hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Terraform keeps changing period and token_period on AppRoles. #584

Open lvets opened 4 years ago

lvets commented 4 years ago

Hello,

Whenever we run a plan/apply, Terraform wants to change the period and token_period value for every approle resource we have. However, after a plan/apply, it still wants to do it again on the next run. We're not sure what's going on.

Terraform Version

➜ terraform -v
Terraform v0.12.7
+ provider.http v1.1.1
+ provider.vault v2.5.0

Your version of Terraform is out of date! The latest version
is 0.12.12. You can update by downloading from www.terraform.io/downloads.html

Updated Terraform, still the same error message.

➜ terraform -v
Terraform v0.12.12
+ provider.http v1.1.1
+ provider.vault v2.5.0

Vault version:

➜ vault status
Key                    Value
---                    -----
Seal Type              shamir
Initialized            true
Sealed                 false
Total Shares           7
Threshold              2
Version                1.2.3
Cluster Name           vault-cluster-3fa358d5
Cluster ID             dae9a982-ea90-3438-d375-fa7ff8e2d82f
HA Enabled             true
HA Cluster             https://<IP>:8201
HA Mode                standby
Active Node Address    https://<IP>:8200

Affected Resource(s)

Terraform Configuration Files

This is the configuration for the AppRole; note that the approle was created in vault < 1.2.

resource "vault_approle_auth_backend_role" "xsmobile" {
  backend             = "approle"
  role_name           = "xsmobile"
  token_period        = 1209600
  token_policies      = [ "service-mobile-cpms" ]
  secret_id_num_uses  = 0
  secret_id_ttl       = 0
  token_max_ttl       = 0
  token_num_uses      = 0
  token_ttl           = 0
}

Debug Output

➜ vault read /auth/approle/role/xsmobile
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
period                     336h
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               336h
token_policies             [service-mobile-cpms]
token_ttl                  0s
token_type                 default

This shows both the period and token_period values. I think this is the default behavior until vault 1.4. However, when we now want to plan/apply, we see the following on every plan:

  # module.common-approles.vault_approle_auth_backend_role.xsmobile will be updated in-place
  ~ resource "vault_approle_auth_backend_role" "xsmobile" {
        backend                 = "approle"
        bind_secret_id          = true
        bound_cidr_list         = []
        id                      = "auth/approle/role/xsmobile"
      - period                  = 1209600 -> null
        policies                = []
        role_id                 = "7b745a1e-343d-2be9-c8ad-6475694a9e00"
        role_name               = "xsmobile"
        secret_id_bound_cidrs   = []
        secret_id_num_uses      = 0
        secret_id_ttl           = 0
        token_bound_cidrs       = []
        token_explicit_max_ttl  = 0
        token_max_ttl           = 0
        token_no_default_policy = false
        token_num_uses          = 0
      ~ token_period            = 0 -> 1209600
        token_policies          = [
            "service-mobile-cpms",
        ]
        token_ttl               = 0
        token_type              = "default"
    }

As we have a high number of approles (+1200), this is really annoying.

Expected Behavior

I would expect the provider to start using token_period and leave period alone?

Actual Behavior

The provider is trying to remove period and adding token_period on every run.

Important Factoids

Not that I know of.

lawliet89 commented 4 years ago

I'm sorry for the problem you are facing. This is a problem with trying to support both the old and new behaviour.

I am trying to figure out how to fix this. The behaviour is implemented in these lines. Could you try running terraform state show module.common-approles.vault_approle_auth_backend_role.xsmobile and posting the result?

Please strip out any sensitive information.

lvets commented 4 years ago

Hi @lawliet89, no worries :) As requested:

➜ terraform state show module.common-approles.vault_approle_auth_backend_role.xsmobile
# module.common-approles.vault_approle_auth_backend_role.xsmobile:
resource "vault_approle_auth_backend_role" "xsmobile" {
    backend                 = "approle"
    bind_secret_id          = true
    bound_cidr_list         = []
    id                      = "auth/approle/role/xsmobile"
    period                  = 1209600
    policies                = []
    role_id                 = "7b745a1e-343d-2be9-c8ad-6475694a9e00"
    role_name               = "xsmobile"
    secret_id_bound_cidrs   = []
    secret_id_num_uses      = 0
    secret_id_ttl           = 0
    token_bound_cidrs       = []
    token_explicit_max_ttl  = 0
    token_max_ttl           = 0
    token_no_default_policy = false
    token_num_uses          = 0
    token_period            = 1209600
    token_policies          = [
        "service-mobile-cpms",
    ]
    token_ttl               = 0
    token_type              = "default"
}

I think that the behaviour is to show both if the approle was created before the upgrade and only show token_period if the approle was created after?

mliang2 commented 4 years ago

I also have the same issue w/ Vault Enterprise.

$ terraform version
Terraform v0.12.10
+ provider.template v2.1.2
+ provider.vault v2.5.0

$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.2.3+prem
Cluster Name             vault-cluster-XXXX
Cluster ID               XXXXX
HA Enabled               true
HA Cluster               https://XXXXX:8201
HA Mode                  active
Last WAL                 849703

$ terraform state show module.approle-legacy-bot.vault_approle_auth_backend_role.approle_auth[0]
# module.approle-legacy-bot.vault_approle_auth_backend_role.approle_auth[0]:
resource "vault_approle_auth_backend_role" "approle_auth" {
    backend                 = "approle"
    bind_secret_id          = true
    bound_cidr_list         = []
    id                      = "auth/approle/role/myapp"
    period                  = 3600
    policies                = []
    role_id                 = "69b27498-8d69-3a77-46eb-82c15bff6777"
    role_name               = "myapp"
    secret_id_bound_cidrs   = []
    secret_id_num_uses      = 0
    secret_id_ttl           = 600
    token_bound_cidrs       = []
    token_explicit_max_ttl  = 0
    token_max_ttl           = 0
    token_no_default_policy = false
    token_num_uses          = 0
    token_period            = 3600
    token_policies          = [
        "myapp-generic",
    ]
    token_ttl               = 0
    token_type              = "default"
}

$ terraform plan
  # module.approle-legacy-bot.vault_approle_auth_backend_role.approle_auth[0] will be updated in-place
  ~ resource "vault_approle_auth_backend_role" "approle_auth" {
        backend                 = "approle"
        bind_secret_id          = true
        bound_cidr_list         = []
        id                      = "auth/approle/role/myapp"
      - period                  = 3600 -> null
        policies                = []
        role_id                 = "69b27498-8d69-3a77-46eb-82c15bff6777"
        role_name               = "myapp"
        secret_id_bound_cidrs   = []
        secret_id_num_uses      = 0
        secret_id_ttl           = 600
        token_bound_cidrs       = []
        token_explicit_max_ttl  = 0
        token_max_ttl           = 0
        token_no_default_policy = false
        token_num_uses          = 0
      ~ token_period            = 0 -> 3600
        token_policies          = [
            "myapp-generic",
        ]
        token_ttl               = 0
        token_type              = "default"
    }

$ vault read auth/approle/role/myapp-bot
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
period                     1h
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              10m
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               1h
token_policies             [myapp-bot-generic]
token_ttl                  0s
token_type                 default

lawliet89 commented 4 years ago

Trying to figure out a fix (WIP) here.

A question for @kalafut and @tyrannosaurus-becks: Does Vault generally ignore unknown fields? Would it be OK if the provider always sends token_x and x fields to a version of Vault < 1.2?

kalafut commented 4 years ago

@lawliet89 The API will ignore them so that should be fine. Note that some of the CLI commands do know about the allowed parameters and will raise errors, but not at the API level.
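To make the perpetual diff concrete, here is a small sketch (added here as an illustration; it is not the provider's code or the WIP fix) of a read-side reconciliation that keeps the value only under the attribute the user configured, plus a write that sends both `period` and `token_period` as the answer above says is safe. The `roleConfig`/`roleState` types, the function names and the sample response are constructed.

```go
package main

import "encoding/json"

// roleConfig: the two competing HCL attributes; 0 means "not set" (constructed stand-in for ResourceData).
type roleConfig struct {
	Period      int // legacy attribute from before Vault 1.2
	TokenPeriod int // attribute added with Vault 1.2's token_* fields
}

// roleState is what would be written back into Terraform state.
type roleState struct{ Period, TokenPeriod int }

// secondsFrom reads a duration-in-seconds field from a Vault read
// response; the Vault Go client decodes numbers as json.Number.
func secondsFrom(resp map[string]interface{}, key string) int {
	switch v := resp[key].(type) {
	case json.Number:
		n, _ := v.Int64()
		return int(n)
	case int:
		return v
	}
	return 0
}

// reconcilePeriod keeps the value under the attribute the user configured
// and leaves the other unset. Vault >= 1.2 returns the same number as both
// "period" and "token_period"; mirroring both into state yields the
// perpetual "- period -> null" / "~ token_period = 0 -> N" plan above.
func reconcilePeriod(cfg roleConfig, resp map[string]interface{}) roleState {
	v := secondsFrom(resp, "token_period")
	if v == 0 { // a pre-1.2 server only knows "period"
		v = secondsFrom(resp, "period")
	}
	if cfg.Period != 0 && cfg.TokenPeriod == 0 {
		return roleState{Period: v} // user still on the legacy attribute
	}
	return roleState{TokenPeriod: v}
}

// writePayload sends both spellings; per the maintainer's answer above the
// Vault API ignores unknown parameters, so a pre-1.2 server drops token_period.
func writePayload(cfg roleConfig) map[string]interface{} {
	v := cfg.TokenPeriod
	if v == 0 {
		v = cfg.Period
	}
	return map[string]interface{}{"period": v, "token_period": v}
}
```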

fd commented 4 years ago

@lawliet89 what's the status of the fix?

omers commented 4 years ago

Same issue for me, Following...