hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

`vault_ad_secret_backend` fails in terraform #16465

Closed faseyiks closed 1 year ago

faseyiks commented 2 years ago

Describe the bug
I am currently facing a situation where the resource definition above is failing when I use Terraform to configure the AD secret engine, with the error

16:38:12  │ Error: error mounting to "secrets/ad/<redacted>": Error making API request.
16:38:12  │ 
16:38:12  │ URL: POST https://<redacted>:8200/v1/sys/mounts/secrets/ad/<redacted>
16:38:12  │ Code: 400. Errors:
16:38:12  │ 
16:38:12  │ * path is already in use at secrets/ad/<redacted>/

So I then tried to create the configuration using the Vault CLI. I succeeded, but similarly experienced the following:

$ vault write -f -ns=<redacted> secrets/ad/<redacted>/config case_sensitive_names=true \
    deny_null_bind=true discoverdn=true groupattr="cn" insecure_tls=true last_rotation_tolerance=5 max_ttl=9600 \
    password_policy="<redacted>_policy" request_timeout="90s" starttls=true tls_max_version="tls12" tls_min_version="tls12" \
    ttl=9600 use_pre111_group_cn_behavior=true use_token_groups=false userattr="cn" binddn="<redacted>" \
    bindpass="<redacted>" url="<redacted>" userdn="<redacted>"
Error writing data to secrets/ad/<redacted>/config: Error making API request.

URL: PUT https://<redacted>:8200/v1/secrets/ad/<redacted>/config
Code: 500. Errors:
* 1 error occurred:
        * cannot set password_policy and either length or formatter

$ vault write -f -ns=<redacted> secrets/ad/<redacted>/config case_sensitive_names=true \
    deny_null_bind=true discoverdn=true groupattr="cn" insecure_tls=true last_rotation_tolerance=5 max_ttl=9600 \
    password_policy="<redacted>_policy" request_timeout="90s" starttls=true tls_max_version="tls12" tls_min_version="tls12" \
    ttl=9600 use_pre111_group_cn_behavior=true use_token_groups=false userattr="cn" binddn="<redacted>" \
    bindpass="<redacted>" url="<redacted>" length=20 userdn="<redacted>"
Error writing data to secrets/ad/<redacted>/config: Error making API request.

URL: PUT https://<redacted>:8200/v1/secrets/ad/<redacted>/config
Code: 500. Errors:

* 1 error occurred:
        * cannot set password_policy and either length or formatter

$ vault write -f -ns=<redacted> secrets/ad/<redacted>/config case_sensitive_names=true \
    deny_null_bind=true discoverdn=true groupattr="cn" insecure_tls=true last_rotation_tolerance=5 max_ttl=9600 \
    password_policy="<redacted>_policy" request_timeout="90s" starttls=true tls_max_version="tls12" tls_min_version="tls12" \
    ttl=9600 use_pre111_group_cn_behavior=true use_token_groups=false userattr="cn" binddn="<redacted>" \
    bindpass="<redacted>" url="<redacted>" length=0 userdn="<redacted>"
Success! Data written to: secrets/ad/<redacted>/config

The two errors are conflicting. When length is set to a number higher than 0, you get an error that both cannot be set. But if you do not set length, then it doesn't work at all and says you need to set either length or formatter. Would this be why it is not working with Terraform, because both length and formatter are not set in the Terraform files, since the documentation says they are deprecated?

To Reproduce
Steps to reproduce the behavior:

  1. Run vault write ...
  2. Run vault login....
  3. See error

Expected behavior
Expected behaviour should be that

Environment:

Vault server configuration file(s):

# Paste your Vault config here.
# Be sure to scrub any sensitive values

Additional context
Terraform is OSS

calvn commented 2 years ago

* path is already in use at secrets/ad/<redacted>/

The Terraform-specific error that you're getting looks to be different from, and unrelated to, the other error that you're observing. The error above usually means that there's already an engine enabled at that same path.

* cannot set password_policy and either length or formatter

We fixed an issue that's now available in Vault 1.11.1 where the engine was not correctly disregarding length (or formatter) if password_policy was provided. Can you give this a try after updating the Vault server(s) to 1.11.1?

heatherezell commented 2 years ago

There should also be a fix coming in the terraform provider, in 3.9.0. :)

benashz commented 2 years ago

Related fix in the Vault provider, which makes password_policy conflict with length and formatter: https://github.com/hashicorp/terraform-provider-vault/pull/1557

benashz commented 2 years ago

@faseyiks you may want to try a terraform import if you want to bring a non-terraform managed Vault resource into your state.

See https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/ad_secret_backend#import for more details.
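As an added example (not code from the issue author, from Vault, or from the Terraform provider), the following is the Terraform shape that the fixes discussed in this thread imply: a `vault_ad_secret_backend` that sets `password_policy` only and leaves the deprecated `length` and `formatter` unset, pinned to a provider version that rejects the conflicting combination, together with the `terraform import` path for adopting a mount that already exists (the "path is already in use" case). The Vault address, namespace, hostnames, DNs, policy name, mount path and CA file are placeholder assumptions; the `certificate` attribute and the password-policy rule syntax are assumed from the Vault AD engine and password policy docs rather than taken from this page.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
      # Per this thread, 3.9.0 is the first provider release where
      # password_policy conflicts with length/formatter at plan time.
      version = ">= 3.9.0"
    }
  }
}

# Assumed values: address and namespace are placeholders.
provider "vault" {
  address   = "https://vault.example.internal:8200"
  namespace = "team-a"
}

# Password policy used to generate rotated AD service-account passwords.
# Rules are illustrative; match them to the domain's complexity requirements.
resource "vault_password_policy" "ad_svc" {
  name   = "ad-svc-policy"
  policy = <<-EOT
    length = 20
    rule "charset" {
      charset   = "abcdefghijklmnopqrstuvwxyz"
      min-chars = 1
    }
    rule "charset" {
      charset   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      min-chars = 1
    }
    rule "charset" {
      charset   = "0123456789"
      min-chars = 1
    }
    rule "charset" {
      charset   = "!@#%^&*"
      min-chars = 1
    }
  EOT
}

variable "ad_bind_password" {
  type      = string
  sensitive = true # supply via TF_VAR_ad_bind_password or a secret store, never in .tf files
}

resource "vault_ad_secret_backend" "ad" {
  backend = "secrets/ad/team-a" # assumed mount path

  url      = "ldaps://dc01.example.internal"
  binddn   = "CN=vault-rotator,OU=Service Accounts,DC=example,DC=internal"
  bindpass = var.ad_bind_password
  userdn   = "OU=Service Accounts,DC=example,DC=internal"

  # Named policy only. length and formatter are deprecated and conflict with
  # password_policy: provider >= 3.9.0 rejects the combination, and Vault >= 1.11.1
  # disregards them server-side when password_policy is set (per this thread).
  password_policy = vault_password_policy.ad_svc.name

  ttl     = 9600
  max_ttl = 9600

  # Prefer verified TLS over the insecure_tls=true used in the issue's CLI attempts.
  # The CA bundle path is an assumption.
  insecure_tls    = false
  certificate     = file("${path.module}/ad-ca.pem")
  tls_min_version = "tls12"
  tls_max_version = "tls12"
}

# If the mount already exists (the "path is already in use" error above), adopt it
# into state instead of re-creating it, then run `terraform plan` and expect no diff:
#   terraform import vault_ad_secret_backend.ad secrets/ad/team-a
```

Keeping `length`/`formatter` out of the resource entirely, rather than setting `length = 0` as the CLI workaround in the issue does, is the intended end state: the conflict is resolved at plan time by the provider, and the server no longer needs the zero value once it is on 1.11.1 or later.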

Zlaticanin commented 1 year ago

Hello @faseyiks 👋 Were you able to test this again after the update? Can you please confirm if this is still an issue for you? Thank you!

heatherezell commented 1 year ago

I'm going to go ahead and close this issue as completed for now. Please feel free to re-open it if you need. Thanks!