terraform-provider-vault
"Root resource was present, but now absent" on resource "vault_token".
Hi there,
Terraform Version
Terraform v1.1.9
on darwin_arm64
Affected Resource(s)
- vault_token
Terraform Configuration Files
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.5.0"
    }
  }
}

provider "vault" {
  address = "http://127.0.0.1:8200"
  token   = "hvs.REDACTED"
}

data "vault_policy_document" "dr" {
  rule {
    path         = "sys/replication/dr/secondary/promote"
    capabilities = ["update"]
    description  = "Create and manage ACL policies"
  }
  rule {
    path         = "sys/replication/dr/secondary/update-primary"
    capabilities = ["update"]
    description  = "To update the primary to connect"
  }
  rule {
    path         = "sys/storage/raft/autopilot/state"
    capabilities = ["read", "update"]
    description  = "To read the current autopilot status"
  }
}

resource "vault_policy" "dr" {
  name   = "dr-secondary-promotion"
  policy = data.vault_policy_document.dr.hcl
}

resource "vault_token_auth_backend_role" "dr" {
  role_name        = "failover-handler"
  allowed_policies = [vault_policy.dr.name]
  orphan           = true
  renewable        = false
  token_type       = "batch" # <- I can reproduce it when `batch` is used...
}

resource "vault_token" "dr" {
  role_name    = vault_token_auth_backend_role.dr.role_name
  display_name = "dr-secondary-promotion"
  ttl          = "8h"
}
Debug Output
Expected Behavior
Was hoping a token would have been created. Manually creating a token works:
vault token create -role=failover-handler -ttl=8h
Actual Behavior
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to vault_token.dr, provider "provider[\"registry.terraform.io/hashicorp/vault\"]"
│ produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
Steps to Reproduce
- terraform init
- terraform apply
Important Factoids
This issue can be reproduced when vault_token_auth_backend_role.dr.token_type = "batch".
References
I can confirm this is still happening in 2023, on Terraform v1.4.6 on windows_amd64, provider registry.terraform.io/hashicorp/vault v3.15.2.
Executing the following Terraform
provider "vault" {
  address = "redacted"
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "redacted"
      secret_id = "redacted"
    }
  }
}

resource "vault_token" "periodic_token" {
  ttl       = "2m"
  renewable = true
  no_parent = true
  period    = "1m"
}

output "token" {
  value = nonsensitive(vault_token.periodic_token.client_token)
}
Results in the following output
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to vault_token.periodic_token, provider "provider[\"registry.terraform.io/hashicorp/vault\"]"
│ produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
The type of token doesn't matter. I've confirmed this exact behavior no matter what kind of token is being created.
Looking at the code, this seems very likely to happen when you've got a slightly slow storage system. The token create looks like this:
func tokenCreate(d *schema.ResourceData, meta interface{}) error {
	// ...
	// <create token>
	// ...
	return tokenRead(d, meta)
}
I had the same error as well, and found out that in the end the token used by terraform was lacking POST permission on /auth/token/lookup-accessor, which is used by tokenRead().
(provider version 3.18.0, vault version 1.13.1)
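The create-then-read shape quoted two comments up, together with the lookup-accessor permission finding just above, can be modelled in a few lines. The following Go is an added example, not the provider's own code: it assumes a read step that turns any failed accessor lookup into "resource gone", shows why a 403 (or a lookup that fails for any other reason) then surfaces as "Root resource was present, but now absent", and places beside it a read that only drops the resource on a genuine not-found and otherwise returns the real error.

```go
package main

import (
	"errors"
	"fmt"
)

// Two outcomes of the lookup behind /auth/token/lookup-accessor that matter here.
var (
	ErrNotFound         = errors.New("accessor not found")
	ErrPermissionDenied = errors.New("permission denied (HTTP 403)")
)

// Lookup stands in for the Vault API call, state for the ID in schema.ResourceData.
type Lookup func(accessor string) error
type state struct{ id string }

// tokenReadLenient drops the resource from state on any lookup failure.
func tokenReadLenient(s *state, lookup Lookup) error {
	if lookup(s.id) != nil {
		s.id = "" // treated as gone, even when the cause was a 403 or a timeout
	}
	return nil
}

// tokenReadStrict drops the resource only when Vault says it does not exist;
// any other failure is returned so the apply fails with the real cause.
func tokenReadStrict(s *state, lookup Lookup) error {
	if err := lookup(s.id); errors.Is(err, ErrNotFound) {
		s.id = ""
	} else if err != nil {
		return fmt.Errorf("lookup-accessor for %q: %w", s.id, err)
	}
	return nil
}

// tokenCreate keeps the shape quoted in the thread: create, then read back.
func tokenCreate(read func(*state, Lookup) error, lookup Lookup) (*state, error) {
	s := &state{id: "constructed-accessor-id"} // constructed value, not a real accessor
	return s, read(s, lookup)
}

// Inconsistent is the condition Terraform reports as "Root resource was present,
// but now absent": create returned no error, yet the resource ID is empty.
func Inconsistent(s *state, err error) bool { return err == nil && s.id == "" }

func main() {
	s, err := tokenCreate(tokenReadLenient, func(string) error { return ErrPermissionDenied })
	fmt.Println("present-then-absent:", Inconsistent(s, err)) // true
}
```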
Vault 1.14.2, provider 3.21.0
Exact same conditions lead to exact same results.
I'm using the root token to apply my terraform code, so that should not be an issue around permissions.
Also, with only changing (in the code example of the issue statement) the vault_token_auth_backend_role.dr.token_type to service: the code can be applied without error.
Taking all hints. Thanks.