Closed tanglaojames closed 4 months ago
But when I try to provision and deprovision using the same code in a local setup in Visual Studio Code, I can provision and deprovision without any error. The only change I made in the local setup is using a token = "hvs.xxxx" in the providers.tf file.
So I tried to use the token in the Azure DevOps setup. I got no error, but when I try to deprovision I still fail to successfully delete the static role in Vault, even though the TF Apply stage in our pipeline returns no error.
@tanglaojames Hello, I am sorry you are having trouble here! Thanks for providing the debug log. That was very useful.
It looks like the Provider's READ operation is getting a 403. I suggest you check your token has permission to perform READ on the LDAP static role endpoint.
2024-02-21T16:30:45.982Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/dir/ldap/static-role/hv-ldaps-75144-dir-p-a75144dirpadse HTTP/1.1
Host: pam-vault.accenture.com
...
-----------------------------------------------------: timestamp=2024-02-21T16:30:45.982Z
2024-02-21T16:30:46.000Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
...
It makes sense that we would see the error you are experiencing here because the Provider must be able to READ so that it can set the state appropriately.
It does look like there are a few places where we are not checking the error correctly on the Provider side which is why this error is not more obvious. We will get those fixed! Thanks again!
Closing as I believe this is resolved by fixing the token permissions and PR #2156. Please reopen another issue if you are still encountering errors.
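The debug log excerpt above pairs each Vault API request with its response, so a 403 can be tied back to the HTTP method and path, and from there to the policy capability the token is missing. Below is an added example, not code from this thread or from the provider, that triages a provider debug log that way. The sample log lines are constructed to match the format shown above; the host name, the role name and the lookup-self request are placeholders, and the method-to-capability mapping follows how Vault evaluates policies (POST/PUT needs create for a new entry and update for an existing one).

```python
"""Triage a Terraform Vault provider debug log: pair each Vault API request
with its response, pull out the 403s, and render the policy capabilities the
token would need. Added example; not code from the thread or the provider."""
import re
from dataclasses import dataclass

# Request line inside a "Vault API Request Details" block, e.g.
#   GET /v1/dir/ldap/static-role/<name> HTTP/1.1
REQUEST_RE = re.compile(r"^(?P<method>GET|PUT|POST|PATCH|DELETE|LIST)\s+(?P<path>/v1/\S+)\s+HTTP/")
# Status line inside a "Vault API Response Details" block, e.g. HTTP/2.0 403 Forbidden
RESPONSE_RE = re.compile(r"^HTTP/\S+\s+(?P<status>\d{3})")

# Capabilities Vault checks for each HTTP method. POST/PUT is "create" when the
# entry is new and "update" when it already exists, so a CI policy needs both.
METHOD_CAPABILITIES = {
    "GET": frozenset({"read"}),
    "LIST": frozenset({"list"}),
    "POST": frozenset({"create", "update"}),
    "PUT": frozenset({"create", "update"}),
    "PATCH": frozenset({"patch"}),
    "DELETE": frozenset({"delete"}),
}


@dataclass(frozen=True)
class Exchange:
    method: str
    path: str      # raw request path, e.g. /v1/dir/ldap/static-role/x
    status: int

    @property
    def policy_path(self) -> str:
        """Path as written in a Vault policy: no /v1/ prefix, no query string."""
        return self.path[len("/v1/"):].split("?", 1)[0]

    @property
    def capabilities(self) -> frozenset:
        # A list is sent as GET ...?list=true; treat that as "list".
        if self.method == "GET" and "list=true" in self.path:
            return METHOD_CAPABILITIES["LIST"]
        return METHOD_CAPABILITIES.get(self.method, frozenset())


def parse_exchanges(log_text: str) -> list:
    """Pair each request line with the next status line, in order of appearance."""
    exchanges, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        req = REQUEST_RE.match(line)
        if req:
            pending = (req["method"], req["path"])
            continue
        resp = RESPONSE_RE.match(line)
        if resp and pending is not None:
            exchanges.append(Exchange(pending[0], pending[1], int(resp["status"])))
            pending = None
    return exchanges


def forbidden(log_text: str) -> list:
    """Only the exchanges the token was denied (HTTP 403)."""
    return [e for e in parse_exchanges(log_text) if e.status == 403]


def suggest_policy(exchanges: list) -> str:
    """Render one policy stanza per denied path listing the missing capabilities."""
    caps_by_path = {}
    for e in exchanges:
        caps_by_path.setdefault(e.policy_path, set()).update(e.capabilities)
    stanzas = []
    for path in sorted(caps_by_path):
        caps = ", ".join(f'"{c}"' for c in sorted(caps_by_path[path]))
        stanzas.append(f'path "{path}" {{\n  capabilities = [{caps}]\n}}')
    return "\n\n".join(stanzas)


# Constructed sample log in the provider's debug format (host and role name are
# placeholders, not values from the thread).
SAMPLE_LOG = """\
2024-02-21T16:30:45.982Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/auth/token/lookup-self HTTP/1.1
Host: vault.example.com
-----------------------------------------------------: timestamp=2024-02-21T16:30:45.982Z
2024-02-21T16:30:45.990Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
2024-02-21T16:30:46.000Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Request Details:
---[ REQUEST ]---------------------------------------
GET /v1/dir/ldap/static-role/example-role HTTP/1.1
Host: vault.example.com
-----------------------------------------------------: timestamp=2024-02-21T16:30:46.000Z
2024-02-21T16:30:46.010Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
2024-02-21T16:30:46.020Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Request Details:
---[ REQUEST ]---------------------------------------
DELETE /v1/dir/ldap/static-role/example-role HTTP/1.1
Host: vault.example.com
-----------------------------------------------------: timestamp=2024-02-21T16:30:46.020Z
2024-02-21T16:30:46.030Z [DEBUG] plugin.terraform-provider-vault_v3.25.0_x5: Vault API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
"""

if __name__ == "__main__":
    for e in forbidden(SAMPLE_LOG):
        print(f"403 {e.method} {e.policy_path} -> needs {sorted(e.capabilities)}")
    print(suggest_policy(forbidden(SAMPLE_LOG)))
```

To produce a real log for this script, run the pipeline step with TF_LOG=DEBUG and TF_LOG_PATH set, then feed the file to parse_exchanges in place of SAMPLE_LOG. The rendered stanza is a starting point for the token's policy, not a finished one: widen the path to a glob only for the roles the pipeline actually manages.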
Hi @fairclothjm, can we reopen this case? We are also having an issue with deprovisioning the static role of the LDAP secrets engine: the stage finishes successfully, but the result is weird.
It looks like no changes have been made by Terraform: it shows "Apply complete! Resources: 0 added, 0 changed, 0 destroyed."
and the static role that must be deboarded in the LDAP SE still exists in HashiCorp Vault.
@tanglaojames Once we do the next TFVP release with the fix your issue should be resolved -- assuming you also fix your token permission issue.
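A policy for the pipeline token that covers what the provider does against an LDAP static role, as an added example that is not from this thread or from the provider's documentation. The mount path dir/ldap is taken from the debug log above; the policy name and the trailing glob are assumptions to adapt to the roles the pipeline manages.

```hcl
# Hypothetical policy name: tf-ldap-static-roles (written with `vault policy write`).
# "read" is not optional: the provider reads the role back after create and
# before delete to set Terraform state, and a 403 on that read is exactly what
# the debug log in this thread shows. Narrow the glob to the roles the pipeline
# owns rather than granting the whole mount.
path "dir/ldap/static-role/*" {
  capabilities = ["create", "read", "update", "delete"]
}
```

Before re-running the pipeline, check the token it will use with vault token capabilities dir/ldap/static-role/<role_name>; the output must include read. Pass the token to the provider through the VAULT_TOKEN environment variable of the pipeline step rather than a token = "hvs...." literal in providers.tf, so the secret never lands in the repository or the state backend.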
Terraform Core Version
1.7.3
Terraform Vault Provider Version
3.25.0
Vault Server Version
1.15.3
Affected Resource(s)
No response
Expected Behavior
We are expecting to onboard and offboard without this error/info that causes the pipeline to fail
Actual Behavior
We can onboard, but this error is showing, and when we try to deboard the static role using the pipeline we can't offboard it after removing it from our tfvars.json file.
We get 0 destroyed, but the stage in the pipeline succeeds.
When we add our personal token in providers.tf the error is removed, but when using azurerm in providers.tf the error persists. Also, even though we can remove the error by using our own token, the pipeline can't automatically deboard the static role in Vault.
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
main.tf
resource "vault_ldap_secret_backend_static_role" "role" {
  for_each        = var.Hashi_LDAPSSE_Roles
  mount           = each.value.ldap_secret_engine_path
  username        = each.value.appid
  dn              = each.value.dname
  role_name       = each.value.role_name # "${each.value.role_name}"
  rotation_period = var.token_ttl
}
providers.tf
terraform {
  backend "azurerm" {}
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.25.0"
    }
  }
}

provider "vault" {
  # Configuration options
  address = var.vault_url
}
variables.tf
variable "Hashi_LDAPSSE_Roles" {
  description = "Data from aggregated LDAP static roles data; this schema should match the JSON hashi adse roles file."
  type = map(object({
    appid_email             = string
    appid                   = string
    role_name               = string
    environment             = string
    airid                   = string
    dname                   = string
    domain                  = string
    ldap_secret_engine_path = string
  }))
}

variable "ldap_secret_engine_path" {
  description = "(Required, Forces new resource) Path where the LDAP Secrets Engine is mounted"
  type        = string
  sensitive   = true
}

variable "token_ttl" {
  # Used as rotation_period on the static role, which is a number of seconds,
  # so the type is number rather than string.
  description = "(Optional) The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
  type        = number
  default     = 75 * 86400
}

variable "token_max_ttl" {
  description = "(Optional) The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
  type        = number
  default     = 8640000
}

variable "vault_url" {
  description = "URL of the Vault server to use; this needs to match the Azure DevOps hashiVaultEnv in the pipelines.yaml file."
  type        = string
  default     = "https://xxxxxxxxxxx.com"
}
Steps to Reproduce
Debug Output
DebugTRACE Terraform_Error.txt
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None