hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: 405s on terraform plan reading resource for `vault_mount` with version 4.0 #2193

Closed rednap closed 3 months ago

rednap commented 3 months ago

Terraform Core Version

1.5.5

Terraform Vault Provider Version

4.0.0

Vault Server Version

1.9.2

Affected Resource(s)

vault_mount

Expected Behavior

Expected that it mounts the new Vault secret engine (cert authority).

Actual Behavior

Fails on GET with a 405.

Relevant Error/Panic Output Snippet

2024-03-14T08:51:14.033-0600 [DEBUG] [aws-sdk-go]
2024-03-14T08:51:14.034-0600 [ERROR] vertex "digitalocean_droplet.mitto" error: file provisioner error
2024-03-14T08:51:14.035-0600 [DEBUG] states/remote: state read serial is: 2; serial is: 2
2024-03-14T08:51:14.036-0600 [DEBUG] states/remote: state read lineage is: 07631810-bc30-cb50-65ef-a1ffb14510f0; lineage is: 07631810-bc30-cb50-65ef-a1ffb14510f0
╷
│ Error: file provisioner error
│ 
│   with digitalocean_droplet.mitto,
│   on mitto.tf line 56, in resource "digitalocean_droplet" "mitto":
│   56:   provisioner "file" {
│ 
│ stat instance-for-vault-bug-ca.pub: no such file or directory
╵
╷
│ Error: error reading from Vault: Error making API request.
│ 
│ URL: GET https://vault.zuarbase.net:8200/v1/sys/mounts/instance-for-vault-bug-runner-ca
│ Code: 405. Errors:
│ 
│ * 1 error occurred:
│   * unsupported operation
│ 
│ 
│ 
│   with vault_mount.customer-ssh,
│   on vault.tf line 21, in resource "vault_mount" "customer-ssh":
│   21: resource "vault_mount" "customer-ssh" {
│ 
╵
2024-03-14T08:51:14.043-0600 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-14T08:51:14.043-0600 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-14T08:51:14.043-0600 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-14T08:51:14.043-0600 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-03-14T08:51:14.045-0600 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/null/3.2.2/darwin_arm64/terraform-provider-null_v3.2.2_x5 pid=83141
2024-03-14T08:51:14.045-0600 [DEBUG] provider: plugin exited
2024-03-14T08:51:14.045-0600 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/digitalocean/digitalocean/2.36.0/darwin_arm64/terraform-provider-digitalocean_v2.36.0 pid=83144
2024-03-14T08:51:14.045-0600 [DEBUG] provider: plugin exited
2024-03-14T08:51:14.046-0600 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/vault/4.0.0/darwin_arm64/terraform-provider-vault_v4.0.0_x5 pid=83143
2024-03-14T08:51:14.046-0600 [DEBUG] provider: plugin exited
2024-03-14T08:51:14.048-0600 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.40.0/darwin_arm64/terraform-provider-aws_v5.40.0_x5 pid=83147
2024-03-14T08:51:14.048-0600 [DEBUG] provider: plugin exited

Terraform Configuration Files

# Policy granting the runner access to its SSH CA mount
resource "vault_policy" "customer" {
  provider = vault

  name   = "${var.hostname_base}-runner"
  policy = data.vault_policy_document.permissions.hcl
}

data "vault_policy_document" "permissions" {
  rule {
    path         = "${var.hostname_base}-runner-ca/*"
    capabilities = ["read", "list"]
    description  = "allow read and list oidc-ca path under customer/"
  }
  rule {
    path         = "${var.hostname_base}-runner-ca/sign/user"
    capabilities = ["create", "update", "delete", "read", "list"]
    description  = "allow managing options into customer Vault role"
  }
}

# SSH secrets engine used as a certificate authority; this is the resource
# whose read (GET sys/mounts/<path>) fails with 405 on provider 4.0.0
resource "vault_mount" "customer-ssh" {
  path       = "${var.hostname_base}-runner-ca"
  type       = "ssh"
  depends_on = [vault_policy.customer]
}

Steps to Reproduce

Just try to mount a new CA secret engine with 4.0.0.

Debug Output

(identical to the Relevant Error/Panic Output Snippet above)

Panic Output

No response

Important Factoids

I locked the version to 3.25.0 and it works fine.

References

No response

Would you like to implement a fix?

None

fairclothjm commented 3 months ago

Hello @rednap. I am sorry you are having trouble!

As per the v4.0.0 Upgrade Guide, the Terraform Vault Provider only supports Vault server version 1.11.x and greater. We recommend you upgrade your Vault server.
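As an added example (not from this issue or the provider's code base), a small Python preflight check that reads the server version from `GET /v1/sys/health` and compares it with the 1.11 minimum the v4.0.0 upgrade guide states, and that classifies the 405 returned by `GET /v1/sys/mounts/<path>` shown above. The `/v1/sys/health` endpoint and its `version` field are real; the sample response body and the classification wording are constructed.

```python
"""Preflight: is this Vault server new enough for terraform-provider-vault 4.x?"""
import json
import urllib.error
import urllib.request
from typing import Tuple

# Minimum Vault server version for provider 4.x, per the v4.0.0 upgrade guide.
MIN_VAULT_FOR_PROVIDER_4 = (1, 11, 0)


def parse_version(v: str) -> Tuple[int, int, int]:
    """'1.9.2', 'v1.11.4+ent', '1.15.0-rc1' -> (major, minor, patch)."""
    core = v.lstrip("v").split("+")[0].split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def server_version(health_json: str) -> str:
    """Extract the 'version' field from the JSON body of GET /v1/sys/health."""
    return json.loads(health_json)["version"]


def supported_by_provider_4(vault_version: str) -> bool:
    """True when the server meets the 1.11.x+ floor of provider 4.x."""
    return parse_version(vault_version) >= MIN_VAULT_FOR_PROVIDER_4


def explain_mount_read(status: int) -> str:
    """Classify the status of GET /v1/sys/mounts/<path> as provider 4.x issues it."""
    if status == 200:
        return "ok: server answers per-mount reads"
    if status == 405:
        return ("unsupported operation: server predates per-mount GET; "
                "upgrade Vault to 1.11+ or pin the provider below 4.0.0")
    if status == 403:
        return "permission denied: token lacks read on sys/mounts/<path>"
    return f"unexpected status {status}"


def fetch_health(addr: str) -> str:
    """Live helper (unauthenticated): sys/health carries 'version' even on non-200."""
    req = urllib.request.Request(f"{addr}/v1/sys/health?standbyok=true&perfstandbyok=true")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:  # 429/472/473/501/503 still carry a JSON body
        return err.read().decode()


# Constructed sample body mimicking the 1.9.2 server in this issue.
SAMPLE_HEALTH = '{"initialized": true, "sealed": false, "standby": false, "version": "1.9.2"}'
```

Run `fetch_health("https://vault.example:8200")` (placeholder address) and feed the body to `server_version` and `supported_by_provider_4` before `terraform plan` to catch this mismatch without a failed run.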

fairclothjm commented 3 months ago

Closing as Vault server version 1.9 is no longer supported.