
[Bug]: Make algorithm_signer in ssh_secret_backend_role nullable

Open OfficerKoo opened this issue 5 months ago • 0 comments

Terraform Core Version

1.7.5

Terraform Vault Provider Version

5.0.0

Vault Server Version

1.16.3

Affected Resource(s)

vault ssh_secret_backend_role

Expected Behavior

Setting algorithm_signer = null or algorithm_signer = default should remove the already set up value.

Actual Behavior

Provision a role with algorithm_signer set to some value, then remove it or set it to null. The plan will show no changes in configuration.

Relevant Error/Panic Output Snippet

Waiting for the plan to start...

Terraform v1.7.5
on linux_amd64
Initializing plugins and modules...
vault_mount.ssh: Refreshing state... [id=ssh]
vault_ssh_secret_backend_ca.ssh: Refreshing state... [id=ssh]
vault_ssh_secret_backend_role.this["admin"]: Refreshing state... [id=ssh/roles/admin]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

------------------------------------------------------------------------

Cost Estimation:

Resources: 0 of 3 estimated
           $0.0/mo +$0.0

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply"
now.

Terraform Configuration Files


resource "vault_ssh_secret_backend_role" "this" {
  for_each                = { for role in var.roles : role.name => role }
  name                    = each.key
  backend                 = vault_mount.ssh.path
  key_type                = "ca"
  default_user            = each.value.default_user
  allowed_users           = join(",", each.value.allowed_users)
  cidr_list               = join(",", each.value.cidr_list)
  allowed_extensions      = join(",", each.value.allowed_extensions)
  default_extensions      = each.value.default_extensions
  ttl                     = each.value.ttl
  max_ttl                 = each.value.max_ttl
  # algorithm_signer        = "rsa-sha2-512"
  # Initially I provisioned the role with RSA keys to test; after that I decided
  # to switch to more secure key types, which only support the default signer.
  allow_user_certificates = true
  allowed_user_key_config {
    type    = "ed25519"
    lengths = [0]
  }
  allowed_user_key_config {
    type    = "ssh-ed25519"
    lengths = [0]
  }
}

Steps to Reproduce

Provision a role with algorithm_signer set to some value, then remove it or set it to null. The plan will show no changes in configuration.

Debug Output

No response

Panic Output

No response

Important Factoids

For any key type except rsa, algorithm_signer must be empty. https://github.com/hashicorp/vault/issues/10067

References

No response

Would you like to implement a fix?

None

OfficerKoo, Jun 11 '25 07:06
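Because the plan above reports no changes while Vault still holds the old signer, an out-of-band check of the role is the practical way to catch this drift until the provider fix lands. The script below is an added example, not code from the issue author or from terraform-provider-vault: it parses the JSON that `vault read -format=json ssh/roles/<name>` returns (the role document is constructed for the example, not a real capture) and flags roles whose allowed user key types contain no RSA type but whose algorithm_signer is still set, which the linked Vault issue says is invalid. The field names `allowed_user_key_types_lengths` / `allowed_user_key_lengths`, treating `"default"` the same as an empty signer, and the suggested `terraform apply -replace=...` remediation are assumptions made here.

```python
import json

# Constructed sample (not a real capture) of what
#   vault read -format=json ssh/roles/admin
# returns after the role was created with algorithm_signer = "rsa-sha2-512"
# and the attribute was then dropped from the Terraform config: the plan is
# clean, but Vault still holds the old signer.
SAMPLE_ROLE_JSON = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "key_type": "ca",
        "default_user": "ubuntu",
        "allowed_users": "ubuntu,deploy",
        "allow_user_certificates": True,
        # Field name as returned by recent Vault versions; the older name
        # allowed_user_key_lengths is also accepted below (assumption).
        "allowed_user_key_types_lengths": {"ed25519": [0], "ssh-ed25519": [0]},
        "algorithm_signer": "rsa-sha2-512",
        "ttl": "1h",
        "max_ttl": "24h",
    },
})

# Key types for which an explicit RSA signing algorithm is meaningful.
RSA_KEY_TYPES = {"rsa", "ssh-rsa"}

# Signer values that mean "let the CA pick": empty per the linked Vault issue,
# "default" per the issue title (assumption: both are treated as clean).
CLEAN_SIGNERS = {"", "default"}


def parse_role(raw_json):
    """Return the `data` section of a `vault read -format=json` document."""
    return json.loads(raw_json)["data"]


def allowed_key_types(role):
    """Key types the role permits for user keys, under either field name."""
    lengths = (role.get("allowed_user_key_types_lengths")
               or role.get("allowed_user_key_lengths")
               or {})
    return set(lengths)


def check_signer(name, role):
    """Return a finding if a non-RSA role still carries an RSA signer, else None."""
    signer = role.get("algorithm_signer", "")
    if signer in CLEAN_SIGNERS:
        return None
    key_types = allowed_key_types(role)
    if not key_types or not key_types.isdisjoint(RSA_KEY_TYPES):
        # RSA keys are allowed (or no restriction at all): the signer is legitimate.
        return None
    return {
        "role": name,
        "signer": signer,
        "key_types": sorted(key_types),
        # Terraform does not see the drift, so force a recreate from the current
        # config (assumption: a fresh create writes the role without the stale signer).
        "fix": f"terraform apply -replace='vault_ssh_secret_backend_role.this[\"{name}\"]'",
    }


def scan_roles(raw_roles):
    """raw_roles maps role name -> raw JSON from `vault read -format=json`."""
    findings = []
    for name, raw in raw_roles.items():
        finding = check_signer(name, parse_role(raw))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_roles({"admin": SAMPLE_ROLE_JSON}):
        print(f"role {f['role']}: algorithm_signer={f['signer']} but only "
              f"{', '.join(f['key_types'])} keys are allowed; run: {f['fix']}")
```

In practice you would feed `scan_roles` the output of `vault list -format=json ssh/roles` followed by one `vault read -format=json` per role; the check only uses the role document, so it works the same against any mount path.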