vault_gcp_auth_backend_role doesn't create IAM Service accounts as 'vault write' does

[mukesh-panigrahi]

Terraform Version

Terraform v0.11.11
+ provider.vault v1.5.0

Terraform Configuration Files

resource "vault_gcp_auth_backend_role" "gcp" {
    role                   = "sample-vault-role"
    type                   = "iam"
    backend                = "gcp"
    project_id             = "${var.project_id}"
    bound_service_accounts = ["vault-managed@xxxxx-sandbox.iam.gserviceaccount.com"]
    policies               = ["${vault_policy.agent-policy.name}"]
    ttl                    = "3600"
}

Expected Behavior

It should work similar to below vault commands:-

vault write gcp/roleset/my-key-roleset \
    project="my-project" \
    secret_type="service_account_key"  \
    bindings=-<<EOF
      resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
        roles = ["roles/viewer"]
      }
    EOF

where it creates Google IAM service accounts with keys and manages it. May be the working of the tf resource is different. Would like to know what are the prerequisites on gcp iam side before tf apply of this resource. Do we need to create the service accounts in advance n mention the same in bound_service accounts?

Actual Behavior

No error!! tf apply goes well. Cant read from 'vault read' commands after vault changes are done.

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

1. terraform init
2. terraform apply

Additional Context

Even couldn't find a way to attach role-set bindings from external files to the resource just as we can with below vault write command

vault write gcp/roleset/my-roleset
    bindings=@mybindings.hcl

Plz update the https://www.terraform.io/docs/providers/vault/r/gcp_auth_backend_role.html#role accordingly with better samples. and links for integrating the vault services along with sample applications.

References

Would like the tf resource to work similar to below vault configuration page. https://www.vaultproject.io/docs/secrets/gcp/index.html

Raised a issue before as well but was closed after moved to wrong provider (gcp). https://github.com/hashicorp/terraform/issues/20474

[cvbarros]

@mukesh-panigrahi if I understand correctly, your terraform configuration example lists a vault_gcp_auth_backend_role. This is related to GCP Auth Method and not the GCP secret engine.

From the rest of your description, I understand that your use case would be to dynamically generate credentials for GCP, so you would need to use the secret engine resources, which unfortunately are not yet implemented in this provider.

For further reference: GCP Secret Engine: https://www.vaultproject.io/api/secret/gcp/index.html

GCP Auth Method: https://www.vaultproject.io/api/auth/gcp/index.html

[cvbarros]

@tyrannosaurus-becks Recommendation: Close

[mukesh-panigrahi]

@cvbarros I guess the vault_gcp_secret_backend resource is available now, but still it seems that it lacks many of the actual vault write features like role binding to generated service-accounts. Plus the sample on the website for the resource is very poor. I am finding a hardtime to understand the functionality.

Can you please explain, how can i make the tf resource work similar to the link given below- https://codelabs.developers.google.com/codelabs/hashicorp-vault-secrets-generate-service-account-credentials/index.html?index=..%2F..hashiconf-us-18#5

I am assuming that I have to use both resource i.e vault_gcp_secret_backend + vault_gcp_auth_backend_role

My vault_gcp_secret_backend resource looks like below along with vault_gcp_auth_backend_role mentioned above.

resource "vault_gcp_secret_backend" "gcp" {
  path = "gcp/config"
  default_lease_ttl_seconds = "3600"
}

[howsTricks]

@mukesh-panigrahi Did you ever get this to work? We are going down the same path and anything you've got to work would be really helpful.

[mukesh-panigrahi]

@howsTricks No not yet. I am working on it now, as I can see few more terraform resources has been added to the list related to gcp secret.

Will update as I get it done.