
[Bug]: resource `vault_identity_group_member_group_ids` does not write change?

Open rjhornsby opened this issue 1 year ago • 8 comments

Terraform Core Version

1.7.5

Terraform Vault Provider Version

4.0.0

Vault Server Version

1.15.6

Affected Resource(s)

Expected Behavior

The resource should populate the group membership list, and write this change to vault.

Actual Behavior

The resource appears to execute correctly, but when you plan or apply again TF says that it needs to add the same group_ids to the membership list that it supposedly just added. This happens regardless of whether you set exclusive to true or false.

If you do your apply, and then change the TF code to intentionally use an empty list, i.e. member_group_ids = [], TF will say no changes are needed.

This seems to confirm the theory that the list of ids isn't being written/committed to vault properly.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

# this is the target group that will have groups added to it
resource "vault_identity_group" "vault-users" {
  name     = "client-${var.client_abbrev}-vault-users"
  type     = "external"
  policies = concat(var.ex_vault_policies, [vault_policy.vault-users.id])
  lifecycle {
    ignore_changes = [member_entity_ids]
  }
}

# translate names of the additional groups into group_id values
data "vault_identity_group" "extra-groups" {
  for_each   = toset(var.vault_groups)
  group_name = each.value
}

# populate the member group_ids in the target group
resource "vault_identity_group_member_group_ids" "extra-groups" {
  group_id         = vault_identity_group.vault-users.id
  # edit: jsondecode is not necessary here as of provider 4.x(?)
  member_group_ids = [for group in data.vault_identity_group.extra-groups: group.group_id]
  exclusive        = false
}

I have verified that the group_id that's supposed to be added is a valid, existing vault group, i.e. it was resolved from the list of group names correctly.

Steps to Reproduce

You can use a simplified version of the above, obtaining valid group_ids of your own and hardcoding them:

resource "vault_identity_group_member_group_ids" "extra-groups" {
  group_id         = "98765-target-group-id"
  member_group_ids = ["012345-abcd-67890"]
  exclusive        = false
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

rjhornsby, Mar 14 '24 18:03
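A way to separate "the provider never wrote the IDs" from "the provider wrote them but reads them back wrong" is to inspect the group directly in Vault and recompute the plan from that state. The script below is an added example, not code from the terraform-provider-vault project or from the reporter. It parses the output of `vault read -format=json identity/group/id/<group_id>` (a real Vault CLI invocation; the `member_group_ids` field is part of the identity group read response) and reports which of the IDs the resource claims to manage are absent, then shows what a plan would compute in both `exclusive` modes. The JSON response embedded here is constructed sample data that mirrors the reporter's symptom (no member groups stored), and the group IDs are the placeholders from the issue.

```python
"""Check whether a Vault identity group actually holds the member group IDs a
vault_identity_group_member_group_ids resource claims to manage, and mirror the
plan Terraform would derive from Vault's real state.

Added example; not code from terraform-provider-vault.  Real usage:

    vault read -format=json identity/group/id/98765-target-group-id > group.json
    python3 check_member_groups.py group.json 012345-abcd-67890
"""
import json
import sys

# Constructed sample response, shaped like `vault read -format=json
# identity/group/id/<id>`.  Vault returns member_group_ids as null when the
# group has no member groups, which is what the reported symptom implies.
SAMPLE_VAULT_READ = json.dumps({
    "request_id": "constructed-sample",
    "data": {
        "id": "98765-target-group-id",          # placeholder ID from the issue
        "name": "client-acme-vault-users",      # assumed name
        "type": "external",
        "member_entity_ids": None,
        "member_group_ids": None,
        "policies": ["client-acme-vault-users"],
    },
})


def read_member_group_ids(vault_read_json: str) -> set[str]:
    """Extract the member group IDs Vault currently stores for the group."""
    data = json.loads(vault_read_json)["data"]
    return set(data.get("member_group_ids") or [])


def missing_member_group_ids(vault_read_json: str, expected_ids) -> set[str]:
    """IDs the Terraform resource says it added but Vault does not hold.
    A non-empty result after a clean apply means the write did not land."""
    return set(expected_ids) - read_member_group_ids(vault_read_json)


def plan_member_group_ids(current, desired, exclusive: bool):
    """Return (to_add, to_remove) the way a plan would present them.

    exclusive=True : Vault's list must equal `desired`; extra IDs are removed.
    exclusive=False: `desired` must be a subset; IDs not in `desired` are
                     left alone, so an empty `desired` always plans nothing.
    """
    current, desired = set(current), set(desired)
    to_add = desired - current
    to_remove = (current - desired) if exclusive else set()
    return to_add, to_remove


def main(argv) -> int:
    if len(argv) < 3:
        print(__doc__)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        vault_json = fh.read()
    expected = argv[2:]
    missing = missing_member_group_ids(vault_json, expected)
    current = read_member_group_ids(vault_json)
    print(f"stored in Vault : {sorted(current)}")
    print(f"expected        : {sorted(expected)}")
    print(f"missing         : {sorted(missing)}")
    for exclusive in (False, True):
        add, remove = plan_member_group_ids(current, expected, exclusive)
        print(f"exclusive={exclusive}: add={sorted(add)} remove={sorted(remove)}")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Reading the group back with the CLI (or the HTTP API it wraps) bypasses the provider's own Read function, so a non-empty "missing" set after apply points at the write path, while an empty one points at how the provider reads the list back. The plan helper also makes explicit that with `exclusive = false` an empty `member_group_ids` plans no changes whatever Vault holds, so that check only distinguishes the two modes when `exclusive = true`.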