hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Enhancement]: Support allow_empty_principals on vault_ssh_secret_backend_role #2340

Closed Sayrus closed 2 weeks ago

Sayrus commented 1 month ago

Description

https://github.com/hashicorp/vault/pull/28466 introduces a breaking change (Vault 1.18, backported to 1.17) for SSH Backend by disallowing empty roles by default. Unfortunately, it is currently not possible to set allow_empty_principals from Terraform.

Signing done without principals returns:

empty valid principals not allowed by role

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "vault_ssh_secret_backend_role" "example" {
  # ...
  allow_empty_principals = true # defaults to false
}

References

https://github.com/hashicorp/vault/pull/28466

Would you like to implement a fix?

None

cloudplumber2000 commented 2 weeks ago

Came here after issues search for the same thing. Would be very nice to have in the next release.

lauracraciun90 commented 1 week ago

Hi @fairclothjm, I was wondering when the new version of the provider will be available please? I've noticed the allow_empty_principals field is not yet available and unfortunately, this has been causing us issues. Also, is there any workaround that we can put in place at all until the flag is released? Many thanks! :)

fairclothjm commented 1 week ago

Hi @lauracraciun90 ! I am sorry you are having issues. We try to do a release in the middle of each month. We are planning to do one within the week.

Unfortunately, I don't have any workarounds at this time.

lauracraciun90 commented 1 week ago

Hi @fairclothjm, thanks very much indeed for your reply :) That's good to know - will wait for the new release to become available in the next few days. That's ok, no problem at all. Many thanks for your help!

fairclothjm commented 6 days ago

@lauracraciun90 https://github.com/hashicorp/terraform-provider-vault/releases/tag/v4.5.0 😄

lauracraciun90 commented 1 day ago

Hi @fairclothjm thanks very much for the update! :)

I've upgraded the vault provider to version 4.50 and tried to incorporate the flag in our setup, however, it still doesn't fix the problem for us.

Should the field be used within the vault_ssh_secret_backend_role resource? If so, it looks like the argument is not supported by terraform and I'm getting an "unsupported argument" error.

I've also tried to add the flag to the API call to Vault, however, this doesn't work either, and I'm still getting the empty service principals error.

Please could you give me some more info on this if possible? Many thanks!