-2b3a-747b-1500de8377de",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "vault_kv_secret",
      "name": "test_secrets",
      "provider": "provider[\"registry.terraform.io/hashicorp/vault\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "data": {
              "value": "joey2"
            },
            "data_json": "{\"value\":\"joey1\"}",
            "id": "joey/supersecret",
            "namespace": null,
            "path": "joey/supersecret"
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }
  ],
  "check_results": null
}

Terraform Configuration Files

provider "vault" {
  address   = "REDACTED"
  namespace = "admin"
}

resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}

Steps to Reproduce

Created a resource:

resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}

Ran Terraform, then changed the secret to joey2 in the Vault UI. Ran terraform refresh, then terraform plan.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
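The discrepancy in the state dump above (refreshed `data` says `joey2`, declared `data_json` still says `joey1`) can be checked directly from `terraform state pull` output. The Go function below is an added example for this issue, not code from the report or from the provider; `sampleState` is the instance from the report trimmed to the fields read here, and `KVSecretDrift` and `tfState` are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// sampleState is the vault_kv_secret instance from the report's `terraform state pull` output, trimmed.
const sampleState = `{"resources": [{"type": "vault_kv_secret", "name": "test_secrets",
  "instances": [{"attributes": {"data": {"value": "joey2"}, "data_json": "{\"value\":\"joey1\"}"}}]}]}`

// tfState is the minimal shape of a v4 state file needed for the check.
type tfState struct {
	Resources []struct {
		Type      string `json:"type"`
		Name      string `json:"name"`
		Instances []struct {
			Attributes struct {
				Data     map[string]interface{} `json:"data"`
				DataJSON string                 `json:"data_json"`
			} `json:"attributes"`
		} `json:"instances"`
	} `json:"resources"`
}

// KVSecretDrift looks up vault_kv_secret.<name> in the state and reports whether
// the refreshed `data` map (what Vault holds) differs from the parsed `data_json`
// (what the configuration declared): the drift that v3.25.0 never planned for.
func KVSecretDrift(stateJSON []byte, name string) (refreshed, declared map[string]interface{}, drifted bool, err error) {
	var st tfState
	if err = json.Unmarshal(stateJSON, &st); err != nil {
		return nil, nil, false, err
	}
	for _, r := range st.Resources {
		if r.Type != "vault_kv_secret" || r.Name != name || len(r.Instances) == 0 {
			continue
		}
		attrs := r.Instances[0].Attributes
		if err = json.Unmarshal([]byte(attrs.DataJSON), &declared); err != nil {
			return nil, nil, false, fmt.Errorf("%s: bad data_json: %w", name, err)
		}
		// Any difference here is real drift: the config (data_json) and Vault (data) disagree.
		return attrs.Data, declared, !reflect.DeepEqual(attrs.Data, declared), nil
	}
	return nil, nil, false, fmt.Errorf("vault_kv_secret.%s not found in state", name)
}
```

Run it against a real `terraform state pull > state.json` to confirm whether a "No changes" plan is hiding a secret that was edited outside Terraform.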

joey-squid commented 5 months ago

I'm no expert, but I think this might be as simple as the following patch:

diff --git a/vault/resource_kv_secret.go b/vault/resource_kv_secret.go
index 0d666d6f..1e10c6b2 100644
--- a/vault/resource_kv_secret.go
+++ b/vault/resource_kv_secret.go
@@ -108,6 +108,15 @@ func kvSecretRead(_ context.Context, d *schema.ResourceData, meta interface{}) d
        return diag.FromErr(err)
    }

+   jsonData, err := json.Marshal(data)
+   if err != nil {
+       return diag.Errorf("error marshaling JSON for %q: %s", path, err)
+   }
+
+   if err := d.Set(consts.FieldDataJSON, string(jsonData)); err != nil {
+       return diag.FromErr(err)
+   }
+
    return nil
 }
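
Review bot: writing the server-side map straight into `data_json` (`d.Set(consts.FieldDataJSON, string(jsonData))`) fixes the missing refresh but can produce a perpetual diff instead of real drift whenever the marshaled form differs from the user's `jsonencode(...)` only in key order, whitespace or number formatting; normalise both sides before comparing, or pair the field with a DiffSuppressFunc that compares parsed JSON rather than strings. The hunk also relies on `data` and `path` being in scope at this point in `kvSecretRead` and on `encoding/json` already being imported in resource_kv_secret.go; none of that is visible in the hunk's context (`path` appears only inside the `diag.Errorf` message), so confirm all three before merging.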

fairclothjm commented 3 months ago

Closed by https://github.com/hashicorp/terraform-provider-vault/pull/2207