
Add provider support for connecting to Vault via Unix Domain Socket (UDS)

Open 111a5ab1 opened this issue 2 years ago • 2 comments

Support for server Unix Domain Socket ("UDS") Listener was added to Vault v1.13.

The latest version of Vault provider/Terraform does not appear to support connecting via UDS. It would be great to have this functionality added.

Terraform Version

$ terraform -v
Terraform v1.4.6
on linux_arm64
+ provider registry.terraform.io/hashicorp/vault v3.15.2

Terraform Configuration File

# main.tf

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">=3.15.2"
    }
  }
}

provider "vault" {
}

resource "vault_mount" "example" {
  path = "dummy"
  type = "generic"
}

Debug Output

Terraform Debug Output

Expected Behavior

Provider is able to communicate with Vault server via the Unix socket.

Actual Behavior

Connection fails:

Error: failed to configure Vault API: attempting to specify unix:// address with non-transport transport
│ 
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on main.tf line 10, in provider "vault":
│   10: provider "vault" {

Steps to Reproduce

  1. Create Vault server configuration file with UDS listener:

    # vault_inmem.hcl
    
    listener "unix" {
      address = "vault.sock"
    }
    
    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = true
    }
    
    storage "inmem" {}
    
  2. Run Vault server:

    $ vault server -config vault_inmem.hcl
    
  3. Confirm connectivity via UDS:

    $ export VAULT_ADDR="unix://vault.sock"
    $ vault status
    
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        false
    Sealed             true
    Total Shares       0
    Threshold          0
    Unseal Progress    0/0
    Unseal Nonce       n/a
    Version            1.13.2
    Build Date         2023-04-25T13:02:50Z
    Storage Type       inmem
    HA Enabled         false
    
  4. Initialise Vault:

    $ VAULT_INIT=$(vault operator init -key-shares=1 -key-threshold=1 -format=table)
    $ VAULT_UNSEAL=$(printf "${VAULT_INIT}" | grep "Unseal" | awk '{print $NF; }')
    $ vault operator unseal "${VAULT_UNSEAL}"
    $ export VAULT_TOKEN=$(printf "${VAULT_INIT}" | grep "Root" | awk '{print $NF; }')
    
  5. Create main.tf file with the following contents:

    # main.tf
    
    terraform {
      required_providers {
        vault = {
          source  = "hashicorp/vault"
          version = ">=3.15.2"
        }
      }
    }
    
    provider "vault" {
    }
    
    resource "vault_mount" "example" {
      path = "dummy"
      type = "generic"
    }
    
  6. Initialise Terraform:

    $ terraform init
    
  7. Attempt a plan and observe that it fails:

    $ terraform plan
    
    Error: failed to configure Vault API: attempting to specify unix:// address with non-transport transport
    │ 
    │   with provider["registry.terraform.io/hashicorp/vault"],
    │   on main.tf line 10, in provider "vault":
    │   10: provider "vault" {
    
  8. However, switching to TCP works as expected:

    $ export VAULT_ADDR="http://127.0.0.1:8200"
    $ terraform plan
    
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
    following symbols:
      + create
    
    Terraform will perform the following actions:
    
      # vault_mount.example will be created
      + resource "vault_mount" "example" {
          + accessor                     = (known after apply)
          + audit_non_hmac_request_keys  = (known after apply)
          + audit_non_hmac_response_keys = (known after apply)
          + default_lease_ttl_seconds    = (known after apply)
          + external_entropy_access      = false
          + id                           = (known after apply)
          + max_lease_ttl_seconds        = (known after apply)
          + path                         = "dummy"
          + seal_wrap                    = (known after apply)
          + type                         = "generic"
        }
    
    Plan: 1 to add, 0 to change, 0 to destroy.
    

References

111a5ab1 avatar May 31 '23 03:05 111a5ab1
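The error text above is, to my understanding, what the Vault Go API client returns when it is handed a `unix://` address but the HTTP client's `Transport` is not a plain `*http.Transport` (the only type on which it can override the dialer); a provider that wraps the transport in its own `RoundTripper` therefore cannot be pointed at a socket. The following Go program is an added example written for this page, not code from the provider or from Vault, and it reproduces both sides of that behaviour offline: it serves a constructed `/v1/sys/health` response on a Unix domain socket in a temporary directory, reaches it through a client with a plain transport, and shows the same check rejecting a client whose transport is wrapped. The function names, the `loggingRoundTripper` wrapper and the JSON body are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// socketDialer ignores the host/port in the request URL and connects to the
// given Unix domain socket instead.
func socketDialer(socketPath string) func(context.Context, string, string) (net.Conn, error) {
	return func(ctx context.Context, _, _ string) (net.Conn, error) {
		var d net.Dialer
		return d.DialContext(ctx, "unix", socketPath)
	}
}

// configureUnixAddress mirrors the check implied by the error in the issue
// (assumption about the client library, not its actual code): a unix://
// address can only be wired in when the client's transport is a plain
// *http.Transport, because that is the type exposing DialContext.
// On success it returns the application-layer base URL the client should use.
func configureUnixAddress(client *http.Client, address string) (string, error) {
	if !strings.HasPrefix(address, "unix://") {
		return address, nil // TCP addresses are passed through unchanged
	}
	socket := strings.TrimPrefix(address, "unix://")
	t, ok := client.Transport.(*http.Transport)
	if !ok {
		return "", errors.New("attempting to specify unix:// address with non-transport transport")
	}
	t.DialContext = socketDialer(socket)
	// The host is a placeholder: the dialer above never uses it.
	return "http://localhost", nil
}

// loggingRoundTripper is a hypothetical wrapper of the kind a provider might
// place around the transport (logging, retries). Wrapping hides the
// *http.Transport from the type assertion in configureUnixAddress.
type loggingRoundTripper struct{ next http.RoundTripper }

func (l loggingRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
	return l.next.RoundTrip(r)
}

// startSocketServer serves a constructed health document on a Unix socket
// created in a fresh temporary directory. The caller must invoke stop().
func startSocketServer() (socketPath string, stop func(), err error) {
	dir, err := os.MkdirTemp("", "vault-uds")
	if err != nil {
		return "", nil, err
	}
	socketPath = filepath.Join(dir, "vault.sock")
	ln, err := net.Listen("unix", socketPath)
	if err != nil {
		os.RemoveAll(dir)
		return "", nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/health", func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"initialized":false,"sealed":true}`) // constructed sample body
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	return socketPath, func() { srv.Close(); os.RemoveAll(dir) }, nil
}

// healthOverSocket issues GET <baseURL>/v1/sys/health through client and
// returns the response body.
func healthOverSocket(client *http.Client, baseURL string) (string, error) {
	resp, err := client.Get(baseURL + "/v1/sys/health")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	sock, stop, err := startSocketServer()
	if err != nil {
		panic(err)
	}
	defer stop()

	// Plain transport: the unix:// address is accepted and the request succeeds.
	plain := &http.Client{Transport: &http.Transport{}}
	base, err := configureUnixAddress(plain, "unix://"+sock)
	if err != nil {
		panic(err)
	}
	body, err := healthOverSocket(plain, base)
	fmt.Println("plain transport:", body, err)

	// Wrapped transport: the same address is rejected with the issue's message.
	wrapped := &http.Client{Transport: loggingRoundTripper{next: &http.Transport{}}}
	_, err = configureUnixAddress(wrapped, "unix://"+sock)
	fmt.Println("wrapped transport:", err)
}
```

The practical consequence for operators is that a socket listener is only reachable from a client whose HTTP transport can be rewired at the dial layer; any wrapper that needs to sit around the transport has to be applied after the socket dialer is installed rather than replacing `*http.Transport` itself.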