terraform-provider-vault
Should vault_token be hard coded to filter out the default policy?
Affected Resource(s)
Please list the resources as a list, for example:
- vault_token
Terraform Configuration Files
resource "vault_token" "example" {
  policies = ["default"]
  ttl      = "1d"
  metadata = {
    "purpose" = "service-account"
  }
}
Output
Forced resource replacement occurs on every TF apply because the default policy is filtered out
  # vault_token.example must be replaced
-/+ resource "vault_token" "example" {
      ~ client_token      = (sensitive value)
      ~ id                = "zI0h1gAwWm6YgnOqeo2jA1U6" -> (known after apply)
      ~ lease_duration    = 299 -> (known after apply)
      ~ lease_started     = "2022-09-12T19:26:11-04:00" -> (known after apply)
      ~ no_parent         = false -> (known after apply)
      ~ num_uses          = 0 -> (known after apply)
      ~ policies          = [ # forces replacement
          + "default",
        ]
      ~ renewable         = true -> (known after apply)
      + wrapped_token     = (sensitive value)
      + wrapping_accessor = (sensitive value)
        # (4 unchanged attributes hidden)
    }
Expected Behavior
A default policy is able to be specified in TF.
Actual Behavior
A default policy can not be specified in TF.
Steps to Reproduce
- terraform apply
References
The explicit filtering is happening here.
The behavior here seems well intentioned and may be the most user-friendly thing possible, but its prescriptiveness still gives me pause. Would it be worth considering changing given the hassle involved (doc updates, notes on the implications for upgrades, etc.)?
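An added example, not the provider's code, that models the filter the issue points at in Go: it assumes the provider strips "default" only from the policy list read back from Vault (the configured list is compared as written), and shows that normalizing both sides the same way removes the perpetual replacement. `normalize`, `forcesReplacement` and `forcesReplacementFixed` are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
)

// normalize returns a sorted, de-duplicated copy of policies; when dropDefault
// is true the implicit "default" policy is removed as well. This models the
// filter the issue points at (an assumption, not the provider's real code).
func normalize(policies []string, dropDefault bool) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, p := range policies {
		if (dropDefault && p == "default") || seen[p] {
			continue
		}
		seen[p] = true
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

func equal(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// forcesReplacement mirrors a read-side-only filter: the configured list is
// compared as written against a read-back value with "default" stripped, so a
// config listing "default" never matches state and the token is replaced.
func forcesReplacement(configured, readBack []string) bool {
	return !equal(normalize(configured, false), normalize(readBack, true))
}

// forcesReplacementFixed normalizes both sides the same way, so listing
// "default" in config no longer differs from what Vault reports.
func forcesReplacementFixed(configured, readBack []string) bool {
	return !equal(normalize(configured, true), normalize(readBack, true))
}

func main() {
	cfg, vault := []string{"default"}, []string{"default"} // constructed sample
	fmt.Println(forcesReplacement(cfg, vault), forcesReplacementFixed(cfg, vault)) // prints: true false
}
```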