terraform-provider-vault
change to vault_rabbitmq_secret_backend_role while not needed
Terraform Version
Terraform v0.13.6
Vault v1.6.1 (6d2db3f033e02e70202bef9ec896360062b88b03)
Affected Resource(s)
- vault_rabbitmq_secret_backend_role
Terraform Configuration Files
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 2.18.0"
    }
  }
  required_version = ">= 0.13"
}

resource "vault_rabbitmq_secret_backend_role" "my_role" {
  backend = "rabbitmq"
  name    = "my_role"
  tags    = "management"
  vhost {
    host      = "cosmos"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "customer"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "demand"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "ei"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "es"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "leg"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "mulan"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "mulan_test"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "op-t"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "pub"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
  vhost {
    host      = "ship"
    read      = "^toto$"
    write     = "^toto$"
    configure = "^toto$"
  }
}
Expected Behavior
No change should be planned by Terraform.
Actual Behavior
Terraform is trying to replace the vHosts while they're the same as the currently running configuration.
It feels like Terraform is trying to reorder the vHosts alphabetically.
They are returned alphabetically by Vault: https://gist.github.com/FinweVI/e2906fb9c42048c13637fd215b7cd063
And stored unordered in the state: https://gist.github.com/FinweVI/32d2b0df972ec199beee6499301b0699
Even if I apply, I'll run into the same issue.
Terraform will perform the following actions:
  # vault_rabbitmq_secret_backend_role.my_role will be updated in-place
  ~ resource "vault_rabbitmq_secret_backend_role" "my_role" {
        backend = "rabbitmq"
        id      = "rabbitmq/roles/my_role"
        name    = "my_role"
        tags    = "management"
      ~ vhost {
            configure = "^toto$"
          ~ host      = "customer" -> "cosmos"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "demand" -> "customer"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "ei" -> "demand"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "mulan" -> "ei"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "mulan_test" -> "es"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "op-t" -> "leg"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "pub" -> "mulan"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "cosmos" -> "mulan_test"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "leg" -> "op-t"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "ship" -> "pub"
            read      = "^toto$"
            write     = "^toto$"
        }
      ~ vhost {
            configure = "^toto$"
          ~ host      = "es" -> "ship"
            read      = "^toto$"
            write     = "^toto$"
        }
    }
Steps to Reproduce
- Create the config file and terraform apply
- Then, plan: terraform plan
- You'll see that Terraform wants to perform some modifications which are not needed

It's harmless regarding your production, as things are "just reordered", but this doesn't reflect reality and can be confusing.
@FinweVI I have the same issue, were you able to fix it?
Unfortunately no. I haven't touched this stack for a while, but my only solution so far is to be very cautious at every change.
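The perpetual diff reported above differs only in the order of the vhost blocks, which makes a real permission change in the same plan easy to overlook. The following is an added example (not code from the issue or from the provider) that reads a JSON plan and compares each role's vhost blocks by host instead of by position. The sample plan, `other_role` and the helper names are constructed for illustration, and the plan layout assumed is the `resource_changes` list produced by `terraform show -json`.

```python
import json

ROLE_TYPE = "vault_rabbitmq_secret_backend_role"
PERMS = ("configure", "read", "write")

def vhost_map(state):
    """Index vhost blocks by host so that list order stops mattering."""
    blocks = (state or {}).get("vhost") or []
    return {b["host"]: tuple(b.get(p) for p in PERMS) for b in blocks}

def real_changes(plan_json):
    """Map each role address to the changes that are not a pure reorder."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != ROLE_TYPE:
            continue
        # before/after are null for create/delete actions, hence the `or {}`
        old, new = rc["change"].get("before") or {}, rc["change"].get("after") or {}
        diffs = []
        if old.get("tags") != new.get("tags"):
            diffs.append(("tags", old.get("tags"), new.get("tags")))
        before, after = vhost_map(old), vhost_map(new)
        for host in sorted(before.keys() | after.keys()):
            if before.get(host) != after.get(host):
                diffs.append((host, before.get(host), after.get(host)))
        findings[rc["address"]] = diffs
    return findings

def _vh(host, perm="^toto$"):  # constructed vhost block for the sample below
    return {"host": host, "configure": perm, "read": perm, "write": perm}

def _rc(name, before_vhosts, after_vhosts):  # constructed resource_changes entry
    return {"address": f"{ROLE_TYPE}.{name}", "type": ROLE_TYPE,
            "change": {"actions": ["update"],
                       "before": {"tags": "management", "vhost": before_vhosts},
                       "after": {"tags": "management", "vhost": after_vhosts}}}

# Constructed sample in the shape of `terraform show -json <planfile>`:
# my_role is only reordered; other_role (hypothetical) also widens a write regex.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("my_role", [_vh("customer"), _vh("demand"), _vh("cosmos")],
                   [_vh("cosmos"), _vh("customer"), _vh("demand")]),
    _rc("other_role", [_vh("ei"), _vh("es")],
                      [_vh("es"), {**_vh("ei"), "write": ".*"}]),
]})

if __name__ == "__main__":
    for address, diffs in real_changes(SAMPLE_PLAN).items():
        print(address, "reorder only" if not diffs else diffs)
```

An empty list for a role means the planned update only reorders its vhost blocks; any tuple returned is a host (or the tags string) whose value actually differs between state and configuration.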