hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Cannot create Vault Auth Backend Role without also enabling inferencing #378

Open soapergem opened 5 years ago

soapergem commented 5 years ago

Terraform Version

Terraform v0.11.11
+ provider.aws v2.4.0
+ provider.vault v1.6.0

Affected Resource(s)

Terraform Configuration Files

provider "aws" {
  region  = "us-east-1"
}

provider "vault" {
  address = "https://vault.REDACTED.com"
  token = "REDACTED"
}

resource "vault_policy" "envconfig" {
  name   = "envconfig-reader"
  policy = "${file("envconfig-policy.hcl")}"
}

resource "vault_aws_auth_backend_role" "envconfig" {
  backend                         = "aws"
  role                            = "${vault_policy.envconfig.name}"
  auth_type                       = "iam"
  bound_iam_role_arns             = ["${aws_iam_role.envconfig.arn}"]
  bound_iam_instance_profile_arns = ["${aws_iam_instance_profile.envconfig.arn}"]
  ttl                             = 60
  max_ttl                         = 120
  policies                        = ["${vault_policy.envconfig.name}"]
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "Service"

      identifiers = [
        "ec2.amazonaws.com",
        "ecs.amazonaws.com",
        "lambda.amazonaws.com",
      ]
    }
  }
}

resource "aws_iam_role" "envconfig" {
  name               = "envconfig-reader"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
}

resource "aws_iam_instance_profile" "envconfig" {
  name = "${aws_iam_role.envconfig.name}"
  role = "${aws_iam_role.envconfig.name}"
}

resource "aws_iam_role_policy_attachment" "envconfig-basic" {
  role       = "${aws_iam_role.envconfig.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "envconfig-vpc" {
  role       = "${aws_iam_role.envconfig.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

Debug Output

Link to a GitHub Gist containing the complete debug output

Expected Behavior

It should have created the vault_aws_auth_backend_role resource without problems.

Actual Behavior

It failed to create the resource, giving this error:

at least one bound parameter should be specified on the role

Steps to Reproduce

  1. terraform apply

Important Factoids

Obviously you need to point it to a real Vault server and use a real (root) token.

I noticed that if I add in both of these fields:

inferred_entity_type = "ec2_instance"
inferred_aws_region  = "us-east-1"

...then it saves the resource successfully. However I specifically don't want to add these fields. Looking at the Vault API code, it should be able to work without them. Since I already do specify two bindings (bound_iam_role_arns and bound_iam_instance_profile_arns), this would lead me to believe that this Terraform provider is calling the Vault API in a weird way.

soapergem commented 5 years ago

Actually, I looked into this a little further and tried to create the Vault role directly from the CLI (not using Terraform). It turns out that one does need inferencing enabled to use the bind features, so I'm going to close this.

tmccombs commented 1 year ago

I got this same error when using config like:

resource "vault_aws_auth_backend_role" "developer" {
  backend             = vault_auth_backend.aws.path
  role                = "developer"
  auth_type           = "iam"
  bound_iam_role_arns = [var.some_role_arn]
  token_policies      = ["default", vault_policy.dev_ro.name]
}

But weirdly, if I added inferred_entity_type and inferred_aws_region it worked. Then afterwards I was able to remove inferred_entity_type, and it applied successfully.

And using the API worked as well. I think there is something weird with how Terraform is using the API. Maybe something is being set to a default value that should be undefined?

mt-milind commented 11 months ago

I checked with the Vault CLI: if you remove inferred_aws_region and inferred_entity_type after applying, they are not removed and stay the same in the AWS role. Also, I am able to create the role just fine using the Vault CLI without providing the above two fields. Can we open the issue again?

fairclothjm commented 11 months ago

We may need to make inferred_aws_region and inferred_entity_type Computed as well as check that all create and update paths work as they should.

Conacious commented 10 months ago

I'm hitting the same issue today. I have the same results as mentioned here https://github.com/hashicorp/terraform-provider-vault/issues/378#issuecomment-1678429863

When configuring via the Vault CLI everything works as expected and I can authenticate using the Vault CLI. However, when I do it using Terraform I get an error:

failed to verify MyRole as a valid EC2 instance in region eu-central-1: error fetching description for instance ID "MyRole"

And of course, I can't remove the parameters inferred_aws_region or inferred_entity_type making it impossible to configure this via Terraform.