vault_pki_secret_backend_role server_flag is being ignored in 3.17.0 #1932

Closed
plieberg opened this issue Jul 10, 2023 · 0 comments · Fixed by #1933

plieberg commented Jul 10, 2023

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

1.0.4

registry.terraform.io/hashicorp/vault v3.17.0

Affected Resource(s)

Please list the resources as a list, for example:

  • vault_pki_secret_backend_role

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "vault_pki_secret_backend_role" "main" {
  for_each = local.create_pki

  allow_bare_domains = true
  allow_ip_sans      = false
  allow_localhost    = false
  allowed_domains    = [local.pki_allowed_domain]
  backend            = "pki-internal"
  key_usage          = ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]
  name               = local.backend_k8s_role_name
  max_ttl            = var.pki_ttl
  no_store           = true
  organization       = ["Redacted Company Name"]
  ou                 = ["Information Technology"]
  require_cn         = true
  server_flag        = false
}

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

Resource is created with server_flag set to false.

Actual Behavior

Resource is created with server_flag set to true.

Note, plan indicates server_flag will be false:

# module.test_01.vault_pki_secret_backend_role.main["pki"] will be created
  + resource "vault_pki_secret_backend_role" "main" {
      + allow_any_name                     = false
      + allow_bare_domains                 = true
      + allow_glob_domains                 = false
      + allow_ip_sans                      = false
      + allow_localhost                    = false
      + allow_subdomains                   = false
      + allow_wildcard_certificates        = true
      + allowed_domains                    = (known after apply)
      + allowed_domains_template           = false
      + allowed_uri_sans_template          = (known after apply)
      + backend                            = "pki-internal"
      + basic_constraints_valid_for_non_ca = false
      + client_flag                        = true
      + code_signing_flag                  = false
      + email_protection_flag              = false
      + enforce_hostnames                  = true
      + generate_lease                     = false
      + id                                 = (known after apply)
      + issuer_ref                         = (known after apply)
      + key_bits                           = 2048
      + key_type                           = "rsa"
      + key_usage                          = [
          + "DigitalSignature",
          + "KeyAgreement",
          + "KeyEncipherment",
        ]
      + max_ttl                            = "86400"
      + name                               = (known after apply)
      + no_store                           = true
      + not_before_duration                = (known after apply)
      + organization                       = [
          + "C.H. Robinson Worldwide",
        ]
      + ou                                 = [
          + "Information Technology",
        ]
      + require_cn                         = true
      + server_flag                        = false
      + ttl                                = (known after apply)
      + use_csr_common_name                = true
      + use_csr_sans                       = true
    }

Running plan again (which we do as part of our module build tests) shows server_flag is true and needs to be updated to false:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.test_01.vault_pki_secret_backend_role.main["pki"] will be updated in-place
  ~ resource "vault_pki_secret_backend_role" "main" {
        id                                 = "pki-internal/roles/tfm_k8s_build-test-oqpenhxlln_dev_role"
        name                               = "tfm_k8s_build-test-oqpenhxlln_dev_role"
      ~ server_flag                        = true -> false
        # (37 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan
  2. terraform apply

Important Factoids

Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References
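
A drift check for the behaviour reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json`) and lists `vault_pki_secret_backend_role` updates where an extended-key-usage flag on the live role differs from the configuration. The sample plan is constructed from the values in the report, and the second role in it is hypothetical.

```python
# Added example: flag EKU drift on Vault PKI roles in `terraform show -json` output.
ROLE_TYPE = "vault_pki_secret_backend_role"
# Flag names as they appear in the plan output in this report.
EKU_FLAGS = ("server_flag", "client_flag", "code_signing_flag", "email_protection_flag")


def eku_flag_drift(plan):
    """List EKU flags whose live value (before) differs from the declared one (after)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != ROLE_TYPE or "update" not in change.get("actions", []):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        for flag in EKU_FLAGS:
            if flag in before and flag in after and before[flag] != after[flag]:
                findings.append({
                    "address": rc["address"],
                    "flag": flag,
                    "live": before[flag],
                    "declared": after[flag],
                    # Live role grants a usage the configuration turned off.
                    "over_permissive": before[flag] is True and after[flag] is False,
                })
    return findings


# Constructed sample, trimmed to the fields used here; values taken from the second plan.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": 'module.test_01.vault_pki_secret_backend_role.main["pki"]',
            "type": ROLE_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"server_flag": True, "client_flag": True, "code_signing_flag": False},
                "after": {"server_flag": False, "client_flag": True, "code_signing_flag": False},
            },
        },
        {   # Hypothetical second role with nothing to change; must be skipped.
            "address": "vault_pki_secret_backend_role.other",
            "type": ROLE_TYPE,
            "change": {"actions": ["no-op"], "before": {"server_flag": True},
                       "after": {"server_flag": True}},
        },
    ]
}

if __name__ == "__main__":
    for f in eku_flag_drift(SAMPLE_PLAN):
        print(f"{f['address']}: {f['flag']} live={f['live']} declared={f['declared']}")
```

Run against a plan taken immediately after `terraform apply`, a non-empty result with `over_permissive` set means the role in Vault permits a certificate usage that the configuration disabled.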
