terraform-provider-vault
[Bug]: vault_kv_secret (v1) doesn't refresh `data_json` and doesn't detect drift
Terraform Core Version
v1.6.2, v1.7.3
Terraform Vault Provider Version
v3.25.0
Vault Server Version
v1.15.5 (on HCP)
Affected Resource(s)
vault_kv_secret
Expected Behavior
Expected the change to be detected as drift and a plan to be in place to correct it back to joey1.
Actual Behavior
vault_kv_secret.test_secrets: Refreshing state... [id=joey/supersecret]
No changes. Your infrastructure matches the configuration.
I have also provided the full output of terraform state pull as a snippet, below. Note the discrepancy between data and data_json.
Relevant Error/Panic Output Snippet
{
  "version": 4,
  "terraform_version": "1.7.3",
  "serial": 4,
  "lineage": "83627fd8-5369-2b3a-747b-1500de8377de",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "vault_kv_secret",
      "name": "test_secrets",
      "provider": "provider[\"registry.terraform.io/hashicorp/vault\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "data": {
              "value": "joey2"
            },
            "data_json": "{\"value\":\"joey1\"}",
            "id": "joey/supersecret",
            "namespace": null,
            "path": "joey/supersecret"
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }
  ],
  "check_results": null
}
Terraform Configuration Files
provider "vault" {
  address   = "REDACTED"
  namespace = "admin"
}
resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}
Steps to Reproduce
Created a resource:
resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}
Ran Terraform, then changed the secret to joey2 in the Vault UI. Ran terraform refresh, then terraform plan.
Would you like to implement a fix?
None
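The discrepancy between `data` and `data_json` shown in the state snippet above can be checked for mechanically. The following is an added example, not part of the issue or of the provider's code: it scans `terraform state pull` output for managed `vault_kv_secret` resources where the two attributes disagree. The names `staleKVSecrets`, `tfState` and `sampleState` are introduced here, and the comparison assumes flat string values as in the reported secret.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Constructed sample: the page's state snippet cut down to the fields read below.
const sampleState = `{"resources":[{"mode":"managed","type":"vault_kv_secret","name":"test_secrets",
"instances":[{"attributes":{"data":{"value":"joey2"},"data_json":"{\"value\":\"joey1\"}"}}]}]}`

// tfState declares only the parts of a version 4 state file this check needs.
type tfState struct {
	Resources []struct {
		Mode, Type, Name string
		Instances        []struct {
			Attributes struct {
				Data     map[string]interface{} `json:"data"`
				DataJSON string                 `json:"data_json"`
			} `json:"attributes"`
		} `json:"instances"`
	} `json:"resources"`
}

// staleKVSecrets returns the addresses of managed vault_kv_secret resources whose
// refreshed "data" map differs from data_json, or whose data_json cannot be decoded.
func staleKVSecrets(state []byte) ([]string, error) {
	var s tfState
	if err := json.Unmarshal(state, &s); err != nil {
		return nil, fmt.Errorf("parsing state: %w", err)
	}
	var stale []string
	for _, r := range s.Resources {
		if r.Mode != "managed" || r.Type != "vault_kv_secret" {
			continue
		}
		for _, inst := range r.Instances {
			var want map[string]interface{}
			err := json.Unmarshal([]byte(inst.Attributes.DataJSON), &want)
			if err != nil || !reflect.DeepEqual(want, inst.Attributes.Data) {
				stale = append(stale, r.Type+"."+r.Name)
			}
		}
	}
	return stale, nil
}

func main() {
	fmt.Println(staleKVSecrets([]byte(sampleState)))
}
```

The function returns resource addresses only, so its output can be logged without exposing the secret values held in state.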
I'm no expert but I think this might be as simple as the following patch:
diff --git a/vault/resource_kv_secret.go b/vault/resource_kv_secret.go
index 0d666d6f..1e10c6b2 100644
--- a/vault/resource_kv_secret.go
+++ b/vault/resource_kv_secret.go
@@ -108,6 +108,15 @@ func kvSecretRead(_ context.Context, d *schema.ResourceData, meta interface{}) d
 		return diag.FromErr(err)
 	}
 
+	jsonData, err := json.Marshal(data)
+	if err != nil {
+		return diag.Errorf("error marshaling JSON for %q: %s", path, err)
+	}
+
+	if err := d.Set(consts.FieldDataJSON, string(jsonData)); err != nil {
+		return diag.FromErr(err)
+	}
+
 	return nil
 }
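Review bot: the value written by d.Set(consts.FieldDataJSON, string(jsonData)) is json.Marshal's own rendering of data (compact, and with keys sorted if data is a map), so a data_json that the configuration supplies with different whitespace or key order would compare unequal on every plan unless the attribute is already compared as JSON rather than as text. It is worth confirming that, and normalizing the configured value the same way if not. The diff has no import hunk, so encoding/json must already be imported in resource_kv_secret.go for this to compile. An acceptance test that changes the secret outside Terraform and expects a non-empty plan would keep this from regressing.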
                                    
                                    
                                    
                                
Closed by https://github.com/hashicorp/terraform-provider-vault/pull/2207