terraform-provider-consul

`consul_certificate_authority` resource doesn't support Vault auth method configuration

Open krarey opened this issue 3 years ago • 0 comments

Terraform Version

Terraform v1.3.1 on linux_amd64

Affected Resource(s)

  • consul_certificate_authority

Terraform Configuration Files

```hcl
resource "consul_certificate_authority" "hcp_vault" {
  connect_provider = "vault"
  config = {
    address = data.hcp_vault_cluster.dev.vault_private_endpoint_url
    auth_method = {
      type       = "approle"
      mount_path = vault_auth_backend.approle.path
      params = {
        role_id   = vault_approle_auth_backend_role.consul_pki.role_id
        secret_id = vault_approle_auth_backend_role_secret_id.consul_pki.secret_id
      }
    }
    namespace             = vault_namespace.zts.path_fq
    root_pki_path         = vault_mount.pki_root.path
    intermediate_pki_path = vault_mount.pki_inter.path
  }
}
```

Expected Behavior

The Consul Connect certificate authority should be correctly configured with the associated Vault auth method details, in place of requiring a hardcoded token. See the Consul documentation for details on the auth_method schema.

Actual Behavior

Terraform fails to plan, citing type mismatch (expected string, received map). Attempting to work around by using jsonencode() or otherwise converting to a string fails, as the Consul API rejects the configuration.

```
│ Error: Incorrect attribute value type
│ 
│   on hcp-consul.tf line 105, in resource "consul_certificate_authority" "hcp_vault":
│  105:   config = {
│  106:     address = data.hcp_vault_cluster.dev.vault_private_endpoint_url
│  107:     auth_method = {
│  108:       type       = "approle"
│  109:       mount_path = vault_auth_backend.approle.path
│  110:       params = {
│  111:         role_id   = vault_approle_auth_backend_role.consul_pki.role_id
│  112:         secret_id = vault_approle_auth_backend_role_secret_id.consul_pki.secret_id
│  113:       }
│  114:     }
│  115:     namespace             = vault_namespace.zts.path_fq
│  116:     root_pki_path         = vault_mount.pki_root.path
│  117:     intermediate_pki_path = vault_mount.pki_inter.path
│  118:   }
│ 
│ Inappropriate value for attribute "config": element "auth_method": string
│ required.
```

krarey, Oct 12 '22 14:10
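The configuration the issue asks for, as an added example that is not the reporter's or the provider project's code. It assumes a provider release whose `consul_certificate_authority` resource accepts a `config_json` string argument, and it uses the key names Consul documents for the Vault CA provider (`AuthMethod`, `Type`, `MountPath`, `Params`); the resource references are the ones from the issue.

```hcl
# Added example. Assumption: the installed terraform-provider-consul release
# has the `config_json` argument on consul_certificate_authority.
resource "consul_certificate_authority" "hcp_vault" {
  connect_provider = "vault"

  # `config` is a map of strings, so the nested auth_method object is rejected
  # at plan time. Encoding the whole provider configuration as one JSON
  # document keeps the nesting intact when it reaches the Consul API.
  config_json = jsonencode({
    Address = data.hcp_vault_cluster.dev.vault_private_endpoint_url

    # AppRole login replaces a long-lived Vault token in the CA configuration.
    AuthMethod = {
      Type      = "approle"
      MountPath = vault_auth_backend.approle.path
      Params = {
        role_id   = vault_approle_auth_backend_role.consul_pki.role_id
        secret_id = vault_approle_auth_backend_role_secret_id.consul_pki.secret_id
      }
    }

    Namespace           = vault_namespace.zts.path_fq
    RootPKIPath         = vault_mount.pki_root.path
    IntermediatePKIPath = vault_mount.pki_inter.path
  })
}
```

The `secret_id` is still written to Terraform state as part of this resource, so the state backend needs the same access controls and encryption as the Vault credential itself.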