terraform-provider-vault
[Enhancement]: Combine short-lived (child) tokens with long-running provisioning
Description
We are using Hashicorp Vault with kv2 storage and userpass auth.
Our security policy defines an expiration of inactive sessions after 15min. In the context of Vault, we configured a token ttl of 15min and a max_ttl of 24 hours.
We want to provision infrastructure by other terraform providers and store resulting credentials into vault.
The provisioning takes longer than 15min.
The current implementation of the terraform-provider-vault authenticates to Vault at the beginning of the infrastructure provisioning (terraform apply > yes) and never renews the resulting token.
Therefore the token expires before the infra provisioning has finished, and terraform cannot write the resulting secrets to Vault (permission denied due to expired token).
Possible solutions:
- Authenticate to vault just before the secret is written to vault, not at the beginning of infra provisioning
- Implement token renewal
#965
Regards Simon
Affected Resource(s) and/or Data Source(s)
terraform-provider-vault
Potential Terraform Configuration
Backend Vault configuration is configured with secure, short-lived tokens, e.g. auth userpass:
vault auth tune -default-lease-ttl=900 -max-lease-ttl=86400 userpass
Initial token expires after 15min, but could be renewed up to 24 hours
References
No response
Would you like to implement a fix?
None
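The failure mode in this issue, and the effect of the proposed token renewal, as an added simulation that is not part of the issue or of terraform-provider-vault. It assumes the ttl/max_ttl values from the issue (900s / 86400s) and Vault's renewal semantics: a renewal extends the expiry by ttl but never beyond creation + max_ttl, and an already expired token cannot be renewed.

```python
"""Simulate a Vault token's lifetime across a long terraform apply.

Constructed example; not code from terraform-provider-vault. Assumes the
issue's tune values (ttl=900s, max_ttl=86400s) and that each renewal sets
the expiry to min(now + ttl, created + max_ttl), which is how Vault caps
renewals of a renewable token.
"""
from dataclasses import dataclass
from typing import Optional

TTL = 900        # -default-lease-ttl=900 (15 min)
MAX_TTL = 86400  # -max-lease-ttl=86400  (24 h)


@dataclass
class Token:
    created: int   # seconds since the token was issued by userpass login
    ttl: int
    max_ttl: int
    expires: int = 0

    def __post_init__(self) -> None:
        self.expires = self.created + self.ttl

    def valid_at(self, t: int) -> bool:
        return t < self.expires

    def renew(self, now: int) -> bool:
        """Renew at time `now`; returns False if the token already expired."""
        if not self.valid_at(now):
            return False
        # Vault never extends past creation + max_ttl, whatever the ttl is.
        self.expires = min(now + self.ttl, self.created + self.max_ttl)
        return True


def apply_succeeds(provision_seconds: int, renew_every: Optional[int]) -> bool:
    """Provision for `provision_seconds`, then write the secret to Vault.

    renew_every=None reproduces the current provider behaviour (login once,
    never renew); an integer models a background renewer firing at that interval.
    """
    tok = Token(created=0, ttl=TTL, max_ttl=MAX_TTL)
    t = 0
    if renew_every:
        while t + renew_every < provision_seconds:
            t += renew_every
            if not tok.renew(t):   # renewal after expiry is rejected
                return False
    # The vault_* resources write their secrets once provisioning finishes.
    return tok.valid_at(provision_seconds)
```

Two things the simulation makes visible: the renew interval must be shorter than the ttl (renewing every 1000s still fails against a 900s ttl), and renewal only buys time up to max_ttl, so an apply longer than 24h still fails with these settings.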