oci_psql_db_system fails to read vault secret for admin password

bassg0navy commented 6 months ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version and Provider Version

Terraform v1.8.3 on darwin_arm64

Affected Resource(s)

oci_psql_db_system
oci_vault_secret

Terraform Configuration Files

resource "oci_psql_db_system" "db_system" {
  compartment_id = var.compartment_id
  db_version     = var.db_version.min
  display_name   = var.display_name
  network_details {
    subnet_id = var.private_subnet_id
  }
  shape = var.system_shape
  storage_details {
    is_regionally_durable = true
    system_type           = var.db_system_storage_details_system_type

    # availability_domain = lookup(data.oci_identity_availability_domains.ad_list.availability_domains[0], name)
    iops = var.db_system_storage_details_iops
  }
  credentials {
    password_details {
      password_type  = var.password_type
      secret_id      = var.secret_id
      secret_version = var.secret_version

      # password = base64decode(var.db_system_password)
      # password_type = var.password_type
    }
    username = var.db_system_username
  }

  description                 = "PostgreSQL DB used to store user data ..."
  instance_memory_size_in_gbs = var.db_system_instance_memory_size_in_gbs
  instance_ocpu_count         = var.db_system_instance_ocpu_count
}

Debug Output

Gist

Expected Behavior

Vault secret should have been read successfully, and its content used as admin password for new PostgreSQL db system.

Actual Behavior

Instead, terraform fails with 400 error suggesting the following:

Error: 400-InvalidParameter, Property 'CreateDbSystemDetails.credentials.passwordSecretDetails' Failed to read secret. Please ensure that the secret exists..

Steps to Reproduce

Create oci_kms_vault resource
Create oci_kms_vault_key resource
Create oci_vault_secret_resource
Create configuration for oci_psql_db_system resource
Run terraform apply

Important Factoids

I've verified secret exists. I'm able to read secret as a data source by specifying its OCID.
I'm able to create this database system from the console, as well as in Terraform when specifying the same password with type of "PLAIN_TEXT".
In the error output, I've noticed a tenancy OCID that I do not recognize. I'm not sure why it's referenced in output and I have confirmed that I'm passing in correct compartment_id attribute for the psql_db resource.
Vault resource is a default virtual vault (not a dedicated or virtual private vault).

References

tf-oci-pub commented 6 months ago

Thank you for reporting the issue. We have raised an internal ticket to track this. Our service engineers will get back to you.

bassg0navy commented 6 months ago

Was able to resolve this, but unsure how. Possibly related to changing encoding of vault secret value.

oracle / terraform-provider-oci