Open. Moep90 opened 1 month ago

### Terraform Core Version
1.5.7

### Terraform Vault Provider Version
4.2.0

### Vault Server Version
1.16.1

### Affected Resource(s)

### Expected Behavior
An identity_oidc_role would be created

### Actual Behavior
Terraform fails to create a role with an e-mail as a name.

### Relevant Error/Panic Output Snippet
```
│ Error: error writing IdentityOidcRole identity/oidc/role/group@example.com: Error making API request.
│
│ URL: PUT http://localhost:8200/v1/identity/oidc/role/group@example.com
│ Code: 404. Errors:
│
│ * 1 error occurred:
│ 	* unsupported path
```

### Terraform Configuration Files
```hcl
resource "vault_identity_oidc_key" "this" {
  name      = "xxx-oidc-key"
  algorithm = "RS256"
}

resource "vault_identity_oidc_role" "this" {
  name = "group@example.com"
  key  = vault_identity_oidc_key.this.name
}
```

### Steps to Reproduce

### Debug Output
No response

### Panic Output
No response

### Important Factoids
My groups get fetched by GCP + Google Workspace, which has the email as an identifier.

It seems like the role name is directly mapped 1:1, which causes this: https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_identity_oidc_role.go#L81

However it works with the CLI:

```shell
vault write identity/group name="group@example.com" type="external" \
  policies="role-admin" \
  metadata=responsibility="Admin Group"
```

This would be represented as:

```shell
$ vault write -output-curl-string identity/group name="group@example.com" type="external" \
  policies="role-admin" \
  metadata=responsibility="Admin Group"
# Respective CURL
$ curl -X PUT -H "X-Vault-Request: true" \
  -H "X-Vault-Token: $(vault print token)" \
  -d '{"metadata":"responsibility=Admin Group","name":"group@example.com","policies":"role-admin","type":"external"}' \
  http://localhost:8200/v1/identity/group
```

### References
No response

### Would you like to implement a fix?
No

@Moep90 Hello, the Vault CLI command you are using is creating an identity group which would map to the Provider's vault_identity_group resource
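As an added example (not code from the issue, the reporter, or the provider's documentation), here is how the `vault write identity/group ...` command quoted above maps onto the provider's `vault_identity_group` resource, next to an OIDC role whose name is checked at plan time instead of failing at apply with a 404. The two requests differ in where the name travels: the curl output in the issue shows the group name inside the JSON body of `PUT /v1/identity/group`, while the failing request puts the role name directly into the URL path `identity/oidc/role/<name>`. The character set in the `validation` regex, and the claim that Vault rejects `@` in that path, are assumptions about the server's path matching, not something stated on this page; `oidc_role_name` and the resource labels are made up for the example.

```hcl
# Added example, not part of the issue or the provider.
# Assumption: Vault's identity/oidc/role/<name> path only accepts names made of
# [A-Za-z0-9_.-] that start and end with a word character, so "@" is rejected
# with 404 "unsupported path". The regex below encodes that assumption.
variable "oidc_role_name" {
  type    = string
  default = "group-example-com"

  validation {
    condition     = can(regex("^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$", var.oidc_role_name))
    error_message = "oidc_role_name is used verbatim in the URL path identity/oidc/role/<name>; characters such as '@' are rejected by Vault, so use a path-safe name and keep the e-mail on the group."
  }
}

# The CLI command from the issue expressed as a resource. The group name is sent
# in the request body of PUT /v1/identity/group, so an e-mail address is accepted here.
resource "vault_identity_group" "admins" {
  name     = "group@example.com"
  type     = "external"
  policies = ["role-admin"]
  metadata = {
    responsibility = "Admin Group"
  }
}

resource "vault_identity_oidc_key" "this" {
  name      = "xxx-oidc-key"
  algorithm = "RS256"
}

# The OIDC role keeps a path-safe name; the e-mail identifier stays on the group above.
resource "vault_identity_oidc_role" "this" {
  name = var.oidc_role_name
  key  = vault_identity_oidc_key.this.name
}
```

With this layout `terraform plan -var 'oidc_role_name=group@example.com'` stops with the validation message before any API call is made, while the default name applies cleanly; the group itself is unaffected because its name never becomes part of a URL path.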