
[New Resource]: `vault_ldap_auth_backend_group_policy_attachment` to work around policy overriding

Open jonatas-lima opened this issue 6 months ago • 0 comments

Description

The problem

Use case: Policy management in different Terraform projects.

The default behaviour of the vault_ldap_auth_backend_group is to override the policies attribute. This causes a problem when the same LDAP group is managed by multiple Terraform projects: the policies set by one project can unintentionally overwrite those set by another.

To work around this, we need to retrieve the existing attached policies externally before applying changes. For example:

```hcl
locals {
  # Policies currently attached to the group, read out of band from the
  # Vault API; falls back to an empty list if the lookup yields no data.
  existing_policies = {
    "LDAP-GROUP" = try(jsondecode(data.http.ldap_groups.response_body).data.policies, [])
  }
}

data "http" "ldap_groups" {
  url = "${var.vault_url}/v1/auth/ldap/groups/LDAP-GROUP"
  request_headers = {
    "X-Vault-Token" = local.vault_token
  }
}

resource "vault_policy" "sample" {
  name   = "example"
  policy = <<-EOT
  path "sample-mount/*" {
    capabilities = ["read", "list", "create", "delete", "update"]
  }
  EOT
}

resource "vault_ldap_auth_backend_group" "sample" {
  backend   = local.vault_ldap_auth_backend
  groupname = "LDAP-GROUP"

  # concat() takes lists, so index the map by group name instead of
  # passing the whole map.
  policies = toset(concat(
    local.existing_policies["LDAP-GROUP"],
    [vault_policy.sample.name],
  ))

  lifecycle {
    prevent_destroy = true
  }
}
```

Suggestion

It would be much cleaner if the provider supported managing policy attachments independently instead of always overwriting the full list of policies.

This could be implemented similarly to how the Kubernetes provider models resources like kubernetes_config_map_v1_data, where each update modifies specific keys without overwriting the entire object.

A resource like vault_ldap_auth_backend_group_policy_attachment would allow Terraform to manage single policy attachments safely across different projects, without the need for external reads or manual merging.

Potential Terraform Configuration

```hcl
resource "vault_ldap_auth_backend_group_policy_attachment" "sample" {
  backend   = local.vault_ldap_auth_backend
  groupname = "LDAP-GROUP"

  policies = [vault_policy.sample.name]
}
```

References

  • https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1_data
  • https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1_data

Would you like to implement a fix?

Yes

jonatas-lima · Apr 28 '25 15:04
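The merge semantics that both the workaround above and the suggested attachment resource rely on, as an added example in Go (the provider's language); this is not code from terraform-provider-vault or from the issue author. It parses the same `data.policies` field of the LDAP group read response that the `data.http` workaround reads, then computes "attach" as the union of already-attached and managed policies and "detach" as the difference, so other projects' attachments survive both apply and destroy. The response body is a constructed sample, and the function names `existingPolicies`, `attachPolicies` and `detachPolicies` are my own:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ldapGroupRead models the JSON body Vault returns for
// GET /v1/auth/ldap/groups/<name>; only the field the issue's
// workaround consumes (data.policies) is modelled here.
type ldapGroupRead struct {
	Data struct {
		Policies []string `json:"policies"`
	} `json:"data"`
}

// existingPolicies parses the group read response into the list of
// currently attached policies. An empty body (for example, the group
// does not exist yet) yields an empty list, mirroring try(..., []) in
// the HCL workaround. Malformed JSON is reported, not swallowed.
func existingPolicies(body []byte) ([]string, error) {
	if len(body) == 0 {
		return []string{}, nil
	}
	var r ldapGroupRead
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.Data.Policies == nil {
		return []string{}, nil
	}
	return r.Data.Policies, nil
}

// attachPolicies is the create/update semantic of the proposed
// attachment resource: the union of what is already attached and what
// this project manages, deduplicated and sorted so repeated applies
// produce a stable result (no spurious diffs).
func attachPolicies(existing, managed []string) []string {
	seen := make(map[string]struct{}, len(existing)+len(managed))
	for _, p := range existing {
		seen[p] = struct{}{}
	}
	for _, p := range managed {
		seen[p] = struct{}{}
	}
	return sortedKeys(seen)
}

// detachPolicies is the destroy semantic: remove only the policies this
// project manages, leaving attachments made by other projects in place.
func detachPolicies(existing, managed []string) []string {
	drop := make(map[string]struct{}, len(managed))
	for _, p := range managed {
		drop[p] = struct{}{}
	}
	keep := make(map[string]struct{}, len(existing))
	for _, p := range existing {
		if _, ok := drop[p]; !ok {
			keep[p] = struct{}{}
		}
	}
	return sortedKeys(keep)
}

func sortedKeys(m map[string]struct{}) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample of a group read response; "team-a-read" stands in
	// for a policy attached by some other Terraform project.
	body := []byte(`{"data":{"groupname":"LDAP-GROUP","policies":["default","team-a-read"]}}`)
	existing, err := existingPolicies(body)
	if err != nil {
		panic(err)
	}
	managed := []string{"example"} // vault_policy.sample.name in the issue
	attached := attachPolicies(existing, managed)
	fmt.Println("after attach:", attached)
	fmt.Println("after detach:", detachPolicies(attached, managed))
}
```

Whether done in HCL or inside a provider resource, this is still a read-modify-write against the group, so two projects applying at the same moment can race. The `try(..., [])` fallback in the workaround also deserves a guard: if the read fails in a way that still yields a body without `data.policies` (depending on the `http` provider version, a non-2xx response may not be treated as an error), the fallback is an empty list and the next apply would write only this project's policy over the group, which is exactly the override the issue is trying to avoid. Asserting on `data.http.ldap_groups.status_code` with a `lifecycle` postcondition makes that failure loud instead of silent.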