terraform-provider-consul
Consul Provider token rotation issue
Terraform Version
Tested with 0.12.31 & 1.1.7
Affected Resource(s)
- consul_key_prefix
Terraform Configuration Files
provider "consul" {
  version    = "~> 2.14"
  address    = "https://<consul_url>"
  datacenter = "<consul_datacenter>"
}

resource "consul_key_prefix" "subnet_nums" {
  token       = "<token>"
  path_prefix = "terraform/path/path/"

  subkey {
    path  = "nums"
    value = "val"
  }
}
Debug Output
N/A
Panic Output
N/A
Expected Behavior
When the token changes, it should pick up the new one
Actual Behavior
It tries to use whatever token is in the state file and thus fails as it no longer exists
Steps to Reproduce
- terraform init
- terraform plan
- terraform apply
- Delete old consul token and replace with new one (alternatively, just update the state file to change the token to some bogus value)
- terraform plan
Output:
Error: Failed to list Consul keys under prefix 'terraform/path/path/': Unexpected response code: 403
Important Factoids
N/A
References
N/A
Hi @askmike1, thanks for opening this issue.
Sadly, the issue here lies in how Terraform interacts with providers. When reading a resource, the provider only gets the current state as input, not the current user configuration: https://github.com/hashicorp/terraform/blob/e6dbb7faf0407f6f98a451bbe8b0eb5fc160b4ec/docs/plugin-protocol/tfplugin6.2.proto#L249-L254.
The token argument in the consul_key_prefix resource has been here for 8 years, before this kind of issue was well understood.
The best way forward is to use the token argument in the provider configuration: https://registry.terraform.io/providers/hashicorp/consul/latest/docs#token, that way the client will always use the token you are expecting.
I will probably mark the token attributes and other similar attributes as deprecated and remove them in a major release; they have too many drawbacks and needlessly complicate the design of the provider.
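An added example, not part of the issue thread or the provider's code: a Python check that lists the Consul resources whose state still pins a resource-level token, which is the condition behind the 403 after rotation. It assumes the Terraform state format version 4 layout; the function name and the sample state with all its values are constructed.

```python
import json

# Constructed sample state (format version 4); every value below is made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "consul_key_prefix", "name": "subnet_nums",
         "instances": [{"attributes": {"path_prefix": "terraform/path/path/",
                                       "token": "constructed-old-token"}}]},
        {"module": "module.net", "mode": "managed", "type": "consul_key_prefix",
         "name": "cfg",
         "instances": [{"index_key": 0, "attributes": {"token": ""}},
                       {"index_key": 1, "attributes": {"token": "constructed-old-token"}}]},
        {"mode": "managed", "type": "consul_key_prefix", "name": "clean",
         "instances": [{"attributes": {"token": None}}]},
        {"mode": "data", "type": "consul_keys", "name": "ro",
         "instances": [{"attributes": {"token": "constructed-old-token"}}]},
    ],
})


def pinned_tokens(state_text, attr="token", type_prefix="consul_"):
    """Return addresses of managed instances whose state holds a non-empty token."""
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError("expected Terraform state format version 4")
    found = []
    for res in state.get("resources", []):
        # Only managed resources are refreshed from what was saved in state.
        if res.get("mode") != "managed":
            continue
        if not res.get("type", "").startswith(type_prefix):
            continue
        base = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances", []):
            # Empty string and null both mean no resource-level token was set.
            if not (inst.get("attributes") or {}).get(attr):
                continue
            key = inst.get("index_key")
            # count/for_each instances carry an index key, e.g. [1] or ["a"].
            found.append(base if key is None else f"{base}[{json.dumps(key)}]")
    return found


if __name__ == "__main__":
    # Addresses only; the token values themselves are never printed.
    for address in pinned_tokens(SAMPLE_STATE):
        print("token pinned in state:", address)
```

Running it against a real state before rotating a token shows which resources need the token argument moved to the provider block first.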