
[Bug]: vault_jwt_auth_backend not added to state if error during configuration

Open nmasur opened this issue 1 year ago • 3 comments

Terraform Core Version

1.8.0

Terraform Vault Provider Version

3.23.0

Vault Server Version

1.15.4+ent

Affected Resource(s)

  • vault_jwt_auth_backend

Expected Behavior

If there is an error configuring the backend during apply/creation (such as "error checking oidc discovery URL") then either one of the following should take place:

  • The backend should remain and be updated in state, while the apply is considered to have failed.
  • Or the backend should be removed completely and still be considered as having failed to create.

Actual Behavior

If there is an error because the OIDC URL is unreachable (due to a firewall block, say), you get the following message:

Error: error updating configuration to Vault for path myjwtbackend: Error making API request.

Namespace: mynamespace
URL: PUT https://vault.mycorp.com/v1/auth/myjwtbackend/config
Code: 400. Errors:

* error checking oidc discovery URL

However, the resource is not cleaned up, nor is it added to state. This means that the Terraform provider has left the auth backend dangling on the Vault server. If you try to run it again, you'll now see this error:

* path is already in use at myjwtbackend/

This means that somebody has to go into Vault and manually clean up the dropped resource. Ideally, this should be added to state even if it fails. Maybe it could instead be rolled back if necessary.

Relevant Error/Panic Output Snippet

vault_jwt_auth_backend.kubernetes["myjwtbackend"]: Creating...
╷
│ Error: error writing to Vault: Error making API request.
│ 
│ Namespace: mynamespace
│ URL: POST https://vault.mycorp.com/v1/sys/auth/myjwtbackend
│ Code: 400. Errors:
│ 
│ * path is already in use at myjwtbackend/
│ 
│   with vault_jwt_auth_backend.kubernetes["myjwtbackend"],
│   on policies_handler.tf line 315, in resource "vault_jwt_auth_backend" "kubernetes":
│  315: resource "vault_jwt_auth_backend" "kubernetes" {
│ 
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Terraform Configuration Files

locals {
  all_kubernetes_clusters = {
    myjwtbackend = {
      url = "https://some.invalid.url:6300"
    }
  }
}

resource "vault_jwt_auth_backend" "kubernetes" {
  for_each           = local.all_kubernetes_clusters
  description        = "Kubernetes cluster for ${each.key}"
  path               = each.key
  oidc_discovery_url = each.value.url
  bound_issuer       = each.value.url
}

Steps to Reproduce

  1. Add a vault_jwt_auth_backend resource where the OIDC discovery URL is unreachable.
  2. Run the Terraform apply to see the error in creating the resource.
  3. Run the Terraform apply again to now see "path is already in use" error.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

nmasur Apr 15 '24 16:04
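The rollback behaviour the report asks for, shown as an added Go example that is not the provider's own code: the mount is enabled, the config write is attempted, and on failure the mount is disabled again so a second apply does not hit "path is already in use". It assumes a hypothetical AuthMounter interface and a constructed in-memory fakeVault in place of a real Vault server.

```go
package main

import "fmt"
// AuthMounter is a hypothetical minimal view of the Vault sys API (the real provider calls vault/api directly).
type AuthMounter interface {
	EnableAuth(path string) error
	WriteConfig(path string, cfg map[string]interface{}) error
	DisableAuth(path string) error
}

// CreateJWTAuthBackend enables the mount, then writes its config. If the config write
// fails (e.g. "error checking oidc discovery URL") the mount is disabled again so no
// dangling backend is left; the returned ID is what to record in state ("" = nothing).
func CreateJWTAuthBackend(m AuthMounter, path string, cfg map[string]interface{}) (string, error) {
	if err := m.EnableAuth(path); err != nil {
		return "", fmt.Errorf("error writing to Vault: %w", err)
	}
	if err := m.WriteConfig(path, cfg); err != nil {
		cfgErr := fmt.Errorf("error updating configuration to Vault for path %s: %w", path, err)
		if rbErr := m.DisableAuth(path); rbErr != nil {
			// Rollback failed: the mount still exists, so return its ID (SDKv2 then
			// records the resource as tainted) and surface both errors.
			return path, fmt.Errorf("%v; rollback failed, mount left in place: %v", cfgErr, rbErr)
		}
		return "", cfgErr
	}
	return path, nil
}

// fakeVault is a constructed in-memory stand-in for a Vault server.
type fakeVault struct {
	mounts     map[string]bool
	configErr  error // injected failure for WriteConfig
	disableErr error // injected failure for DisableAuth
}

func (f *fakeVault) EnableAuth(path string) error {
	if f.mounts[path] {
		return fmt.Errorf("path is already in use at %s/", path)
	}
	f.mounts[path] = true
	return nil
}
func (f *fakeVault) WriteConfig(string, map[string]interface{}) error { return f.configErr }
func (f *fakeVault) DisableAuth(path string) error {
	if f.disableErr != nil {
		return f.disableErr
	}
	delete(f.mounts, path)
	return nil
}
```

When the rollback itself fails, the ID is still returned so the resource lands in state instead of being silently orphaned on the server.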