
oci_psql_db_system fails to read vault secret for admin password

Open bassg0navy opened this issue 9 months ago • 1 comment

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version and Provider Version

Terraform v1.8.3 on darwin_arm64

Affected Resource(s)

  • oci_psql_db_system
  • oci_vault_secret

Terraform Configuration Files

resource "oci_psql_db_system" "db_system" {
  compartment_id = var.compartment_id
  db_version     = var.db_version.min
  display_name   = var.display_name
  network_details {
    subnet_id = var.private_subnet_id
  }
  shape = var.system_shape
  storage_details {
    is_regionally_durable = true
    system_type           = var.db_system_storage_details_system_type
    iops                  = var.db_system_storage_details_iops
  }
  # Admin credentials; password_type and password are supplied through variables.
  credentials {
    password_details {
      password_type = var.db_system_credentials_password_details_password_type
      password      = var.db_system_credentials_password_details_password
    }
    username = var.db_system_credentials_username
  }

  instance_memory_size_in_gbs = var.db_system_instance_memory_size_in_gbs
  instance_ocpu_count         = var.db_system_instance_ocpu_count
  defined_tags = {
    "default.app" = "XXX"
  }
}

Debug Output

Gist

Expected Behavior

Vault secret should have been read successfully, and its content used as the admin password for the new PostgreSQL DB system.

Actual Behavior

Instead, terraform fails with a 400 error suggesting the following:

Error: 400-InvalidParameter, Property 'CreateDbSystemDetails.credentials.passwordSecretDetails' Failed to read secret. Please ensure that the secret exists..

Steps to Reproduce

  1. Create oci_kms_vault resource
  2. Create oci_kms_vault_key resource
  3. Create oci_vault_secret resource
  4. Create configuration for oci_psql_db_system resource
  5. Run terraform apply

Important Factoids

  • I've verified the secret exists. I'm able to read the secret as a data source by specifying its OCID.
  • I'm able to create this database system from the console, as well as in Terraform when specifying a password type of "PLAIN_TEXT".
  • In the error output, I've noticed a tenancy OCID that I do not recognize. I'm not sure why it's referenced in output and I have confirmed that I'm passing in correct compartment_id attribute for the psql_db resource.
  • Vault resource is a default virtual vault (not a dedicated or virtual private vault).

References

bassg0navy avatar May 16 '24 21:05 bassg0navy
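The configuration below is an added example, not code from the issue or from the provider's own documentation. It shows the full chain the reproduction steps describe: a DEFAULT-type vault and key, a secret whose content is the base64 encoding of the raw password (the encoding detail the reporter later suspects), a read-back of the secret bundle inside the same configuration, and an oci_psql_db_system that references the secret with password_type = "VAULT_SECRET" instead of passing the password in plain text. The variable names, the shape and version literals, the secret_id / secret_version arguments, the oci_kms_key resource name and the oci_secrets_secretbundle attribute path used in the precondition are assumptions, not values taken from the issue.

```hcl
# Added example: admin password stored in OCI Vault and referenced by
# oci_psql_db_system via password_type = "VAULT_SECRET".
# Assumed: variable names, shape/version literals, secret_id/secret_version
# arguments, oci_kms_key resource, oci_secrets_secretbundle attribute path.

variable "compartment_id" { type = string }
variable "subnet_id"      { type = string }
variable "admin_password" {
  type      = string
  sensitive = true   # keeps the value out of plan output
}

resource "oci_kms_vault" "pg" {
  compartment_id = var.compartment_id
  display_name   = "pg-admin-vault"
  vault_type     = "DEFAULT"   # same vault type the report mentions
}

resource "oci_kms_key" "pg" {   # assumed resource type for the vault key
  compartment_id      = var.compartment_id
  display_name        = "pg-admin-key"
  management_endpoint = oci_kms_vault.pg.management_endpoint
  key_shape {
    algorithm = "AES"
    length    = 32
  }
}

# secret_content.content must be the base64 encoding of the raw password.
# Storing already-base64 text (double encoding) or raw text that is not
# valid base64 yields a secret whose decoded value is not the password.
resource "oci_vault_secret" "pg_admin" {
  compartment_id = var.compartment_id
  vault_id       = oci_kms_vault.pg.id
  key_id         = oci_kms_key.pg.id
  secret_name    = "pg-admin-password"
  secret_content {
    content_type = "BASE64"
    content      = base64encode(var.admin_password)
  }
}

# Read the bundle back so the apply proves the secret is resolvable from
# this compartment before the DB system is requested (assumed attribute path).
data "oci_secrets_secretbundle" "pg_admin" {
  secret_id = oci_vault_secret.pg_admin.id
}

resource "oci_psql_db_system" "db" {
  compartment_id              = var.compartment_id
  display_name                = "pg-example"
  db_version                  = "14"                              # assumed
  shape                       = "PostgreSQL.VM.Standard.E4.Flex"  # assumed
  instance_ocpu_count         = 2
  instance_memory_size_in_gbs = 32
  network_details {
    subnet_id = var.subnet_id
  }
  storage_details {
    system_type           = "OCI_OPTIMIZED_STORAGE"
    is_regionally_durable = true
    iops                  = 75000
  }
  credentials {
    username = "pgadmin"
    password_details {
      password_type  = "VAULT_SECRET"
      secret_id      = oci_vault_secret.pg_admin.id   # assumed argument name
      secret_version = "1"                            # must be an existing version
    }
  }
  lifecycle {
    precondition {
      # Fails the apply early if the stored secret does not decode to the
      # password that was supplied, i.e. the encoding is wrong.
      condition     = base64decode(data.oci_secrets_secretbundle.pg_admin.secret_bundle_content[0].content) == var.admin_password
      error_message = "Vault secret bundle does not decode to the supplied admin password."
    }
  }
}
```

The precondition is the check worth keeping even after the original problem is gone: it turns a vague service-side "Failed to read secret" into a local, actionable failure about the secret's content, and it runs against the same compartment and region the DB system will be created in. Referencing the secret rather than a PLAIN_TEXT password also keeps the admin credential out of the Terraform state file.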

Thank you for reporting the issue. We have raised an internal ticket to track this. Our service engineers will get back to you.

tf-oci-pub avatar May 17 '24 06:05 tf-oci-pub

Was able to resolve this, but unsure how. Possibly related to changing encoding of vault secret value.

bassg0navy avatar May 20 '24 20:05 bassg0navy