
Cannot import jwt_auth_backend resource

Open agaudreault opened this issue 2 years ago • 0 comments

Description

I tried to create a jwt_auth_backend with the jwt type, but it failed. After the failure, the state was not updated, but the backend was partially created in Vault (first problem). When I tried to import the resource in the terraform state, I could not because the id of the terraform import command is the type, which is not unique in our case (second problem). I think the id should be the path of the backend.

Terraform Version

Terraform v1.0.6

Affected Resource(s)

Please list the resources as a list, for example:

  • jwt_auth_backend

Debug Output

First time with the error, which was valid:

vault_jwt_auth_backend.backend: Creating...
╷
│ Error: error updating configuration to Vault for path k8s/backend-1: Error making API request.
│ 
│ URL: PUT ****/v1/auth/k8s/backend-1/config
│ Code: 400. Errors:
│ 
│ * error checking jwks URL: fetching keys oidc: get keys failed: 404 Not Found {"code":"ObjectNotFound","message":"The object 'openid/v1/jwks' was not found in the bucket 'backend-1'"}
│ 
│   with vault_jwt_auth_backend.backend,
│   on main.tf line 1, in resource "vault_jwt_auth_backend" "backend":
│    1: resource "vault_jwt_auth_backend" "backend" {
│ 
╵
Releasing state lock. This may take a few moments...

Retrying with the proper jwks_url, the plan gives

vault_jwt_auth_backend.backend: Refreshing state... [id=k8s/backend-1]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # vault_jwt_auth_backend.backend has been deleted
  - resource "vault_jwt_auth_backend" "backend" {
      - bound_issuer       = "<REDACTED>" -> null
      - description        = "<REDACTED>" -> null
      - id                 = "k8s/backend-1" -> null
      - jwks_url           = "<REDACTED>" -> null
      - local              = false -> null
      - namespace_in_state = true -> null
      - path               = "k8s/backend-1" -> null
      - tune               = [] -> null
      - type               = "jwt" -> null
    }
[...]
# vault_jwt_auth_backend.backend will be created
[...]
Plan: 1 to add, 0 to change, 0 to destroy.

The apply returns

vault_jwt_auth_backend.backend: Creating...
╷
│ Error: error writing to Vault: Error making API request.
│ 
│ URL: POST ****/v1/sys/auth/k8s/backend-1
│ Code: 400. Errors:
│ 
│ * path is already in use at k8s/backend-1/
│ 
│   with vault_jwt_auth_backend.backend,
│   on main.tf line 1, in resource "vault_jwt_auth_backend" "backend":
│    1: resource "vault_jwt_auth_backend" "backend" {
│ 
╵

When trying to import the backend

$ terraform import vault_jwt_auth_backend.backend k8s/backend-1
Acquiring state lock. This may take a few moments...
vault_jwt_auth_backend.backend: Importing from ID "k8s/backend-1"...
vault_jwt_auth_backend.backend: Import prepared!
  Prepared vault_jwt_auth_backend for import
vault_jwt_auth_backend.backend: Refreshing state... [id=k8s/backend-1]
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "vault_jwt_auth_backend.backend", the provider detected that no object exists with the given id.
│ Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or endpoint,
│ or use "terraform apply" to create a new remote object for this resource.

The output of vault

$ vault read sys/auth/k8s/backend-1/
Key                        Value
---                        -----
accessor                   REDACTED
config                     REDACTED
description                REDACTED
external_entropy_access    false
local                      false
options                    <nil>
seal_wrap                  false
type                       jwt
uuid                       REDACTED

Expected Behavior

What should have happened?

  • The backend should have either been deleted if a failure happens during the creation, or it should have been added to the state in the state it exists.
  • Regardless of the first issue, the documentation at https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend mentions that "JWT auth backend can be imported using the type." The type is not unique. The backend should be imported by the path.

Actual Behavior

What actually happened?

  • The partially created backend was not in the state
  • It was impossible to import the state with the path. We have multiple backends with the same type in Vault.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. create a jwt_auth_backend with an invalid jwks_url
  2. try to create the backend again with a valid value.

agaudreault, Aug 02 '22 21:08
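A minimal configuration that reproduces the two-step sequence in this report, added here as an example; it is not code from the issue author or from the provider project. The mount path `k8s/backend-1` mirrors the issue, while the `bound_issuer` and `jwks_url` values and the provider address/token handling are placeholders (assumptions) that must be replaced with a real issuer.

```hcl
# Added example, not from the issue. Assumptions: the issuer host and JWKS
# URL below are invented; the provider reads VAULT_ADDR / VAULT_TOKEN from
# the environment.
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {
  # address and token are taken from VAULT_ADDR / VAULT_TOKEN (assumption)
}

# Step 1 of the reproduction. The provider first enables the mount
# (POST sys/auth/k8s/backend-1) and then writes its config
# (PUT auth/k8s/backend-1/config). When Vault rejects the config, here
# because the JWKS document cannot be fetched, the mount has already been
# created but nothing is recorded in the Terraform state.
resource "vault_jwt_auth_backend" "backend" {
  path         = "k8s/backend-1" # the unique identifier of the mount
  type         = "jwt"           # not unique: several mounts can share it
  description  = "JWT auth for cluster backend-1"
  bound_issuer = "https://issuer.example.test"                # assumption
  jwks_url     = "https://issuer.example.test/openid/v1/jwks" # assumption
}

# Step 2. After correcting jwks_url, `terraform apply` fails with
# "path is already in use at k8s/backend-1/" because the mount from the
# failed run still exists outside of state. The issue reports that
#
#   terraform import vault_jwt_auth_backend.backend k8s/backend-1
#
# did not adopt it in the provider version used. Confirm the orphaned mount
# and, if it holds no roles you need to keep, remove it so the next apply
# recreates it cleanly:
#
#   vault read sys/auth/k8s/backend-1
#   vault auth disable k8s/backend-1
#   terraform apply
```

Disabling the orphaned mount is the provider-independent way out; it also revokes any tokens issued through that mount, which matters if the first apply had got far enough to create roles against it.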