terraform-provider-vault
Documentation of data source "vault_aws_access_credentials" doesn't list "region" as a parameter
As it says in the subject... the `vault_aws_access_credentials` data source supports a `region` argument that isn't documented. It's in the source code, just not in the docs (as of today). Please fix it to spare potential pain to your users.
This has caused me to waste several days trying to get something to work that should have taken 5 minutes... I was pretty sure I knew what the issue was all along, but since that argument wasn't documented, I kept circling back, starting from scratch, testing outside of Terraform, trying slightly different approaches...
First: you don't have to read this long explanation if you don't feel like it, since all that matters is for someone to fix the documentation.
Nevertheless, I want to provide some context in case it's helpful to some: I have a very basic use case where I want to authenticate Terraform Enterprise workspaces to AWS. The TFE workspace logs in to Vault, reads from a Vault role that requests to assume a pre-set AWS role via STS, obtains credentials (access key, secret key, session token) and passes them to the TF AWS provider to manage infrastructure.
I have a working setup with regular non-GovCloud AWS, all set up via Terraform and this provider, so I just copy-pasted that code and tweaked it as needed for GovCloud. It all worked up to the point of obtaining the credentials.
During troubleshooting, I proved that the GovCloud setup was working as far as Vault was concerned, because I could do everything via CLI and obtain functional AWS GovCloud credentials. So I knew nothing was wrong with TFE or with Vault and it had to be my code or this provider.
But when moving the workflow entirely to TF, I kept getting this error:
```text
Terraform v0.13.5
Configuring remote state backend...
Initializing Terraform configuration...
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.vault_aws_access_credentials.creds_govcloud: Refreshing state...
Error: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: 1229951a-aa13-4522-afa2-96725dea140c
on main.tf line 50, in data "vault_aws_access_credentials" "creds_govcloud":
50: data "vault_aws_access_credentials" "creds_govcloud" {
```
That error is coming from AWS, not Vault. You can get it in a few scenarios, but the relevant scenario here is when you try to use AWS non-GovCloud credentials with GovCloud and vice versa. So I was pretty sure what the issue was: the AWS region wasn't getting set correctly (IAM doesn't require you to set a region, but because GovCloud uses non-standard endpoints, you must set the region when using GovCloud). I just couldn't figure out a way to set the region at the TF level (setting the `AWS_DEFAULT_REGION` env variable didn't work), and since the `region` argument wasn't documented for the aforementioned data source, I took the docs at face value and never even tried it.
Finally after trying to get this working for days, I decided I must be doing something wrong or there's a horrible, glaring bug that, somehow, nobody has noticed. So I went looking at the source code... and sure enough, there it is. Of course my GovCloud setup worked fine after I added that.
So I don't know how you generate your docs (I thought it was automatic), but clearly you've got a problem there.
Terraform Version
TF v0.13.5, Vault provider v2.15.0
Affected Resource(s)
- data source: vault_aws_access_credentials
Terraform Configuration Files
I don't think it matters but here's an example anyway:
I have a TFE workspace that only manages Vault configuration, here's the relevant bit of code:
```hcl
variable "aws_govcloud_access_key" {
  type = string
}

variable "aws_govcloud_secret_key" {
  type = string
}

# The secrets backend itself is pinned to the GovCloud region.
resource "vault_aws_secret_backend" "aws_govcloud" {
  description = "AWS GovCloud secrets backend"
  path        = "aws_govcloud"
  region      = "us-gov-west-1"
  access_key  = var.aws_govcloud_access_key
  secret_key  = var.aws_govcloud_secret_key
}

# Role that assumes a pre-set GovCloud IAM role via STS (note the aws-us-gov ARN partition).
resource "vault_aws_secret_backend_role" "aws_govcloud_test" {
  backend         = vault_aws_secret_backend.aws_govcloud.path
  name            = "role-terraform-aws-govcloud-test"
  credential_type = "assumed_role"
  role_arns       = ["arn:aws-us-gov:iam::xxxxxxxxxxxx:role/vault-test-role"]
}
```
And then in the workspace that's supposed to manage infrastructure:
```hcl
# No region on the data source: this is the configuration that produces the 403 above.
data "vault_aws_access_credentials" "creds_govcloud" {
  backend = "aws_govcloud"
  role    = "role-terraform-aws-govcloud-test"
  type    = "sts"
}

provider "aws" {
  region     = "us-gov-west-1"
  access_key = data.vault_aws_access_credentials.creds_govcloud.access_key
  secret_key = data.vault_aws_access_credentials.creds_govcloud.secret_key
  token      = data.vault_aws_access_credentials.creds_govcloud.security_token
}
```
If you do that, you should get the error I was getting. And if you tweak the creds data source like so:
```hcl
# Same data source with the undocumented region argument set to the GovCloud region.
data "vault_aws_access_credentials" "creds_govcloud" {
  backend = "aws_govcloud"
  role    = "role-terraform-aws-govcloud-test"
  type    = "sts"
  region  = "us-gov-west-1"
}
```
...then it works fine.
Please fix the documentation :)
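The partition mismatch this report describes, written up as an added preflight check that is not part of the issue or of the provider: it derives the AWS partition from the role ARN and from the region the data source would use, and flags the combination that sends GovCloud credentials to the commercial STS endpoint. The ARN and region values are the issue's own; the endpoint and partition mapping is general AWS behaviour, and the assumption that an unset region falls back to the commercial global STS endpoint is what the 403 in the report implies.

```python
import re
from typing import List, Optional

# Region prefix -> (ARN partition, DNS suffix). Anything else is the commercial "aws" partition.
_PARTITIONS = [
    ("us-gov-", "aws-us-gov", "amazonaws.com"),
    ("cn-", "aws-cn", "amazonaws.com.cn"),
]


def partition_for_region(region: Optional[str]) -> str:
    """Partition an SDK call targets for a region; None (region unset) means commercial."""
    if region:
        for prefix, partition, _ in _PARTITIONS:
            if region.startswith(prefix):
                return partition
    return "aws"


def sts_endpoint(region: Optional[str]) -> str:
    """STS endpoint the call goes to: the global commercial endpoint when no region is set
    (assumed default, matching the report), otherwise the regional endpoint for that partition."""
    if not region:
        return "sts.amazonaws.com"
    for prefix, _, suffix in _PARTITIONS:
        if region.startswith(prefix):
            return f"sts.{region}.{suffix}"
    return f"sts.{region}.amazonaws.com"


def partition_of_arn(arn: str) -> str:
    """Second ARN field: aws, aws-us-gov or aws-cn."""
    m = re.match(r"^arn:(aws(?:-[a-z-]+)?):", arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group(1)


def check_sts_role(role_arn: str, data_source_region: Optional[str]) -> List[str]:
    """Findings for a vault_aws_access_credentials data source (type = "sts") that assumes role_arn.
    Empty list means the role's partition and the region the credentials will be used in agree."""
    findings = []
    arn_part = partition_of_arn(role_arn)
    call_part = partition_for_region(data_source_region)
    if arn_part != call_part:
        findings.append(
            f"role ARN is in partition {arn_part} but the credentials will be sent to "
            f"{sts_endpoint(data_source_region)} ({call_part}); set region to a {arn_part} region"
        )
    return findings
```

Running it on the issue's role ARN with `region` unset reports the mismatch; with `region = "us-gov-west-1"` it reports nothing.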
This is still not documented, bump.