terraform-provider-vault
[Bug]: vault_pki_secret_backend_config_ca returns wrong ID
Terraform Core Version
1.5.7
Terraform Vault Provider Version
3.23.0
Vault Server Version
1.15.2
Affected Resource(s)
https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_config_ca
Expected Behavior
The resource should return the actual ID and not the mount point of the secret engine.
The ID should look something like: fea6b09f-40a2-178a-eb34-9b3a139b2825
Actual Behavior
When we try to access the id of pki_secret_backend_config_ca, the provider returns "pki" instead of the actual ID of the resource on Vault.
Relevant Error/Panic Output Snippet
# module.aspi-pki.vault_pki_secret_backend_issuer.main-issuers["test-other-certificate"] will be updated in-place
~ resource "vault_pki_secret_backend_issuer" "main-issuers" {
id = "pki/issuer/fea6b09f-40a2-178a-eb34-9b3a139b2825"
~ issuer_ref = "fea6b09f-40a2-178a-eb34-9b3a139b2825" -> "pki" #<-- ! Wrong ID from the config_ca resource !
# (10 unchanged attributes hidden)
}
Plan: 0 to add, 2 to change, 0 to destroy.
Terraform Configuration Files
https://gist.github.com/tobsval/09e698a9a5a876c272248c34b17a7ee3
Steps to Reproduce
See attached code
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
No
Looking at the Go code, perhaps the issue is at this line? https://github.com/hashicorp/terraform-provider-vault/blob/e3f8bc994c895ec7a7538cee9cf0b30cf9368975/vault/resource_pki_secret_backend_config_ca.go#L63C2-L63C18
The ID seems set to "backend" rather than the actual Vault-side ID of the issuer.
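To make the distinction concrete, here is an added illustration (not the provider's code) of how the issuer ID would be taken from the config/ca API response instead of the mount path; it assumes Vault answers `POST <mount>/config/ca` with a data map carrying `imported_issuers` (new bundles) and `existing_issuers` (bundles already known), which is how the endpoint is documented for Vault 1.11+.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoIssuer is returned when the config/ca response names no issuer at all.
var ErrNoIssuer = errors.New("config/ca response contains no issuer ID")

// toStrings converts a JSON-decoded list ([]interface{} or []string) into
// []string, skipping entries that are not strings.
func toStrings(v interface{}) []string {
	switch l := v.(type) {
	case []string:
		return l
	case []interface{}:
		out := make([]string, 0, len(l))
		for _, e := range l {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// issuerIDFromConfigCA picks the Vault-side issuer UUID out of the data map
// returned by POST <mount>/config/ca (assumed response shape, see lead-in).
// A freshly imported bundle is listed under "imported_issuers"; a bundle Vault
// already held is reported under "existing_issuers". The result is the issuer
// UUID, never the mount path such as "pki".
func issuerIDFromConfigCA(data map[string]interface{}) (string, error) {
	for _, key := range []string{"imported_issuers", "existing_issuers"} {
		if ids := toStrings(data[key]); len(ids) > 0 {
			return ids[0], nil
		}
	}
	return "", ErrNoIssuer
}

func main() {
	// Constructed sample reply; the issuer UUID is the one quoted in the issue.
	resp := map[string]interface{}{
		"imported_issuers": []interface{}{"fea6b09f-40a2-178a-eb34-9b3a139b2825"},
		"imported_keys":    []interface{}{"<key-uuid-placeholder>"},
	}
	id, err := issuerIDFromConfigCA(resp)
	fmt.Println(id, err) // prints the issuer UUID and <nil>
}
```

With that value in hand, a dependent vault_pki_secret_backend_issuer could reference a real issuer_ref rather than the backend name.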
We're running into this problem as well. Our state demonstrates the issue pretty clearly, I feel:
resource "vault_pki_secret_backend_config_ca" "ca" {
backend = "pki"
id = "pki"
pem_bundle = (sensitive value)
}
We can't chain this into setting the issuer name and setting it as the default issuer on the mount. This is a pretty big problem.
+1, I am also affected by this issue. It doesn't seem to be possible to name the resultant issuer, or set it as default, as I have no way to access the issuer.
It may be related or a different issue, but when deleting the vault_pki_secret_backend_config_ca resource, the issuer is not correctly removed from Vault.