terraform-provider-vault

vault_ldap_auth_backend_group is updating new groups but not destroying old groups

Open venkatakondaveti opened this issue 4 years ago • 5 comments

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

0.13.5

Affected Resource(s)

vault_ldap_auth_backend_group

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

  for_each = { for item in var.ldap_access_control : item["name"] => item }

  groupname = lookup(each.value, "ad-group", "default")
  policies  = [lookup(each.value, "policies", "default")]
  backend   = vault_ldap_auth_backend.ldap.path

  provider = vault.current-namespace
}

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

If there is a change in the group list, it is expected to create new groups and delete removed groups.

Actual Behavior

Terraform apply says it has destroyed the old groups, but they still exist.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

venkatakondaveti avatar Feb 17 '21 13:02 venkatakondaveti

I observe the same problem

psv54 avatar Jan 23 '24 15:01 psv54

@psv54 I am sorry you are having trouble. This ticket is rather old. Would you be able to provide a TF config that reproduces the issue and any relevant output? Thanks!

Also, I am not sure if it is related to how you are using the provider, but this is similar to https://github.com/hashicorp/terraform-provider-vault/issues/836

fairclothjm avatar Jan 24 '24 16:01 fairclothjm

I am having the same issue with Terraform version 1.5.2 and provider registry.terraform.io/hashicorp/vault v3.17.0. Once you remove "vault_ldap_auth_backend_group" it is marked as destroyed, but the actual resource is still there and Terraform loses track of it.

Below is an example Terraform config:

resource "vault_ldap_auth_backend_group" "test_group" {
  groupname = "APUX.Jira_MyADGroup_O_AT"
  policies  = ["admin"]
  backend   = "at-work"
}

aselmi avatar Feb 14 '24 11:02 aselmi

@aselmi I am sorry you are having trouble. I tried the following and I am unable to reproduce the issue:

resource "vault_auth_backend" "ldap" {
    path = "at-work"
    type = "ldap"
}

resource "vault_ldap_auth_backend_group" "test" {
    backend   = vault_auth_backend.ldap.path
    groupname = "foo"
}

fairclothjm avatar Feb 14 '24 17:02 fairclothjm

terraform version v1.6.5 provider registry.terraform.io/hashicorp/vault v3.23.0

resource "vault_ldap_auth_backend_group" "acl_adgroup" {
  groupname = "ACL-Vault-rw"
  policies  = ["admin"]
}

We execute apply, afterwards destroy. The mapping in Vault remains.

psv54 avatar Feb 14 '24 17:02 psv54
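
An added example, not part of the thread or the provider's code: a drift check for the condition reported above, where a group-to-policy mapping Terraform reports as destroyed is still present in Vault and keeps granting its policies. It compares the groups tracked in `terraform show -json` output with the keys returned by `LIST auth/<mount>/groups`; both inputs are constructed samples, and the lowercase comparison assumes the mount uses Vault's default `case_sensitive_names=false`.

```python
import json

# Constructed sample: trimmed `terraform show -json` output after the group
# resource was removed from the configuration and apply reported a destroy.
STATE_JSON = """{"values": {"root_module": {"resources": [
  {"type": "vault_auth_backend", "values": {"path": "at-work", "type": "ldap"}}],
  "child_modules": [{"resources": [
  {"type": "vault_ldap_auth_backend_group",
   "values": {"backend": "at-work", "groupname": "Team-B", "policies": ["default"]}}]}]}}}"""

# Constructed sample: body of `LIST auth/at-work/groups` read back from Vault.
VAULT_LIST_JSON = '{"data": {"keys": ["apux.jira_myadgroup_o_at", "team-b"]}}'


def managed_groups(state, backend):
    """Group names Terraform still tracks for one LDAP mount, walking child modules."""
    found = set()
    stack = [state.get("values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        stack.extend(module.get("child_modules", []))
        for res in module.get("resources", []):
            vals = res.get("values", {})
            # The resource's backend argument defaults to "ldap" when unset.
            mount = (vals.get("backend") or "ldap").strip("/")
            if res.get("type") == "vault_ldap_auth_backend_group" and mount == backend:
                found.add(vals["groupname"])
    return found


def orphaned_groups(state_json, vault_list_json, backend, case_sensitive=False):
    """Mappings present in Vault that no Terraform resource accounts for."""
    # Assumption: the mount runs with case_sensitive_names=false, so Vault
    # stores group names lowercased; compare in lowercase unless told otherwise.
    norm = (lambda s: s) if case_sensitive else str.lower
    tracked = {norm(g) for g in managed_groups(json.loads(state_json), backend)}
    live = json.loads(vault_list_json).get("data", {}).get("keys", [])
    return sorted(g for g in live if norm(g) not in tracked)


if __name__ == "__main__":
    for name in orphaned_groups(STATE_JSON, VAULT_LIST_JSON, "at-work"):
        print(f"orphaned mapping, still grants policies: auth/at-work/groups/{name}")
```

Run against real output after each apply, a non-empty result means a mapping survived its destroy and should be removed in Vault directly and reviewed for the policies it granted in the meantime.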