hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: MongoDB connections result in update-in-place although no changes were made #2170

Open plafue opened 4 months ago

plafue commented 4 months ago

Terraform Core Version

1.7.4

Terraform Vault Provider Version

3.25.0

Vault Server Version

1.15

Affected Resource(s)

vault_database_secrets_mount, vault_database_secret_backend_connection

Expected Behavior

After applying the configuration once, applying it again shouldn't show any drift against the state.

Actual Behavior

Applying the configuration with no changes shows that resources will be destroyed and recreated or updated in place.

Relevant Error/Panic Output Snippet

```
# vault_database_secrets_mount.databases will be updated in-place
  ~ resource "vault_database_secrets_mount" "databases" {
        id                           = "db"
        # (12 unchanged attributes hidden)

      - mongodb {
          - allowed_roles            = [
              - "role2",
            ] -> null
          - connection_url           = "mongodb://{{username}}:{{password}}@mongodb:27017/" -> null
          - data                     = {} -> null
          - max_connection_lifetime  = 0 -> null
          - max_idle_connections     = 0 -> null
          - max_open_connections     = 2 -> null
          - name                     = "db2" -> null
          - plugin_name              = "mongodb-database-plugin" -> null
          - root_rotation_statements = [] -> null
          - username                 = "root" -> null
          - verify_connection        = true -> null
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

Terraform Configuration Files

https://github.com/plafue/terraform-provider-vault-mongodb-bug

Steps to Reproduce

In the provided repository, run

```shell
docker compose up -d
export VAULT_ADDR=http://127.0.0.1:8200 && \
  vault login vault-plaintext-root-token
terraform init && terraform apply
```

and apply/plan once (or many more times) to see how the plan always drifts from the state.

Debug Output

No response

Panic Output

No response

Important Factoids

This does not only happen with a mongodb block inside the secrets mount and a vault_database_secret_backend_connection resource: having two vault_database_secret_backend_connections with a mongo block also triggers an update in place of the database secrets mount.

References

No response

Would you like to implement a fix?

None
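
A check for the drift this issue describes, as an added example that is not part of the original report or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and names the top-level attributes each pending change would touch. The sample plan is constructed from the plan text above, and the `postgresql` block standing in for the hidden unchanged block is an assumption.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output, trimmed to the
# fields read below. Values mirror the plan text in the issue; the "postgresql"
# block is an assumed stand-in for the "(1 unchanged block hidden)" line.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "vault_database_secrets_mount.databases",
         "change": {
             "actions": ["update"],
             "before": {"id": "db",
                        "mongodb": [{"name": "db2", "allowed_roles": ["role2"]}],
                        "postgresql": [{"name": "db1"}]},
             "after": {"id": "db",
                       "mongodb": [],
                       "postgresql": [{"name": "db1"}]}}},
        {"address": "vault_database_secret_backend_role.role2",
         "change": {"actions": ["no-op"],
                    "before": {"name": "role2"}, "after": {"name": "role2"}}},
    ]
})


def drifted_attributes(plan_json):
    """Map each resource the plan would change to the sorted names of the
    top-level attributes or blocks whose planned value differs from state.
    Only names are returned: the JSON plan carries sensitive values in
    plain text, so values are never copied into the report."""
    report = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if set(change.get("actions", [])) <= {"no-op", "read"}:
            continue  # nothing would be written for this resource
        before = change.get("before") or {}  # null when creating
        after = change.get("after") or {}    # null when destroying
        report[rc["address"]] = sorted(
            k for k in before.keys() | after.keys() if before.get(k) != after.get(k))
    return report


def is_converged(plan_json):
    """True when a plan taken right after an apply proposes no changes."""
    return not drifted_attributes(plan_json)


if __name__ == "__main__":
    for address, names in drifted_attributes(SAMPLE_PLAN).items():
        print(f"{address}: would change {', '.join(names)}")
```

Run against a plan saved immediately after a clean apply, a non-empty report identifies which block the provider fails to round-trip.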