terraform-provider-terracurl

Unable to use dynamic token authentication with Vault

Open junchytata opened this issue 1 year ago • 2 comments

Describe the issue

Setting a dynamic token in X-Vault-Token leads to authentication failure when running Terraform apply.

To Reproduce

  1. Use the vault token create command to create a token with a validity of 1 hour.
  2. Set this token in X-Vault-Token of TerraCurl.
  3. Run Terraform apply and resources are created successfully.
  4. After 1 hour, the previous token expires. Create a new vault token and set it in X-Vault-Token.
  5. Run Terraform plan. The result shows that the value of X-Vault-Token will be updated and the resource (aws engine) will be re-created.
  # terracurl_request.aws_engine must be replaced
-/+ resource "terracurl_request" "aws_engine" {
      ~ destroy_headers        = {
          ~ "X-Vault-Token" = "hvs.XXXXXXXXXX" -> "hvs.YYYYYYYYYY"
        }
      ~ headers                = { # forces replacement
          ~ "X-Vault-Token" = "hvs.XXXXXXXXXX" -> "hvs.YYYYYYYYYY"
        }
      ~ id                     = "aws" -> (known after apply)
        name                   = "aws"
      ~ request_url_string     = "http://172.XXX.XXX.XXX:8201/v1/sys/mounts/aws" -> (known after apply)
      + response               = (known after apply)
      ~ status_code            = "204" -> (known after apply)
        # (9 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.
  6. When running Terraform apply, a request error occurred.
terracurl_request.aws_engine: Destroying... [id=aws]
terracurl_request.aws_engine: Still destroying... [id=aws, 10s elapsed]
?
x Error: unable to make request: request failed, retries exceeded: %!s(<nil>)
  7. After manually updating the token value of X-Vault-Token in the terraform-state file, Terraform executed successfully.

Expected behavior

  1. The new token set in X-Vault-Token should authenticate with Vault successfully.
  2. The resource should be updated without being deleted and recreated.

Environment

  • Vault Server 1.12.4
  • Terraform 1.4.6
  • TerraCurl 1.1.0

Additional context

After the first run of TerraCurl, the X-Vault-Token value is recorded in Terraform's state file and will be used for authentication with Vault the next time. When the token on the Vault side expires, the X-Vault-Token value fails to authenticate with Vault and cannot be updated any more.

junchytata, Jun 09 '23 00:06
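
An added example, not part of the issue or the provider's code: a pre-apply check that reads a plan exported with `terraform show -json` and flags `terracurl_request` resources that would be destroyed and re-created only because the X-Vault-Token value changed, which is the case where the destroy request is sent with the token held in state. The function names and the sample plan are constructed for illustration; the attribute names come from the plan output above.

```python
import json

TOKEN_HEADER = "X-Vault-Token"
HEADER_ATTRS = ("headers", "destroy_headers")

# Constructed sample, shaped like `terraform show -json <planfile>` output
# for the plan in the issue (token values are the issue's redacted ones).
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "terracurl_request.aws_engine",
    "type": "terracurl_request",
    "change": {
        "actions": ["delete", "create"],
        "replace_paths": [["headers"]],
        "before": {"headers": {TOKEN_HEADER: "hvs.XXXXXXXXXX"},
                   "destroy_headers": {TOKEN_HEADER: "hvs.XXXXXXXXXX"}},
        "after": {"headers": {TOKEN_HEADER: "hvs.YYYYYYYYYY"},
                  "destroy_headers": {TOKEN_HEADER: "hvs.YYYYYYYYYY"}},
    },
}]})


def changed_keys(before, after):
    """Keys whose values differ between two header maps (None means empty)."""
    before, after = before or {}, after or {}
    return {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}


def token_rotation_replacements(plan_json):
    """Find terracurl_request resources a plan would destroy and re-create
    solely because the Vault token header value changed."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        is_replace = {"delete", "create"} <= set(change.get("actions", []))
        if rc.get("type") != "terracurl_request" or not is_replace:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        # Top-level attributes that Terraform marks as forcing replacement.
        forced = {path[0] for path in change.get("replace_paths") or [] if path}
        attrs = [a for a in HEADER_ATTRS
                 if changed_keys(before.get(a), after.get(a)) == {TOKEN_HEADER}]
        if forced == {"headers"} and "headers" in attrs:
            findings.append({
                "address": rc["address"],
                "token_changed_in": attrs,
                # True when state holds a token that the destroy call will send.
                "destroy_uses_state_token":
                    TOKEN_HEADER in (before.get("destroy_headers") or {}),
            })
    return findings
```

The findings deliberately omit the token values, since the plan JSON and the state file both contain them in plaintext.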

Hi, I think I have fixed this in the new version. When you have a moment, can you please test this and let me know? Thanks @junchytata

devops-rob, Mar 04 '24 16:03

Hello @devops-rob, this issue looks similar to the one I just created: https://github.com/devops-rob/terraform-provider-terracurl/issues/83

amuware, Aug 30 '24 17:08