[Bug]: Resource "vault_generic_endpoint" - Code: 405. Error: "unsupported operation"

[ivankatliarchuk]

Terraform Core Version

1.5.5

Terraform Vault Provider Version

3.23.0

Vault Server Version

1.15.1

Affected Resource(s)

• vault_generic_endpoint

Expected Behavior

The resource will get deleted from state file

Actual Behavior

 Error: error deleting "transit-example/config/keys" from Vault: "Error making API request.\n\nURL: DELETE https://vault.tools-sandbox.xxxxxxxx.com/v1/transit-example/config/keys\nCode: 405. Errors:\n\n* 1 error occurred:\n\t* unsupported operation\n\n"

Why using vault_generic_endpoint for disalbe_upsert . #2091

Relevant Error/Panic Output Snippet

Plan


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # vault_generic_endpoint.disable_upsert["transit"] will be destroyed
  # (because vault_generic_endpoint.disable_upsert is not in configuration)
  - resource "vault_generic_endpoint" "disable_upsert" {
      - data_json            = (sensitive value) -> null
      - disable_delete       = false -> null
      - disable_read         = false -> null
      - id                   = "transit-example/config/keys" -> null
      - ignore_absent_fields = false -> null
      - path                 = "transit-example/config/keys" -> null
      - write_data           = {} -> null
      - write_data_json      = jsonencode({})
    }

Plan: 0 to add, 0 to change, 1 to destroy.

On apply

vault_generic_endpoint.disable_upsert["transit"]: Destroying... [id=transit/config/keys]
╷
│ Error: error deleting "transit/config/keys" from Vault: "Error making API request.\n\nURL: DELETE https://vault.tools-sandbox.xxxxxxxxxx.com/v1/transit/config/keys\nCode: 405. Errors:\n\n* 1 error occurred:\n\t* unsupported operation\n\n"
│
│
╵
ERRO[0010] terraform invocation failed

### Terraform Configuration Files

```hcl
resource "vault_mount" "this" {
  path                      = "transit-example"
  type                      = "transit"
}

resource "vault_generic_endpoint" "this" {
  path      = "transit-example/config/keys"
  data_json = <<EOT
{
  "disable_upsert": false
}
EOT

  depends_on = [vault_mount.this]
}

Steps to Reproduce

Minimal reproduction snippet

Note: default value is false, so in reality nothing is change
step 1. plan and apply
step 2. comment out resource vault_generic_endpoint
step 3. plan and apply
result: error

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[trodemaster]

Looks like I may be hitting this as well. Using the example code https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_endpoint#example-usage "u1_entity" I'm also getting the Code 405 error.

I noticed that the error shows URL: GET https://vault.local:8200/v1/identity/lookup/entity however when I successfully run this command via CLI it's uses PUT via vault write command instead.

I suspect that this resource is not sending the correct command and ignoring the configuration of disable_read

terraform v1.6.4
vault provider v3.23.0

Update: I revisited this config with fresh eyes. it appears that because I used vault_generic_endpoint without disable_read = true once it was preventing any further plan from succeeding. Once I did a terraform state rm to that resource and applied again with disable_read = true it worked as expected. So watch out for that trap with vault_generic_endpoint.

[ivankatliarchuk]

I'll re-test. I think I did cover this case too and the behavior was the same.

[dnlopes]

Happening to me as well. Hit this issue after being redirect from #1715.

[javierguzman]

Hit this as well, does anyone have a workaround? Thanks in advance

[AleksanderDushku]

Changes published here are causing that: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/version_4_upgrade