Open bernardogza opened 4 years ago
Hey @bernardogza, have you tried to use `policies` instead of `token_policies`?
I had a similar issue using the vault_kubernetes_auth_backend_role
and I got it working again when I switched to the deprecated attribute. (tested with vault provider version 2.10).
Terraform Version
v0.12.24
Affected Resource(s)
Terraform Configuration Files
```hcl
provider "vault" {
  address   = var.address
  token     = var.token
  namespace = var.namespace
}

resource "vault_auth_backend" "approle-yp" {
  type = "approle"
  path = "approleyp/${var.service_id}"

  tune {
    default_lease_ttl = "60s"
  }
}

resource "vault_policy" "approle-yp" {
  name = "approleyp/team-${var.service_id}"

  policy = <<EOT
path "auth/approle/login" {
  capabilities = ["create", "read"]
}

path "kv/data/${var.service_id}/*" {
  capabilities = ["read"]
}

path "kv/metadata" {
  capabilities = ["list", "read"]
}
EOT
}

resource "vault_approle_auth_backend_role" "approle-yp" {
  depends_on = [vault_policy.approle-yp]

  backend        = vault_auth_backend.approle-yp.path
  role_name      = "team-${var.service_id}"
  token_policies = ["default", "approleyp/team-${var.service_id}"]
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  backend      = vault_auth_backend.approle-yp.path
  role_name    = vault_approle_auth_backend_role.approle-yp.role_name
  wrapping_ttl = "60s"
}
```
Debug Output
n/a
Panic Output
n/a
Expected Behavior
The resource should create an approle with the corresponding token policies specified
Actual Behavior
The approle is created but the role id that comes with it does not have the correct policies attached. It only attaches the default policy.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
1. Provide the Vault address, Vault token, namespace and service-id value (can be any value for testing purposes).
2. Run `terraform apply`.
3. Grab the role id and secret id.
4. Log in to Vault using the role id and secret id.
5. You will see the policies attached, and only the default policy will be attached.
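A post-apply check for steps 3 to 5, added here as an example and not code from the issue or the provider: it compares the policies Terraform declared on the role with the ones an AppRole login actually yields, so a role that silently lost its team policy fails the check instead of being noticed only at access time. It runs offline on constructed sample JSON; the service_id `svc1` and the field layout of `vault read -format=json` and of the login response are assumptions.

```python
import json

# Constructed sample of `vault read auth/approleyp/svc1/role/team-svc1 -format=json`:
# the role as Terraform declared it (hypothetical service_id "svc1").
ROLE_JSON = json.dumps({"data": {
    "token_policies": ["default", "approleyp/team-svc1"],
    "policies": [],  # deprecated field; Vault merges it with token_policies
}})

# Constructed sample of the AppRole login response showing the symptom from
# the issue: only "default" is attached to the token that was actually issued.
LOGIN_JSON_BUG = json.dumps({"auth": {
    "client_token": "hvs.PLACEHOLDER",
    "policies": ["default"],
    "token_policies": ["default"],
}})

# Constructed sample of a healthy login, for comparison.
LOGIN_JSON_OK = json.dumps({"auth": {
    "client_token": "hvs.PLACEHOLDER",
    "policies": ["default", "approleyp/team-svc1"],
    "token_policies": ["default", "approleyp/team-svc1"],
}})


def declared_policies(role_json: str) -> set:
    """Policies the role is configured to grant (new field plus deprecated alias)."""
    data = json.loads(role_json)["data"]
    return set(data.get("token_policies", [])) | set(data.get("policies", []))


def effective_policies(login_json: str) -> set:
    """Policies actually attached to the token returned by the login call."""
    return set(json.loads(login_json)["auth"]["token_policies"])


def check_role(expected, role_json: str, login_json: str) -> dict:
    """Compare expected -> declared -> effective and report every gap.
    Empty 'missing_from_token' means the login produced the intended token;
    'unexpected_on_token' flags extra privilege the config never asked for."""
    expected = set(expected)
    declared = declared_policies(role_json)
    effective = effective_policies(login_json)
    return {
        "missing_from_role": sorted(expected - declared),
        "missing_from_token": sorted(expected - effective),
        "unexpected_on_token": sorted(effective - expected),
    }
```

Feed it the real `vault read` and login output after `terraform apply` and treat any non-empty list as a failed deployment.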
Important Factoids
n/a
References
n/a