hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: Create KV2 secret fails if the KV2 mount parent is just created #2322

Open radup123 opened 1 week ago

radup123 commented 1 week ago

Terraform Core Version

1.3.3

Terraform Vault Provider Version

4.4.0

Vault Server Version

1.16.5

Affected Resource(s)

No response

Expected Behavior

Create KV2 secret works even if the KV2 mount parent is just created.

Actual Behavior

The kv2 mount is created, but when creating the secret I get this error: │ * no handler for route "kv2_mount/data/secret/my-secret". route entry not found.

If I reapply, the secret gets created.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

main.tf.zip

Steps to Reproduce

Issue is not always reproducible.

  1. Create KV2 mount point
  2. Create secret under the mount created at step 1.
  3. Observe error: │ * no handler for route "kv2_mount/data/secret/my-secret". route entry not found.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

fairclothjm commented 7 hours ago

Hello @radup123! I am sorry you are having trouble!

Thanks for providing the TF config. I took a look and the issue is that TF does not understand the dependency relationship between the two resources. In particular, vault_kv_secret_v2 needs to make a reference to the vault_mount's named value because the backend must be mounted before we can create the secret.

So change the vault_kv_secret_v2 resource to this:

 resource "vault_kv_secret_v2" "secret" {
   name = "secret/my-secret"
-  mount = "kv2_mount"
+  mount = vault_mount.kv2_mount.path
   data_json = jsonencode(
   {
     "key" = "value",
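The two resources side by side, as an added example that is not the reporter's attached main.tf or the maintainer's snippet: the resource labels follow the diff above, while the mount's type and options and the secret's payload are assumptions.

```hcl
# Added example (not the reporter's attached main.tf). The vault_mount block is
# assumed; the issue only shows it being referenced by path.

# KV version 2 engine mounted at "kv2_mount".
resource "vault_mount" "kv2_mount" {
  path    = "kv2_mount"
  type    = "kv"
  options = { version = "2" }
}

resource "vault_kv_secret_v2" "secret" {
  name = "secret/my-secret"

  # A literal string tells Terraform nothing about ordering: both resources
  # start in parallel and the write can reach Vault before the mount exists,
  # producing "no handler for route ... route entry not found" on the first apply.
  # mount = "kv2_mount"

  # Referencing the mount's exported attribute creates an implicit dependency,
  # so the secret is written only after the mount has been created.
  mount = vault_mount.kv2_mount.path

  data_json = jsonencode({
    key = "value"
  })
}
```

Once the attribute reference is in place, a `depends_on` meta-argument on the secret would enforce the same ordering but is redundant.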