Closed onefourfive closed 4 months ago
@onefourfive Hello, I am sorry you are having trouble!
I believe the issue is that TF does not understand the dependency relationship between your two resources. In particular, vault_jwt_auth_backend_role
needs make a reference to the vault_jwt_auth_backend
's named value because the backend must be mounted before we can create the role.
Could you try updating your config. Example:
resource "vault_jwt_auth_backend_role" "oidc-default" {
- backend = "oidc"
+ backend = vault_jwt_auth_backend.oidc.path
@fairclothjm thank you for your help!
Unfortunately that causes a cycle error when implemented as such:
resource "vault_jwt_auth_backend" "oidc" {
path = "oidc"
type = "oidc"
oidc_client_id = data.vault_kv_secret_v2.vault_oidc.data.client-id
oidc_client_secret = data.vault_kv_secret_v2.vault_oidc.data.client-secret
oidc_discovery_url = "https://mydomain.myauth.com"
+ default_role = vault_jwt_auth_backend_role.oidc-default.role_name
}
resource "vault_jwt_auth_backend_role" "oidc-default" {
+ backend = vault_jwt_auth_backend.oidc.path
role_name = "oidc-default"
user_claim = "sub"
groups_claim = "groups"
oidc_scopes = ["groups"]
allowed_redirect_uris = [
"https://${local.vault_fqdn}/ui/vault/auth/oidc/oidc/callback",
"http://${local.vault_fqdn}:8250/oidc/callback",
"http://localhost:8250/oidc/callback"
]
bound_audiences = [ "${data.vault_kv_secret_v2.vault_oidc.data.client-id}" ]
token_ttl = 14400
token_max_ttl = 28800
}
Error: Cycle: vault_jwt_auth_backend_role.oidc-default, vault_jwt_auth_backend.oidc
@onefourfive What if we don't reverence the named value in the vault_jwt_auth_backend
? But instead just use the hardcoded string? Or better yet make it a variable that both resource use?
resource "vault_jwt_auth_backend" "oidc" {
// ...
+ default_role = "oidc-default"
- default_role = vault_jwt_auth_backend_role.oidc-default.role_name
}
Or use a var:
resource "vault_jwt_auth_backend" "oidc" {
// ...
+ default_role = var.oidc_default
- default_role = vault_jwt_auth_backend_role.oidc-default.role_name
}
resource "vault_jwt_auth_backend_role" "oidc-default" {
backend = vault_jwt_auth_backend.oidc.path
+ role_name = var.oidc_default
- role_name = "oidc-default"
// ...
}
That gets me past the check, but when I apply I get the same error as earlier:
locals {
...
+ oidc_default_role_name = "oidc-default"
}
resource "vault_jwt_auth_backend" "oidc" {
...
+ default_role = local.oidc_default_role_name
}
resource "vault_jwt_auth_backend_role" "oidc-default" {
...
+ role_name = local.oidc_default_role_name
}
Error: error writing JWT auth backend role "auth/oidc/role/oidc-default": Error making API request.
URL: PUT http://localhost:8200/v1/auth/oidc/role/oidc-default
Code: 404. Errors:
* no handler for route "auth/oidc/role/oidc-default". route entry not found.
with vault_jwt_auth_backend_role.oidc-default,
on vault-config.tf line 37, in resource "vault_jwt_auth_backend_role" "oidc-default":
37: resource "vault_jwt_auth_backend_role" "oidc-default" {
@onefourfive With the above setup, is vault_jwt_auth_backend_role
still referencing the backend resource's named value?
resource "vault_jwt_auth_backend_role" "oidc-default" {
backend = vault_jwt_auth_backend.oidc.path
No actually it's set explicitly:
resource "vault_jwt_auth_backend_role" "oidc-default" {
backend = "oidc"
role_name = local.oidc_default_role_name
ok, I think it should not be set explicitly. I think it should reference the named value otherwise TF can't build the appropriate dependency graph.
Putting it all together, I think you need something like:
locals {
// ...
oidc_default_role_name = "oidc-default"
}
resource "vault_jwt_auth_backend" "oidc" {
default_role = local.oidc_default_role_name
// ...
}
resource "vault_jwt_auth_backend_role" "oidc-default" {
backend = vault_jwt_auth_backend.oidc.path
role_name = local.oidc_default_role_name
// ...
}
I disabled the OIDC auth method and deployed that, and it seemed to work! Thank you.
To summarize, I deployed those resources--
vault_jwt_auth_backend.oidc.default_role
vault_jwt_auth_backend_role.oidc-default.role_name
vault_jwt_auth_backend_role.oidc-default.backend
Is this something that should be explicitly documented? Maybe a note for backend
in vault_jwt_auth_backend_role docs along the lines of
The unique name of the auth backend to configure. Defaults to `jwt`.
+If this role is provisioned as a `default_role`, refer to that backend by reference.
Glad it got resolved!
Is this something that should be explicitly documented?
It isn't only this scenario where you could run into this issue. It is always good practice to refer to a dependent resource by reference. Terraform cannot create a vault_jwt_auth_backend_role
resource without the vault_jwt_auth_backend
resource first being provisioned.
TLDR: always set backend
or path
as a reference to the backend mount resource
Terraform Core Version
1.0.11
Terraform Vault Provider Version
3.25.0
Vault Server Version
1.12.2
Affected Resource(s)
Expected Behavior
oidc
auth backend enabled.oidc/role/default-role
role provisioned.oidc
auth backend configured withoidc/role/default-role
set as default role.Actual Behavior
oidc/role/default-role
role provisioning attempted first. This attempts a write to a path that does not yet exist and results in a 404.Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None