terraform-provider-vault

data.vault_kv_secret_v2 version arg urlencodes "?"

Open snatella opened this issue 2 years ago • 0 comments

Terraform Version

v1.3.0

Affected Resource(s)

  • data.vault_kv_secret_v2

Terraform Configuration Files

data "vault_kv_secret_v2" "secret_data" {
  mount   = "secret"
  name    = "my/secret"
  version = 8
}

Debug Output

https://gist.github.com/snatella/69bc930ba11d1b44e2a56a0ab7502ffa

Apologies, this has been cut down, but there were lots of sensitive details in the original; this should fully illustrate the issue, however.

Expected Behavior

Plan success, and a data structure like

{"request_id":"XXX","lease_id":"","renewable":false,"lease_duration":0,"data":{"data"....

should be visible in the debug output if it is on.

Actual Behavior

| Error: no secret found at "secret/data/my/secret?version=8"
|
|   on test.tf line 1, in data "vault_kv_secret_v2" "secret_data":
|    1: data "vault_kv_secret_v2" "secret_data" {
|

Important Factoids

When passed a version argument, it looks like data.vault_kv_secret_v2 erroneously encodes the ? in the generated request URI, which means the request fails.

The gist output can be verified by emulating the bug with curl:

$ curl --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/secret/data/my/secret?version=8"
{"request_id":"XXX","lease_id":"","renewable":false,"lease_duration":0,"data":{"data"....

$ curl --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/secret/data/my/secret%3Fversion=8"
{"errors":[]}

snatella, Sep 21 '22 15:09
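Added example, not code from the issue or from the provider: a Go sketch of how a `?` becomes `%3F` when a query string is appended to a URL path, next to a variant that sets the query separately. That the provider builds its request this way is an assumption; the function names and the Vault address are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// buggyURL appends the version to the path as text. url.URL treats Path as
// unescaped path data, so String() percent-encodes the "?" as "%3F".
func buggyURL(addr, mount, name string, version int) (string, error) {
	u, err := url.Parse(addr)
	if err != nil {
		return "", err
	}
	u.Path = fmt.Sprintf("/v1/%s/data/%s?version=%d", mount, name, version)
	return u.String(), nil
}

// fixedURL keeps path and query separate so the "?" stays a delimiter.
func fixedURL(addr, mount, name string, version int) (string, error) {
	u, err := url.Parse(addr)
	if err != nil {
		return "", err
	}
	u.Path = fmt.Sprintf("/v1/%s/data/%s", mount, name)
	if version > 0 { // version 0 means "latest": send no query at all
		q := url.Values{}
		q.Set("version", strconv.Itoa(version))
		u.RawQuery = q.Encode()
	}
	return u.String(), nil
}

func main() {
	const addr = "http://vault.example:8200" // constructed placeholder address
	builders := []func(string, string, string, int) (string, error){buggyURL, fixedURL}
	for _, build := range builders {
		s, err := build(addr, "secret", "my/secret", 8)
		if err != nil {
			panic(err)
		}
		fmt.Println(s)
	}
}
```

The first printed URL ends in the same `secret%3Fversion=8` form as the failing curl request above, the second in `secret?version=8`.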