hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: vault_jwt_auth_backend sends request to false API path #2271

Closed niklas-beck closed 3 weeks ago

niklas-beck commented 3 weeks ago

Terraform Core Version

1.8.2

Terraform Vault Provider Version

4.2.0

Vault Server Version

1.16.2

Affected Resource(s)

resource "vault_jwt_auth_backend" with type "oidc"

Expected Behavior

Create a new auth engine at the given path "oidc"

Actual Behavior

Terraform plan fails after sending an API GET request to /v1/sys/mounts/auth/oidc. The correct API path should be /v1/sys/auth/oidc.

Relevant Error/Panic Output Snippet

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: error reading from Vault: Error making API request.
│ 
│ URL: GET https://vault-lb-XXX.elb.eu-west-3.amazonaws.com/v1/sys/mounts/auth/oidc
│ Code: 400. Errors:
│ 
│ * No secret engine mount at auth/oidc/
│ 
│   with vault_jwt_auth_backend.azure,
│   on auth.tf line 10, in resource "vault_jwt_auth_backend" "azure":
│   10: resource "vault_jwt_auth_backend" "azure" {
│ 
╵

Terraform Configuration Files

resource "vault_jwt_auth_backend" "azure" {
  description        = "Login with Azure Entra ID"
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = "https://login.microsoftonline.com/${var.AZURE_TENANT_ID}/v2.0"
  bound_issuer       = "https://login.microsoftonline.com/${var.AZURE_TENANT_ID}/v2.0"
  oidc_client_id     = var.AZURE_CLIENT_ID
  oidc_client_secret = var.AZURE_CLIENT_SECRET
  default_role       = "azure"
  tune {
    listing_visibility = "unauth"
    token_type         = "default-service"
  }
}

Steps to Reproduce

Add the resource "vault_jwt_auth_backend" with type "oidc" to the Terraform deployment and run terraform plan.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

fairclothjm commented 3 weeks ago

@niklas-beck Hello, thanks for reporting and I am sorry you are having issues.

The sys/mounts/auth/{path} endpoint is a valid endpoint and is documented here. I am unable to reproduce this. Could you please provide debug output with the TF_LOG=DEBUG env variable set?

niklas-beck commented 3 weeks ago

@fairclothjm Thank you for your answer. After digging deeper, I resolved the issue. The root cause was a faulty Terraform state. I renamed the resource vault_jwt_auth_backend and, for some reason, the old resource remained in the state, was still interpreted by Terraform, and tried to access the sys/mounts/auth/oidc path. I am still not exactly sure how and why the API request failed. Nonetheless, sorry for my self-made issue :)
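As an added illustration of the root cause described in the closing comment (example configuration, not taken from the issue or the provider), the fragment below renames a vault_jwt_auth_backend resource with a `moved` block so the state entry follows the new address instead of a stale copy being left under the old one; the old resource name `entra` and the `var.*` names are assumptions.

```hcl
# Added example: renaming a vault_jwt_auth_backend resource without leaving a
# stale entry in the Terraform state. Assumes the resource was previously
# declared as vault_jwt_auth_backend.entra (hypothetical old name) and that
# var.AZURE_TENANT_ID / var.AZURE_CLIENT_ID / var.AZURE_CLIENT_SECRET exist.

resource "vault_jwt_auth_backend" "azure" {
  description        = "Login with Azure Entra ID"
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = "https://login.microsoftonline.com/${var.AZURE_TENANT_ID}/v2.0"
  bound_issuer       = "https://login.microsoftonline.com/${var.AZURE_TENANT_ID}/v2.0"
  oidc_client_id     = var.AZURE_CLIENT_ID
  # Declare the secret variable with sensitive = true so it is redacted
  # from plan output and logs.
  oidc_client_secret = var.AZURE_CLIENT_SECRET
  default_role       = "azure"
}

# Records the rename (Terraform 1.1+; the issue uses 1.8.2). During plan,
# Terraform attributes the existing state entry at the old address to the new
# address, so it neither refreshes a phantom resource at the old address nor
# plans a destroy/create for the new one.
moved {
  from = vault_jwt_auth_backend.entra
  to   = vault_jwt_auth_backend.azure
}

# If the rename was already made without a moved block, the same correction
# can be done once from the CLI before the next plan:
#   terraform state list | grep vault_jwt_auth_backend   # spot stale addresses
#   terraform state mv vault_jwt_auth_backend.entra vault_jwt_auth_backend.azure
```

After the move is applied, `terraform state list` should show only the new address, and a subsequent plan should read the auth mount under that address alone.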