
Setting username_template for aws secret engine does not work

Open • pjastrzabek opened this issue 2 years ago • 1 comment

I am trying to set a username template for the AWS Secret Engine.

Terraform Configuration Files

```hcl
resource "vault_aws_secret_backend" "aws" {
  region = var.region
  default_lease_ttl_seconds = 12 * 60 * 60 # = 12h
  max_lease_ttl_seconds     = 12 * 60 * 60 # = 12h
  path = "mypath/aws"
  username_template = <<EOF
{{ if (eq .Type "STS") }}
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 31 }}
{{ else }}
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 31 }}
{{ end }}
EOF
}
```

Terraform executes successfully, but when I check the value with the CLI

```shell
vault read /mypath/aws/config/root
```

it shows some other values:

```text
Key                  Value
---                  -----
access_key           n/a
iam_endpoint         n/a
max_retries          -1
region               eu-central-1
sts_endpoint         n/a
username_template    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s-%s" (unix_time) (unix_time) (random 20) | truncate 32 }}
{{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
{{ end }}
```

(The truncate values differ: 64 vs 31.)

Indeed, when I execute terraform apply a few times in a row, I always see that Terraform wants to apply the change to the username template.

To make things worse, the value 64 that is there is too big, and when I try to generate a new IAM user I receive the error

the username generated by the template exceeds the IAM username length limits of 64 chars

I use Terraform v1.1.7 with terraform-provider-vault_v3.3.1_x4; the Vault backend is Vault 1.9.2+ent (from HashiCorp Cloud), and I use Vault namespaces.

Affected Resource(s)

  • vault_aws_secret_backend

Expected Behaviour

Setting username template should work.

Actual Behaviour

Some default value is being used, and the default is 'invalid', so I cannot request an IAM user.

pjastrzabek, Mar 09 '22 20:03
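To see what the templates quoted in this issue actually produce, here is an added example (not part of the issue, of terraform-provider-vault, or of Vault's own code) that renders them with Go's text/template and reimplements the `truncate`, `unix_time` and `random` helpers the template calls. The helper semantics, the `UsernameMetadata` struct, the `"IAM"`/`"STS"` values of `.Type` and the sample identity are assumptions made for this example; it also assumes the rendered string is used without trimming, which is how text/template itself behaves. It renders three templates against one constructed identity: the heredoc from the issue as HCL delivers it (every line newline-terminated), the template `vault read` returned, and a variant of the issue's logic with `{{- -}}` trim markers.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"text/template"
	"time"
)

// UsernameMetadata carries the fields the issue's template references.
type UsernameMetadata struct {
	DisplayName string
	PolicyName  string
	Type        string // "IAM" or "STS"; struct and values are this example's assumption
}

const iamUsernameMax = 64 // the limit the issue's error message quotes

// randomString returns n random hex characters from crypto/rand. It stands
// in for the template helper; the alphabet does not affect the length checks.
func randomString(n int) (string, error) {
	buf := make([]byte, (n+1)/2)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf)[:n], nil
}

// truncate keeps the first maxLen bytes; length-first, string-last lets it close a pipeline as `| truncate 31`.
func truncate(maxLen int, str string) (string, error) {
	if maxLen <= 0 {
		return "", fmt.Errorf("truncate: length must be positive, got %d", maxLen)
	}
	if len(str) > maxLen {
		return str[:maxLen], nil
	}
	return str, nil
}

var funcs = template.FuncMap{
	"truncate":  truncate,
	"unix_time": func() string { return strconv.FormatInt(time.Now().Unix(), 10) },
	"random":    randomString,
}

// RenderUsername executes tmplText against meta and returns the raw, untrimmed output.
func RenderUsername(tmplText string, meta UsernameMetadata) (string, error) {
	t, err := template.New("username").Funcs(funcs).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, meta); err != nil {
		return "", err
	}
	return out.String(), nil
}

// CheckIAMUsername says why a rendered name is unusable for an IAM user: too long, or containing whitespace.
func CheckIAMUsername(name string) error {
	if len(name) > iamUsernameMax {
		return fmt.Errorf("username is %d chars, exceeds IAM limit of %d", len(name), iamUsernameMax)
	}
	if strings.ContainsAny(name, " \t\r\n") {
		return fmt.Errorf("username %q contains whitespace", name)
	}
	return nil
}

const (
	// HeredocTemplate is the issue's HCL heredoc as delivered: every line, including the one after {{ end }}, ends in "\n".
	HeredocTemplate = `{{ if (eq .Type "STS") }}
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 31 }}
{{ else }}
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 31 }}
{{ end }}
`
	// ReadBackTemplate is the value `vault read` returned in the issue, indentation included.
	ReadBackTemplate = `{{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s-%s" (unix_time) (unix_time) (random 20) | truncate 32 }}
{{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
{{ end }}`
	// TrimmedTemplate is the issue's logic with {{- -}} trim markers, so only the printf output is emitted.
	TrimmedTemplate = `{{- if (eq .Type "STS") -}}
{{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 31 }}
{{- else -}}
{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 31 }}
{{- end -}}
`
)

func main() {
	// Constructed sample identity, long enough that every truncate engages.
	meta := UsernameMetadata{DisplayName: "gitlab-runner-production-deployments", PolicyName: "aws-admin-readonly-policy", Type: "IAM"}
	for _, tc := range []struct{ label, tmpl string }{{"heredoc", HeredocTemplate}, {"read-back", ReadBackTemplate}, {"trimmed", TrimmedTemplate}} {
		name, err := RenderUsername(tc.tmpl, meta)
		fmt.Printf("%-9s %q err=%v check=%v\n", tc.label, name, err, CheckIAMUsername(name))
	}
}
```

Rendered as written, the heredoc yields `"\nvault-gitlab-runner-production-\n\n"`: the 31 characters the template asked for plus three newlines, which no IAM user name can carry. The read-back template yields 70 characters, over the 64 limit quoted in the issue, because the indentation and newlines are appended after `truncate 64` has already run; that is one way the quoted error can arise even when the truncate argument itself looks correct. Only the trimmed variant yields exactly the 31-character name. Whichever template the provider ends up storing, check the rendered output and not just the truncate argument before expecting IAM user creation to succeed.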

I'm having the same issue. This forces me to recreate that aws-secret-backend. The result is revoking all aws keys provisioned by it, which is less ideal.

oacob1, Jul 11 '22 18:07

Facing the same issue; this needs to be prioritized. Recreation is not a very good option for all scenarios.

raysaik, Apr 01 '23 13:04

I started a PR here: https://github.com/hashicorp/terraform-provider-vault/pull/1810 Can some of you test it?

sebglon, Apr 02 '23 20:04