hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: ##[error]provider "registry.terraform.io/hashicorp/vault" produced an unexpected new value: Root resource was present, but now absent. #2155

Closed tanglaojames closed 4 months ago

tanglaojames commented 4 months ago

Terraform Core Version

1.7.3

Terraform Vault Provider Version

3.25.0

Vault Server Version

1.15.3

Affected Resource(s)

No response

Expected Behavior

We are expecting to onboard and offboard without this error/info that causes the pipeline to fail.

Actual Behavior

We can onboard, but this error is showing, and also when we try to deboard the static role using the pipeline we can't offboard it after removing it from our tfvars.json file.

We got 0 destroyed, but the stage in the pipeline succeeds.

When we try adding our personal token in providers.tf the error is removed, but when using azurerm in providers.tf the error persists. Also, even though we can remove the error by using our own token, the pipeline can't automatically deboard the static role in Vault.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

main.tf

resource "vault_ldap_secret_backend_static_role" "role" {
  for_each        = var.Hashi_LDAPSSE_Roles
  mount           = each.value.ldap_secret_engine_path
  username        = each.value.appid
  dn              = each.value.dname
  role_name       = each.value.role_name # "${each.value.role_name}"
  rotation_period = var.token_ttl
}

providers.tf

terraform {
  backend "azurerm" {}
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.25.0"
    }
  }
}

provider "vault" {
  # Configuration options
  address = var.vault_url
}

variables.tf

variable "Hashi_LDAPSSE_Roles" {
  description = "Data from aggregated LDAP static roles data; this schema should match the JSON hashi adse roles file."
  type = map(object({
    appid_email             = string
    appid                   = string
    role_name               = string
    environment             = string
    airid                   = string
    dname                   = string
    domain                  = string
    ldap_secret_engine_path = string
  }))
}

variable "ldap_secret_engine_path" {
  description = "(Required, Forces new resource) Path where the AD Secrets Engine is mounted"
  type        = string
  sensitive   = true
}

variable "token_ttl" {
  description = "(Optional) The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
  type        = string
  default     = 75 * 86400
}

variable "token_max_ttl" {
  description = "(Optional) The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
  type        = string
  default     = "8640000"
}

variable "vault_url" {
  description = "URL of the Vault server to use; this needs to match the Azure DevOps hashiVaultEnv in the pipelines.yaml file."
  type        = string
  default     = "https://xxxxxxxxxxx.com"
}

Steps to Reproduce

  1. Pipeline in YAML to aggregate data into the tfvars.json file and perform terraform apply.
  2. Run the pipeline to onboard or deboard an account.

Debug Output

DebugTRACE Terraform_Error.txt

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

tanglaojames commented 4 months ago

But when I try to provision and deprovision using the same code in a local setup in Visual Code, I can provision and deprovision without any error. The only change I made in the local setup is using a `token = "hvs.xxxx"` in the providers.tf file.

So I tried to use the token in the Azure DevOps setup. I got no error, but when I try to deprovision I still fail to successfully delete the static role in Vault. But the TF Apply stage in our pipeline returns no error.

fairclothjm commented 4 months ago

@tanglaojames Hello, I am sorry you are having trouble here! Thanks for providing the debug log. That was very useful.

It looks like the Provider's READ operation is getting a 403. I suggest you check your token has permission to perform READ on the LDAP static role endpoint.

 2024-02-21T16:30:45.982Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Request Details:
 ---[ REQUEST ]---------------------------------------
 GET /v1/dir/ldap/static-role/hv-ldaps-75144-dir-p-a75144dirpadse HTTP/1.1
 Host: pam-vault.accenture.com
...

 -----------------------------------------------------: timestamp=2024-02-21T16:30:45.982Z
 2024-02-21T16:30:46.000Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Response Details:
 ---[ RESPONSE ]--------------------------------------
 HTTP/2.0 403 Forbidden
...

It makes sense that we would see the error you are experiencing here because the Provider must be able to READ so that it can set the state appropriately.

It does look like there are a few places where we are not checking the error correctly on the Provider side which is why this error is not more obvious. We will get those fixed! Thanks again!
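As an added illustration of the token-permission point above (this policy is not from the issue or from the provider project), the following Vault policy grants the capabilities the pipeline token needs on the static-role path. The mount path "dir/ldap" is taken from the GET request in the debug log and is an assumption; substitute the value of each.value.ldap_secret_engine_path.

```hcl
# Added example policy, not part of the issue. The mount path "dir/ldap" is
# assumed from the request "GET /v1/dir/ldap/static-role/..." in the debug log.
#
# "read" is the capability the 403 above shows is missing: without it the
# provider cannot read the role back to refresh state, which is what
# produces the "present, but now absent" error. "create"/"update" cover
# onboarding and "delete" covers offboarding. Scope the glob to the mount
# that the pipeline actually manages rather than to ldap/* everywhere.
path "dir/ldap/static-role/*" {
  capabilities = ["create", "read", "update", "delete"]
}
```

Before rerunning the pipeline, `vault token capabilities dir/ldap/static-role/<role_name>` with the pipeline's token should list read alongside create, update and delete; if it prints deny, the provider's READ will keep returning 403.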

fairclothjm commented 4 months ago

Closing as I believe this is resolved by fixing the token permissions and PR #2156. Please reopen another issue if you are still encountering errors.

tanglaojames commented 4 months ago

Hi @fairclothjm, can we reopen this case, as we are also having an issue re: deprovisioning the static role of the LDAP secret engine? Though the stage finishes successfully, the result is weird.

It looks like no changes have been made by terraform: it shows "Apply complete! Resources: 0 added, 0 changed, 0 destroyed."

And the static role that must be deboarded in the LDAP SE still exists in Hashi Vault.

fairclothjm commented 4 months ago

@tanglaojames Once we do the next TFVP release with the fix your issue should be resolved -- assuming you also fix your token permission issue.