Open lvets opened 4 years ago
I'm sorry for the problem you are facing. This is a problem with trying to support both the old and new behaviour.
I am trying to figure out how to fix this. The behaviour is implemented in these lines. Could you try running terraform state show module.common-approles.vault_approle_auth_backend_role.xsmobile and posting the result? Please strip out any sensitive information.
Hi @lawliet89, no worries :) As requested:
➜ terraform state show module.common-approles.vault_approle_auth_backend_role.xsmobile
# module.common-approles.vault_approle_auth_backend_role.xsmobile:
resource "vault_approle_auth_backend_role" "xsmobile" {
    backend                 = "approle"
    bind_secret_id          = true
    bound_cidr_list         = []
    id                      = "auth/approle/role/xsmobile"
    period                  = 1209600
    policies                = []
    role_id                 = "7b745a1e-343d-2be9-c8ad-6475694a9e00"
    role_name               = "xsmobile"
    secret_id_bound_cidrs   = []
    secret_id_num_uses      = 0
    secret_id_ttl           = 0
    token_bound_cidrs       = []
    token_explicit_max_ttl  = 0
    token_max_ttl           = 0
    token_no_default_policy = false
    token_num_uses          = 0
    token_period            = 1209600
    token_policies          = [
        "service-mobile-cpms",
    ]
    token_ttl               = 0
    token_type              = "default"
}
I think that the behaviour is to show both if the approle was created before the upgrade and only show token_period if the approle was created after?
I also have the same issue w/ Vault Enterprise.
$ terraform version
Terraform v0.12.10
+ provider.template v2.1.2
+ provider.vault v2.5.0
$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.2.3+prem
Cluster Name             vault-cluster-XXXX
Cluster ID               XXXXX
HA Enabled               true
HA Cluster               https://XXXXX:8201
HA Mode                  active
Last WAL                 849703
$ terraform state show module.approle-legacy-bot.vault_approle_auth_backend_role.approle_auth[0]
# module.approle-legacy-bot.vault_approle_auth_backend_role.approle_auth[0]:
resource "vault_approle_auth_backend_role" "approle_auth" {
    backend                 = "approle"
    bind_secret_id          = true
    bound_cidr_list         = []
    id                      = "auth/approle/role/myapp"
    period                  = 3600
    policies                = []
    role_id                 = "69b27498-8d69-3a77-46eb-82c15bff6777"
    role_name               = "myapp"
    secret_id_bound_cidrs   = []
    secret_id_num_uses      = 0
    secret_id_ttl           = 600
    token_bound_cidrs       = []
    token_explicit_max_ttl  = 0
    token_max_ttl           = 0
    token_no_default_policy = false
    token_num_uses          = 0
    token_period            = 3600
    token_policies          = [
        "myapp-generic",
    ]
    token_ttl               = 0
    token_type              = "default"
}
$ terraform plan
# module.approle-legacy-bot.vault_approle_auth_backend_role.approle_auth[0] will be updated in-place
  ~ resource "vault_approle_auth_backend_role" "approle_auth" {
        backend                 = "approle"
        bind_secret_id          = true
        bound_cidr_list         = []
        id                      = "auth/approle/role/myapp"
      - period                  = 3600 -> null
        policies                = []
        role_id                 = "69b27498-8d69-3a77-46eb-82c15bff6777"
        role_name               = "myapp"
        secret_id_bound_cidrs   = []
        secret_id_num_uses      = 0
        secret_id_ttl           = 600
        token_bound_cidrs       = []
        token_explicit_max_ttl  = 0
        token_max_ttl           = 0
        token_no_default_policy = false
        token_num_uses          = 0
      ~ token_period            = 0 -> 3600
        token_policies          = [
            "myapp-generic",
        ]
        token_ttl               = 0
        token_type              = "default"
    }
$ vault read auth/approle/role/myapp-bot
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
period                     1h
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              10m
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               1h
token_policies             [myapp-bot-generic]
token_ttl                  0s
token_type                 default
Trying to figure out a fix (WIP) here.
A question for @kalafut and @tyrannosaurus-becks: Does Vault generally ignore unknown fields? Would it be OK if the provider always sends token_x and x fields to a version of Vault < 1.2?
@lawliet89 The API will ignore them, so that should be fine. Note that some of the CLI commands do know about the allowed parameters and will raise errors, but not at the API level.
@lawliet89 what's the status of the fix?
Same issue for me, Following...
Hello,
Whenever we run a plan/apply, Terraform wants to change the period and token_period value for every approle resource we have. However, after a plan/apply, it still wants to do it again on the next run. We're not sure what's going on.
Terraform Version
Updated Terraform, still the same error message.
Vault version:
Affected Resource(s)
vault_approle_auth_backend_role resource.
Terraform Configuration Files
This is the configuration for the AppRole; note that the approle was created in vault < 1.2.
Debug Output
This shows both the period and token_period values. I think this is the default behavior until vault 1.4. However, when we now want to plan/apply, we see the following on every plan:
As we have a high number of approles (+1200), this is really annoying.
Expected Behavior
I would expect the provider to start using token_period and leave period alone?
Actual Behavior
The provider is trying to remove period and add token_period on every run.
Important Factoids
Not that I know of.
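With 1200 roles showing the same period -> null / token_period diff on every plan, a real change to a role's token period or policies can hide in the noise. As an added example (not code from this thread, the provider or Vault), the following Python folds the legacy period/policies/bound_cidr_list parameters onto their token_* successors and converts the CLI's duration strings (1h, 10m, 0s) to seconds, so a role read back from Vault can be compared against Terraform state for real drift. The sample dicts are constructed from the state and vault read output above; the treatment of an empty legacy value as "not set" is an assumption of this script.

```python
import re

# Legacy AppRole parameters and the token_* parameters that replaced them in Vault 1.2.
ALIASES = {"period": "token_period", "policies": "token_policies",
           "bound_cidr_list": "token_bound_cidrs"}
DURATIONS = {"token_period", "token_ttl", "token_max_ttl",
             "token_explicit_max_ttl", "secret_id_ttl"}
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Vault duration to seconds: the API returns ints, the CLI prints '1h', '10m', '0s'."""
    if isinstance(value, int) or str(value).isdigit():
        return int(value)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", str(value)))

def normalise_role(role):
    """Fold legacy keys onto their token_* successors and canonicalise values.
    An empty/zero legacy value means "not set" and is dropped; a legacy key and its
    successor holding different non-empty values is a real inconsistency and is raised."""
    out = {}
    for key, value in role.items():
        new_key = ALIASES.get(key, key)
        if new_key in DURATIONS:
            value = parse_duration(value)
        elif value is None:
            value = []  # the CLI prints an empty CIDR list as <nil>
        elif isinstance(value, list):
            value = sorted(value)
        if key != new_key and not value:
            continue
        if new_key in out and out[new_key] != value:
            raise ValueError(f"{new_key}: {out[new_key]!r} vs {value!r}")
        out[new_key] = value
    return out

def drift(state_attrs, vault_role):
    """Keys present on both sides whose normalised values differ (id, role_id etc. ignored)."""
    a, b = normalise_role(state_attrs), normalise_role(vault_role)
    return {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}

# Constructed samples mirroring the `terraform state show` and `vault read` output above.
STATE = {"bound_cidr_list": [], "period": 3600, "policies": [], "secret_id_ttl": 600,
         "secret_id_bound_cidrs": [], "token_bound_cidrs": [], "token_period": 3600,
         "token_policies": ["myapp-generic"], "token_ttl": 0, "token_type": "default"}
VAULT = {"period": "1h", "secret_id_ttl": "10m", "secret_id_bound_cidrs": None,
         "token_bound_cidrs": [], "token_period": "1h", "token_ttl": "0s",
         "token_policies": ["myapp-generic"], "token_type": "default"}

if __name__ == "__main__":
    print(drift(STATE, VAULT) or "no real drift: the period/token_period diff is alias noise")
```

For a live check, feed it the attributes from terraform state pull and the data object from vault read -format=json; an empty result means the plan diff is only the alias churn described in this issue.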