hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: Error 404: Unsupported Path for IdentityOidcRole API Request when using email as name #2252

Open Moep90 opened 1 month ago

Moep90 commented 1 month ago

Terraform Core Version

1.5.7

Terraform Vault Provider Version

4.2.0

Vault Server Version

1.16.1

Affected Resource(s)

Expected Behavior

An identity_oidc_role would be created

Actual Behavior

Terraform fails to create a role with an e-mail as a name.

Relevant Error/Panic Output Snippet

```text
│ Error: error writing IdentityOidcRole identity/oidc/role/group@example.com: Error making API request.
│
│ URL: PUT http://localhost:8200/v1/identity/oidc/role/group@example.com
│ Code: 404. Errors:
│
│ * 1 error occurred:
│   * unsupported path
```

Terraform Configuration Files

```hcl
resource "vault_identity_oidc_key" "this" {
  name      = "xxx-oidc-key"
  algorithm = "RS256"
}

resource "vault_identity_oidc_role" "this" {
  name = "group@example.com"
  key  = vault_identity_oidc_key.this.name
}
```

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

My groups get fetched by GCP + Google Workspace, which has the email as an identifier.

It seems like the role name is directly mapped 1:1, which causes this: https://github.com/hashicorp/terraform-provider-vault/blob/main/vault/resource_identity_oidc_role.go#L81

However it works with the CLI:

```shell
vault write identity/group name="group@example.com" type="external" \
        policies="role-admin" \
        metadata=responsibility="Admin Group"
```

This would be represented as:

```shell
$ vault write -output-curl-string identity/group name="group@example.com" type="external" \
        policies="role-admin" \
        metadata=responsibility="Admin Group"
# Respective CURL
$ curl -X PUT -H "X-Vault-Request: true" \
  -H "X-Vault-Token: $(vault print token)" \
  -d '{"metadata":"responsibility=Admin Group","name":"group@example.com","policies":"role-admin","type":"external"}' \
  http://localhost:8200/v1/identity/group
```

References

No response

Would you like to implement a fix?

No

fairclothjm commented 1 month ago

@Moep90 Hello, the Vault CLI command you are using is creating an identity group, which would map to the Provider's `vault_identity_group` resource
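To make the difference between the two requests concrete, here is an added Go example (not code from the provider, from Vault, or from either commenter). For an OIDC role the name becomes a URL path segment (`identity/oidc/role/<name>`, as the error above shows), so Vault's router only answers if the segment matches the route's name pattern; for `identity/group` the name travels in the JSON body and the path is fixed. The pattern used below is my recollection of `framework.GenericNameRegex` from the Vault SDK (word characters, `-` and `.`, not starting or ending with `-` or `.`) and is an assumption; the `-at-` substitution and all function names are hypothetical helpers, not provider API:

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// genericNameRegex mirrors what I recall of Vault's framework.GenericNameRegex("name")
// (assumption): \w(([\w-.]+)?\w)? anchored to the whole path segment.
// An '@' can never match, so identity/oidc/role/group@example.com matches no
// route in Vault's path table and is answered with 404 "unsupported path".
var genericNameRegex = regexp.MustCompile(`^\w(([\w-.]+)?\w)?$`)

// oidcRolePath builds the request path for an OIDC role the same way the
// error output shows it (identity/oidc/role/<name>) and refuses a name Vault
// would not route, so the problem surfaces before any PUT is sent.
func oidcRolePath(name string) (string, error) {
	if !genericNameRegex.MatchString(name) {
		return "", fmt.Errorf("oidc role name %q is not a routable Vault path segment (must match %s)", name, genericNameRegex)
	}
	return path.Join("identity/oidc/role", name), nil
}

// roleNameFromEmail derives a routable OIDC role name from a Google Workspace
// group address. Hypothetical mapping: '@' becomes "-at-"; '.', '-' and word
// characters are kept because the pattern above permits them. The address
// itself is not lost: the group (identity/group) keeps the e-mail as its name.
func roleNameFromEmail(email string) (string, error) {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return "", errors.New("not an e-mail address: " + email)
	}
	name := email[:at] + "-at-" + email[at+1:]
	if !genericNameRegex.MatchString(name) {
		return "", fmt.Errorf("derived name %q still contains characters Vault rejects", name)
	}
	return name, nil
}

// groupRequest shows the contrast the maintainer's reply draws: for
// identity/group the name is a body field, so the path never carries the '@'.
// Body keys follow the curl command the reporter posted.
func groupRequest(name, groupType, policies string) (string, map[string]interface{}) {
	return "identity/group", map[string]interface{}{
		"name":     name,
		"type":     groupType,
		"policies": policies,
	}
}

func main() {
	for _, n := range []string{"group@example.com", "xxx-oidc-key"} {
		p, err := oidcRolePath(n)
		fmt.Printf("%-20s -> path=%q err=%v\n", n, p, err)
	}
	n, err := roleNameFromEmail("group@example.com")
	fmt.Println("derived role name:", n, err)
	gp, body := groupRequest("group@example.com", "external", "role-admin")
	fmt.Println(gp, body)
}
```

The practical consequence for the configuration above: keep the e-mail as the `vault_identity_group` name, and give the `vault_identity_oidc_role` a derived name such as `group-at-example.com` (for example via Terraform's `replace()` on the address), since the role name is a path segment and nothing in the provider can escape it into something Vault will route.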