Open soapergem opened 5 years ago
Actually, I looked into this a little further and tried to create the Vault role directly from the CLI (not using Terraform). It turns out that one does need inferencing enabled to use the bind features, so I'm going to close this.
I got this same error when using config like:
```hcl
resource "vault_aws_auth_backend_role" "developer" {
  backend             = vault_auth_backend.aws.path
  role                = "developer"
  auth_type           = "iam"
  bound_iam_role_arns = [var.some_role_arn]
  token_policies      = ["default", vault_policy.dev_ro.name]
}
```
But weirdly, if I added `inferred_entity_type` and `inferred_aws_region` it worked. Then afterwards I was able to remove `inferred_entity_type`, and it applied successfully.
And using the API worked as well. I think there is something weird with how Terraform is using the API. Maybe something is being set to a default value that should be undefined?
I checked with the Vault CLI: if you remove `inferred_aws_region` and `inferred_entity_type` after applying, they are not removed and stay the same in the AWS role. Also I am able to create the role just fine using the Vault CLI without providing the above two fields. Can we reopen the issue?
We may need to make `inferred_aws_region` and `inferred_entity_type` Computed as well as check that all create and update paths work as they should.
I'm hitting the same issue today. I have the same results as mentioned here https://github.com/hashicorp/terraform-provider-vault/issues/378#issuecomment-1678429863
When configuring via vault-cli everything works as expected and I can authenticate using the vault cli. However, when I do it using Terraform I get an error:
```
failed to verify MyRole as a valid EC2 instance in region eu-central-1: error fetching description for instance ID "MyRole"
```
And of course, I can't remove the parameters `inferred_aws_region` or `inferred_entity_type`, making it impossible to configure this via Terraform.
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Expected Behavior
It should have created the `vault_aws_auth_backend_role` resource without problems.
Actual Behavior
It failed to create the resource, giving this error:
Steps to Reproduce
`terraform apply`
Important Factoids
Obviously you need to point it to a real Vault server and use a real (root) token.
I noticed that if I add in both of these fields:
...then it saves the resource successfully. However I specifically don't want to add these fields. Looking at the Vault API code, it should be able to work without them. Since I already do specify two bindings (`bound_iam_role_arns` and `bound_iam_instance_profile_arns`), this would lead me to believe that this Terraform provider is calling the Vault API in a weird way.
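Added example, not code from the issue, the reporter, or the provider: the configuration shape discussed across this thread (an `iam`-type role restricted by IAM ARN bindings) written out with the two inference attributes stated explicitly, which is the form commenters report applying cleanly. The mount path, policy, account ID, ARNs and region are placeholders.

```hcl
# Added example; all names, ARNs and the region below are placeholders.

resource "vault_auth_backend" "aws" {
  type = "aws"
  path = "aws"
}

resource "vault_policy" "dev_ro" {
  name   = "dev-ro"
  policy = <<-EOT
    path "secret/data/dev/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

resource "vault_aws_auth_backend_role" "developer" {
  backend   = vault_auth_backend.aws.path
  role      = "developer"
  auth_type = "iam"

  # The bound_* attributes are the access control for this role: only a
  # caller whose IAM identity matches one of these ARNs can log in as it.
  bound_iam_role_arns             = ["arn:aws:iam::123456789012:role/developer"]
  bound_iam_instance_profile_arns = ["arn:aws:iam::123456789012:instance-profile/developer"]

  # Stating these explicitly is the workaround reported in the thread. With
  # inferred_entity_type = "ec2_instance" Vault additionally verifies at login
  # that the caller is a running EC2 instance in inferred_aws_region, which is
  # the check behind the "failed to verify ... as a valid EC2 instance" error
  # when a non-instance principal logs in. Only keep them for roles that EC2
  # instances use.
  inferred_entity_type = "ec2_instance"
  inferred_aws_region  = "eu-central-1"

  token_policies = ["default", vault_policy.dev_ro.name]
  token_ttl      = 3600
  token_max_ttl  = 14400
}
```

After `terraform apply`, read the stored role back with `vault read auth/aws/role/developer` and compare it with the HCL. The thread reports that dropping the two inference attributes from the configuration does not clear them on the Vault side, so the stored role, not the Terraform state, is what decides which callers pass the login check.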